I had a friend doing QA for an app in 1999 that attempted to derive entropy in a similar manner (random mouse movements). It turns out movement biases decreased the entropy by at least a factor of a hundred, and he could generally brute force the key in 10-20k tries.
So, the best chance you have in your case, is to not tell anyone how you derived your passwords! BWAHAHAHAHA!!
Yeah, that’s why I have the third party announcing “stop” and the coin flip. I suppose I could ROT[arbitrary integer] the string to make it more (less?) opaque, but that would be planting a flag on entropy mountain, by that point.
I could also engage in a Brechtian password generation scheme where I flip three pennies.
My experience has been that every workplace and every household depends upon shared and reused passwords, that in fact the more important the password is, the more likely it is openly shared.
Most security best practices are at odds with how people live and work, and people will bypass them at the drop of a hat. I’ve been in a few situations in which someone did play by the rules, and it provoked a crisis: the only person who had access to some system was out of town and not answering their phone.
Late to the punch but… I had a simple way of generating unique passwords for every site, and it lasted about a day until I ran into sites that needed arbitrary requirements (2 capitals, 3 numbers, one nonstandard character, and can’t be a real word, or share 2 congruent characters with any password you’ve had in 20 years). So I’m back to knowing roughly my passwords, but still need to enter them 3 times per site, to get it right, or just do a reset every time I clear my cookies.
I prefer having a weak password, and email confirmation/SMS (worthless against the government), or having 2-factor authentication over trying to maintain a strong password regime when sites have arbitrary rules.
I was actually enjoying geeking out on your ability to try and make this as perfect as possible — in contrast to the nay-sayers above. I’m the kind of person who, when I need to throw out my credit card, I cut each number out, cut them in half, drop them in different trash cans, hold some back for a different trash day, scratch the magnet, melt it with a lighter, cut it and throw it into different cans… not because I think anyone’s going to steal my info, but because the little kid in me still enjoys it.
So I was enjoying 1,600 words in the same vein — going to absurd lengths to squeeze out a fraction of a percentage point more entropy — and then you dropped that bombshell.
That literally destroyed all that effort with that one line.
You said it yourself. We’re terrible at being random, and the easy passphrases we want to remember are based on English syntax, easy words, and memorable combinations. All these things reduce entropy. So if you give me a random collection of six words, and I say “…nah, I don’t like those, give me another,” there’s an entropy-reducing reason I said that. I wouldn’t have said it if they were six easy words that formed a nice memorable sentence.
It wouldn’t have mattered so much either way — it’s still going to have a ridiculous amount of entropy even if you let me choose from 1000 different sentences, but it just completely defeated the purpose of going all theoretical in the selection of perfect dice and rolling methods, since that increases entropy by such a minuscule amount, much, much less than the human-selection decreases entropy.
I use story dice. Roll the nine die, organise them into a line, take the first letter associated with the picture (which might be ‘face’ or ‘smile’ or ‘mouth’ for the smiley face, depending on how I feel at that moment in time), add a digit between 1 and 9 to either the front or back of the letter string, and I’m good to go. I end up with having to remember a number and three sets of three letters, which is a bit easier than it sounds. I also write my passwords down because I asses that the security threat is not from people who have physical access to the place where the pwds are stored, but I do have a functionality threat in that if I forget my pwds I’m screwed.
Its not as security-geek secure as it could possibly be, but for me it produces much better pwds than I used to use, and it is a process I will actually perform to create pwds I actually use.
The article is a cryptic advertorial for that shoebox, isn’t it? Where can I buy that crocodile skin textured, hand stitched, felt lined box? Sure, I could buy dice, but then I’d be following instructions given to the herd like every other fool who comments on here. I want the exclusivity of being the only fool in possession of that specific crocodile skin dice rolling shoebox
Meta-fetishism. That shoebox is actually a 3-d printed replica of the original box (of which 5 were made by cobbler elves in Slovenia using felt from artisanally flocced wool from free-range sheep, the crocodile skin texture is impresssed from vat grown skin and this is cruelty free, unless your animal rights activities extend to cultured microbes, and why shouldn’t they!), I can’t find the Shapeways link at the moment, and you need the special floccy PLA polymer to print it.
Right, yes, exactly. I have a great system, them someone comes in an says, “But you must have one of these in it but none of these,” and then I’m just lost.
Yeah, I don’t even understand why one would do this method. Generate strong, random passwords, and then do a password manager that’s in a system that only involves 2-step verification. With devices that only allow X attempts before slowing to a crawl.
This is why a password manager is crucial. It eliminates the need for reused passwords, and the password manager (I know LastPass does this) allows for sharing of passwords between LastPass accounts without either party knowing what the password is.
One remembered passphrase to lock a password manager that generates limitless random passwords really is the way to go.