Wednesday, March 5, 2014

Time to add a word


For the average user I now recommend a passphrase with six Diceware words, or five words with one extra character chosen and placed at random. 

This is a change from my previous advice. Since Diceware was created in 1995, I have recommended five words as a suitable passphrase length for an average user.  For people with more stringent requirements and where the passphrase was being used directly to form a cryptographic key, I have suggested 6 words or more.

I had previously written that longer Diceware passphrases might be vulnerable by about 2014. Well, it's 2014. Today criminal gangs probably have access to more computing power than the NSA did when this page first appeared. So I am upping my passphrase length advice by one word.

To understand why, here is an article about a password cracking machine built using 25 AMD Radeon graphics cards. It can test 350 billion possible passwords per second using Microsoft Windows' NTLM password algorithm. They claim they can crack a random 8-character password in under six hours. At that speed, attacking a 5-word Diceware passphrase would take on average 7,300 hours, or 10 months, to find the correct passphrase, assuming they knew you were using Diceware and developed equally efficient software designed to try only valid Diceware words. And NTLM is one of the easier password hashing algorithms to attack.

Criminal gangs have built botnets from thousands of computers infected with their malware. Marshaling large numbers of these computers they control might allow them to crack a five word passphrase in a reasonable amount of time. But tying up thousands of computers is probably more effort than criminals would want to expend on an average person’s data. They have many potential victims with weaker passwords that take much less work to exploit.

Still, computer power keeps increasing, especially in advanced graphics processors, which are easily adapted to cracking work. Five words would still be enough for most uses if software designers used good key stretching, but too many do not, and it is hard to know for sure which do. So I felt it was time to recommend that longer passphrases start being used. If you are using a 5-word passphrase, consider adding a random character as I suggest at It will make your passphrase about a thousand times more difficult to crack. Adding a sixth word makes it 7776 times harder. Take your pick, and read the FAQ for more information.
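The arithmetic behind the advice above (and behind the later comment asking for word counts that depend on the application's key derivation function) is easy to reproduce. The following is an added example, not code from the Diceware site or this post. It assumes a uniformly random extra character drawn from the 95 printable ASCII symbols and placed in one of six slots of a randomly chosen word, and it models key stretching by dividing the attacker's raw guess rate by the KDF's iteration count; both are labelled assumptions in the code, and the 350 billion guesses per second figure is the NTLM rate quoted in the post.

```python
import math

DICEWARE_WORDS = 7776          # 6**5: one word per roll of five dice
PRINTABLE_ASCII = 95           # symbols available for the "extra random character"
NTLM_RATE = 350e9              # guesses/s of the 25-GPU rig quoted in the post (NTLM, no stretching)
SECONDS_PER_HOUR = 3600
SECONDS_PER_YEAR = 365.25 * 24 * SECONDS_PER_HOUR


def passphrase_space(words, wordlist=DICEWARE_WORDS, extra_chars=0, positions_per_word=6):
    """Number of equally likely passphrases for `words` words from `wordlist`.

    Assumption: each extra character is drawn uniformly from printable ASCII
    and inserted at one of `positions_per_word` slots in a randomly chosen
    word, so it multiplies the space by 95 * words * positions_per_word.
    """
    space = wordlist ** words
    for _ in range(extra_chars):
        space *= PRINTABLE_ASCII * words * positions_per_word
    return space


def entropy_bits(space):
    """Entropy in bits of a uniformly chosen passphrase from `space` candidates."""
    return math.log2(space)


def effective_rate(raw_rate, iterations=1):
    """Rough model of key stretching (assumption): an iterated KDF costs the
    attacker one hash evaluation per iteration, so the guess rate falls by
    the iteration count. This flatters the attacker, since one HMAC-SHA1 or
    HMAC-SHA256 iteration costs more than one NTLM hash."""
    return raw_rate / iterations


def expected_crack_seconds(space, rate):
    """Average time to hit the right passphrase: half the space is searched on average."""
    return space / 2 / rate


def words_needed(target_seconds, rate, wordlist=DICEWARE_WORDS):
    """Smallest word count whose expected crack time at `rate` is at least `target_seconds`."""
    bits_required = math.log2(2 * rate * target_seconds)   # need wordlist**n / (2*rate) >= target
    return math.ceil(bits_required / math.log2(wordlist))


if __name__ == "__main__":
    ten_years = 10 * SECONDS_PER_YEAR
    cases = [
        ("5 words, NTLM", passphrase_space(5), NTLM_RATE),
        ("5 words + 1 random char, NTLM", passphrase_space(5, extra_chars=1), NTLM_RATE),
        ("6 words, NTLM", passphrase_space(6), NTLM_RATE),
        # WPA2 uses PBKDF2-HMAC-SHA1 with 4096 iterations (as listed in the comments)
        ("5 words, PBKDF2 x4096", passphrase_space(5), effective_rate(NTLM_RATE, 4096)),
        # 7-Zip figure from the comments: 262144 iterations
        ("5 words, PBKDF2 x262144", passphrase_space(5), effective_rate(NTLM_RATE, 262144)),
    ]
    for label, space, rate in cases:
        hours = expected_crack_seconds(space, rate) / SECONDS_PER_HOUR
        print(f"{label:32s} {entropy_bits(space):5.1f} bits  ~{hours:12,.0f} h on average")

    for iters in (1, 4096, 262144):
        n = words_needed(ten_years, effective_rate(NTLM_RATE, iters))
        print(f"to resist the quoted rig for 10 years with x{iters} stretching: {n} words")
```

Running the script prints the entropy and average cracking time for each configuration and then the word count that holds out for ten years against the quoted rig at each stretching level; changing `NTLM_RATE` to a larger number is the way to re-run the estimate as hardware improves.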


  1. This blog post is the subject of an article by
    Jon Brodkin on Ars Technica:

  2. [Disclosure: I work for AgileBits, the makers of 1Password]

    It is important to note how the passphrase is hashed. If, for example, something like scrypt is used or the hashing involves HMAC-SHA512, such as in PBKDF2-HMAC-SHA512 then GPUs don't do much for you.

    For example (shameless plug), extrapolating from the results that hashcat has achieved against the 1Password Master Password[1], a fleet of GPUs would still only be making on the order of 10s of thousands of guesses per second.


  3. Hang on, this issue is specific to attacking the HASH. Since NTLM is a non-salted hash then attacking the Active Directory SAM database is a nice ripe target. But as JPgoldberg said, if you use one of the better hashing methods, this is a much smaller problem.

    And that's the trick, really. We're relying on our service providers to use strong hashing algorithms. If they do that, then the attack vector - as shown in the 1Password blog - is mostly password guessing against an interactive system (login page), or against a secure data store protected with a master password.

    It's time for the whole password argument to focus on the hash algorithm and key derivation function rather than the password length.

  4. I don't know how to get my name in the heading: Dick99999

    The FAQ states: "Six or more words should be on systems that use the passphrase directly to form a transmission or encryption key. Such systems include Hushmail, disk encryption (e.g. Apple's FileVault), Ciphersaber, and WiFi's WPA."

    The 25 AMD Radeon graphics cards system proves that there is a great variation in cracking capability for different algorithms. Isn't it also time to make the 6 word (which is a lot on a phone) advice dependent on the application?

    For example a simple list such as:
    - for LastPass, use x1 words, based on PBKDF2 / SHA256 / 5000x
    - for 7ZIP, use x2 words, PBKDF2 / SHA256 / 262144x
    - for WiFi-WPA2 use x3 words PBKDF2 / SHA1 / 4096x
    - for TrueCrypt use x4 words RipeMD160/ AES / 2000x


  6. Well, I lost my original post.

    Thank you for the post. I appreciate your efforts to educate us about how to secure our information. When I first stumbled upon your diceware passphrase generator guide, I created all my passphrases to be 6 words long with 3 randomly generated characters randomly inserted into the 6 words, with an addition at the end of the passphrase of some non-sensitive personal information. If I remember correctly, adding such an appendage to the end of your passphrase will help keep it unique when it's stored by the server. I hope that my passphrases were well executed.

    Anyways, I'm quite a novice at all of this but I still enjoy learning and improving upon my ability to secure my personal information. I hope you can continue to help me and others learn more about cryptography.

    On another note, I can't figure out your ciphersaber 2.0. I have read your page and also have searched other sources discussing ciphersaber and yet I still cannot create nor use my own cipher.

    I have gone to these websites for further information about ciphersaber.

    I hope you could elaborate on the process of creating a ciphersaber and how to use it correctly too. Or perhaps direct me to more websites detailing the process. Keep in mind that I have ZERO background in programming.

    Thanks for your help.


  8. Instead of adding a word, I would think that increasing the size of the wordlist and adding an extra dice would be a better idea. I have searched for six dice wordlist, which would be 46656 words, but I couldn't find any. Does anybody here know any bigger word lists?

  9. From Dick99999
    A six word Diceware passphrase or a five word phrase from a 50,000 word dictionary are of about the same strength, I think, looking at my calculation. That long dictionary will contain many long words, so the character count might be comparable too. Also, a phrase based on a 50K dictionary will contain many less known words. I think you can take any English word list; Google for '50000 English word list'.
    You might get better responses on

  10. Funny, I didn't consider the strength to be that close. But it's even worse, they are exactly the same! Both have 2.2107392e+23 possible pass phrases, or 77.5
    bits of entropy (if I am not mistaken).
    So 6 words might be easier than 5 words from a bigger list.

