Thursday, April 14, 2011

A common Diceware question

Here is an e-mail I received today and my reply:
>It is way more random and therefore safer for WPA.
>I mean, words are cool, but they are just that --
>a string with  random printable ASCII characters is
>certainly harder to crack, it seems.
>Indian mathematician in training
It's true that random characters provide more security (entropy) for a string of the same length, but for many people words are easier to remember. For example a 7 word Diceware(tm) phrase has about the same entropy as a 20 letter random string.  As my FAQ explains, you can also generate random characters using dice if you prefer.
As for the GRC site, they say they are not generating true random numbers, but using a pseudo-random algorithm. The algorithm they say they are using isn't terrible, but you are relying on them to be doing what they say and to be sure that their server has not been hacked. There is really no way to audit that. Dice, on the other hand, are completely secure and truly random.
Best wishes,