Wednesday, March 5, 2014

Time to add a word

For the average user I now recommend a passphrase with six Diceware words, or five words with one extra character chosen and placed at random. 

This is a change from my previous advice. Since Diceware was created in 1995, I have recommended five words as a suitable passphrase length for an average user.  For people with more stringent requirements and where the passphrase was being used directly to form a cryptographic key, I have suggested 6 words or more.

I had previously written that longer Diceware passphrases might be vulnerable by about 2014. Well, it's 2014. Today criminal gangs probably have access to more computing power than the NSA did when this page first appeared. So I am upping my passphrase length advice by one word.

To understand why, here is an article about a password cracking machine built using 25 AMD Radeon graphics cards. It can test 350 billion possible passwords per second using Microsoft Windows’ NTLM password algorithm. They claim they can crack a random 8-character password in under six hours. At that speed, attacking a 5-word Diceware passphrase would take an average of 7,300 hours, or 10 months, to find the correct passphrase, assuming they knew you were using Diceware and developed equally efficient software designed to try only valid Diceware words. And NTLM is one of the easier password hashing algorithms to attack.

Criminal gangs have built botnets from thousands of computers infected with their malware. Marshaling large numbers of these computers they control might allow them to crack a five word passphrase in a reasonable amount of time. But tying up thousands of computers is probably more effort than criminals would want to expend on an average person’s data. They have many potential victims with weaker passwords that take much less work to exploit.

Still, computer power keeps increasing, especially in advanced graphics processors, which are easily adapted to cracking work. Five words would still be enough for most uses if software designers used good key stretching, but too many do not, and it is hard to know for sure which do. So I felt it was time to recommend that longer passphrases start being used. If you are using a 5 word passphrase, consider adding a random character as I suggest at It will make your passphrase about a thousand times more difficult to crack. Adding a sixth word makes it 7776 times harder. Take your pick, and read the FAQ for more information.
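The dependence of passphrase length on hashing speed can be worked through directly. The following is an added example, not code from the original post: it finds the smallest Diceware word count whose average search time meets a target, using the post's 350 billion guesses per second for NTLM and its "about a thousand times" figure for the extra character. The 50,000 guesses per second for a key-stretched system and the 100-year target are assumptions chosen for illustration.

```python
import math

DICEWARE_LIST_SIZE = 6 ** 5            # 7776 words, one per five dice rolls
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Figures taken from the post
FAST_HASH_RATE = 350e9                 # guesses/s against NTLM on the 25-GPU machine
EXTRA_CHAR_FACTOR = 1000               # "about a thousand times" for one random character
# Assumed figures (not from the post)
SLOW_KDF_RATE = 50_000                 # guesses/s against a well-stretched key derivation
TARGET_YEARS = 100                     # average search time we want to exceed


def keyspace(words, extra_factor=1):
    """Count of equally likely passphrases; extra_factor models the added character."""
    return DICEWARE_LIST_SIZE ** words * extra_factor


def entropy_bits(words, extra_factor=1):
    """Entropy in bits, valid only if every word is chosen by dice or a CSPRNG."""
    return math.log2(keyspace(words, extra_factor))


def average_years(words, guesses_per_second, extra_factor=1):
    """Expected search time: on average half the keyspace is tried before a hit."""
    guesses = keyspace(words, extra_factor) / 2
    return guesses / guesses_per_second / SECONDS_PER_YEAR


def words_needed(guesses_per_second, target_years):
    """Smallest word count whose average search time reaches target_years."""
    words = 1
    while average_years(words, guesses_per_second) < target_years:
        words += 1
    return words


def report():
    """Word counts needed for the fast unsalted hash and the stretched KDF."""
    rates = (("fast hash (NTLM)", FAST_HASH_RATE), ("stretched KDF", SLOW_KDF_RATE))
    return [(label, words_needed(rate, TARGET_YEARS)) for label, rate in rates]


if __name__ == "__main__":
    for label, words in report():
        print(f"{label}: {words} words ({entropy_bits(words):.1f} bits)")
    ok = average_years(5, FAST_HASH_RATE, EXTRA_CHAR_FACTOR) >= TARGET_YEARS
    print("5 words + random character meets target against fast hash:", ok)
```

The rate passed in should be the attacker's total guessing rate, so a larger pool of hardware than the single machine assumed here raises the word count accordingly.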


  1. This blog post is the subject of an article by Jon Brodkin on Ars Technica:

  2. [Disclosure: I work for AgileBits, the makers of 1Password]

    It is important to note how the passphrase is hashed. If, for example, something like scrypt is used or the hashing involves HMAC-SHA512, such as in PBKDF2-HMAC-SHA512 then GPUs don't do much for you.

    For example (shameless plug), extrapolating from the results that hashcat has achieved against the 1Password Master Password[1], a fleet of GPUs would still only be making on the order of 10s of thousands of guesses per second.


  3. Hang on, this issue is specific to attacking the HASH. Since NTLM is a non-salted hash then attacking the Active directory SAM database is a nice ripe target. But as JPgoldberg said, if you use one of the better hashing methods, this is a much smaller problem.

    And that's the trick, really. We're relying on our service providers to use strong hashing algorithms. If they do that, then the attack vector - as shown in the 1Password blog - is mostly password guessing against an interactive system (login page), or against a secure data store protected with a master password.

    It's time for the whole password argument to focus on the hash algorithm and key derivation function rather than the password length.

  4. I don't know how to get my name in the heading: Dick99999

    The FAQ states: "Six or more words should be on systems that use the passphrase directly to form a transmission or encryption key. Such systems include Hushmail, disk encryption (e.g. Apple's FileVault), Ciphersaber, and WiFi's WPA."

    The 25 AMD Radeon graphics cards system proves that there is a great variation in cracking capability for different algorithms. Isn't it also time to make the 6 word (which is a lot on a phone) advice dependent on the application?

    For example a simple list such as:
    - for LastPass, use x1 words, based on PBKDF2 / SHA256 / 5000x
    - for 7ZIP, use x2 words, PBKDF2 / SHA256 / 262144x
    - for WiFi-WPA2 use x3 words PBKDF2 / SHA1 / 4096x
    - for TrueCrypt use x4 words RipeMD160/ AES / 2000x