<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<!-- The above 3 meta tags *must* come first in the head; any other head content must come *after* these tags -->
<title>Diceware: Create Secure Passwords You Can Actually Remember!</title>
<!-- Bootstrap -->
<link href="./dist/bootstrap.min.css" rel="stylesheet">
<link href="./assets/css/starter-template.css" rel="stylesheet">
<!-- Our different dice faces. -->
<link href="./assets/css/dice.css" rel="stylesheet">
<!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
<!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
<script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
<![endif]-->
<meta property="og:title" content="Diceware: Generate Secure Passwords You Can Actually Remember!" />
<meta property="og:description" content="Diceware is a password generator which creates passwords based on dicerolls keyed to a set of words." />
<meta property="og:url" content="https://diceware.dmuth.org/" />
<meta property="og:image" content="https://diceware.dmuth.org/assets/img/dice.jpg" />
<meta name="twitter:card" content="summary_large_image" />
<meta name="twitter:site" content="@dmuth" />
<meta name="twitter:url" content="https://diceware.dmuth.org/" />
<meta name="twitter:title" content="Diceware: Generate Secure Passwords You Can Actually Remember!" />
<meta name="twitter:description" content="Diceware is a password generator which creates passwords based on dicerolls keyed to a set of words." />
<meta name="twitter:image" content="https://diceware.dmuth.org/assets/img/dice.jpg" />
</head>
<body>
<div class="container">
<div class="starter-template">
<h1>Diceware Password Generator</h1>
<p class="lead">
Generate high-entropy passwords the easy way!
</p>
<!-- This row is completely hidden, but is used to hold elements
that get cloned after a dice roll. -->
<div class="row source" style="display: none; ">
<div class="col-md-12" style="height: 0px; ">
<div class="die dice1 dice_element" style="float: left; ">
<div class="dot center"></div>
</div>
<div class="die dice2 dice_element" style="float: left; ">
<div class="dot dtop dleft"></div>
<div class="dot dbottom dright"></div>
</div>
<div class="die dice3 dice_element" style="float: left; ">
<div class="dot dtop dleft"></div>
<div class="dot center"></div>
<div class="dot dbottom dright"></div>
</div>
<div class="die dice4 dice_element" style="float: left; ">
<div class="dot dtop dleft"></div>
<div class="dot dtop dright"></div>
<div class="dot dbottom dleft"></div>
<div class="dot dbottom dright"></div>
</div>
<div class="die dice5 dice_element" style="float: left; ">
<div class="dot dtop dleft"></div>
<div class="dot dtop dright"></div>
<div class="dot center"></div>
<div class="dot dbottom dleft"></div>
<div class="dot dbottom dright"></div>
</div>
<div class="die dice6 dice_element" style="float: left; ">
<div class="dot dtop dleft"></div>
<div class="dot dtop dright"></div>
<div class="dot center dleft"></div>
<div class="dot center dright"></div>
<div class="dot dbottom dleft"></div>
<div class="dot dbottom dright"></div>
</div>
<div class="dice_word dice_element" style="float: left; padding-left: 20px; padding-top: 25px; ">
</div>
<div id="results-num-dice" data-test-num-dice="" >0</div>
<div class="results_words_key" >Your words are: </div>
<div class="results_words_value" data-test="results-words" ></div>
<div class="results_phrase_key" >Your passphrase is: </div>
<div class="results_phrase_value" data-test="results-phrase" ></div>
<div class="results_num_possible_key" ># of possible passwords: </div>
<div class="results_num_possible_value" ></div>
</div>
<div class="alert alert-danger bad_crypto" role="alert">
<span class="glyphicon glyphicon-exclamation-sign" aria-hidden="true"></span>
<span class="sr-only">Error:</span>
Whoa there! Your browser doesn't have the getRandomValues() function.
This means that dice rolls you make <em>will not be cryptographically secure!</em><br/>
Please try another browser. Otherwise, proceed at your own risk.
</div>
</div> <!--/ row -->
<div class="row">
<noscript>
<div class="col-md-4" ></div>
<div class="col-md-4" >
<div class="alert alert-danger" role="alert">
<b>You must enable Javascript to use this app.</b>
</div>
</div>
</noscript>
</div><!-- /row -->
<div class="row">
<div class="col-md-12">
<div class="message" ></div>
<h2 class="dice_num">
Number of Dice Rolls:
</h2>
<div class="btn-group-lg" role="group" aria-label="...">
<button id="button-dice-2" type="button" class="btn btn-default dice_button" data-test="button-2">2</button>
<button id="button-dice-3" type="button" class="btn btn-default dice_button" data-test="button-3">3</button>
<button id="button-dice-4" type="button" class="btn btn-default dice_button active" data-test="button-4">4</button>
<button id="button-dice-5" type="button" class="btn btn-default dice_button" data-test="button-5">5</button>
<button id="button-dice-6" type="button" class="btn btn-default dice_button" data-test="button-6">6</button>
<button id="button-dice-7" type="button" class="btn btn-default dice_button" data-test="button-7">7</button>
<button id="button-dice-8" type="button" class="btn btn-default dice_button" data-test="button-8">8</button>
</div>
<br/>
<a name="roll_dice_button" ></a>
<button type="button" class="btn btn-default btn-lg btn-primary" id="roll_dice" data-test="button" disabled=true>
<span id="roll_dice_icon" class="glyphicon glyphicon-play" aria-hidden="true" ></span> <span id="roll_dice_text">Loading...</span>
</button>
</div><!-- /col-md-12 -->
</div><!-- /row -->
<br/>
<div class="row">
<div class="col-md-12" >
<div class="results">
</div>
</div>
</div><!-- /row -->
<div class="row" style="text-align: left;">
<div class="col-md-1"></div>
<div class="col-md-10 main">
<h2>About Diceware</h2>
<p>
Weak passwords are a big flaw in computer security because they lack "entropy",
the randomness that makes a password hard to guess. For example, how many times have you used the name of a pet or relative or street
in a password, or perhaps the number "1"? Not very random, is it? 😃
Worse still, if
passwords are reused between services, <a href="http://www.businessinsider.com/biggest-password-mistake-2014-8"
>a breach of one service exposes every account that shares the password</a>. This is not theoretical, <a href="http://www.techspot.com/news/65255-hackers-access-github-accounts-reusing-passwords-previous-leaks.html"
>this has already happened.</a>
</p>
<p>
Fact is, humans are terrible at remembering random combinations of letters and
numbers, but we are great at remembering phrases of words. That's where Diceware comes in.
</p>
<p>
This Diceware web app is based on <a href="http://world.std.com/~reinhold/diceware.html">the original proposal</a>:
for each word, a die is rolled 5 times, and the resulting 5-digit number (11111 through 66666) is looked up in
a list of 6<sup>5</sup> = 7,776 words. Each word therefore contributes log<sub>2</sub>(7,776), or about 12.9 bits of entropy.
The default of 4 words (the "Number of Dice Rolls" setting above) gives you a passphrase that is easy for a human being to remember,
yet has roughly 51.7 bits of entropy, which makes it expensive to guess by brute force.
</p>
<p>
For more information on Diceware:
</p>
<ul>
<li><a href="http://world.std.com/~reinhold/diceware.html">The Diceware Passphrase FAQ</a></li>
<li><a href="http://world.std.com/~reinhold/diceware.wordlist.asc">Original Diceware word list</a> (This implementation uses <a href="#wordlist">a different wordlist...</a>)</li>
<li><a href="http://world.std.com/~reinhold/diceware.txt">Diceware for Passphrase Generation and Other Cryptographic Applications</a></li>
</ul>
<p>
For more information on the entropy in passphrases, I'd like to refer you
<a href="https://xkcd.com/936/">to this XKCD comic</a>:
</p>
<p>
<a href="./assets/img/xkcd-password-strength.png"><img src="./assets/img/xkcd-password-strength.png" class="responsive" alt="XKCD 936: Password Strength" /></a>
</p>
<p>
Diceware is a trademark of Arnold Reinhold.
</p>
<h2>Frequently Asked Questions</h2>
<h3>FAQ: Why not use 1Password or another password manager?</h3>
<p>
By all means, feel free to do so. <a href="https://1password.com/">1Password</a> is an excellent product and I highly recommend it.
That said, there's no reason that Diceware cannot be used concurrently with a password manager.
But I <em>also</em> happen to like passwords I can remember. :-)
</p>
<p>
If you want the absolute highest levels of password security, consider using <a href="https://strongboxsafe.com/">Strongbox</a>. One neat thing about Strongbox is that it comes with a built-in Diceware client!
</p>
<p>
If you prefer insults in your passphrases, check out the <a href="https://cheswick.com/insults">Insult Passphrase Generator</a> by Ron Hardin. Each passphrase has ~42 bits of randomness.
</p>
<h3>FAQ: What are some good use cases for Diceware?</h3>
<ul>
<li>Smart TVs: Diceware is a great fit for password entry on Smart TVs, or any other environment where typing non-alphanumerics is a challenge.</li>
<li>Work/Shared Computer: Let's say you're using a computer that you do not own, and want to log into a personal account. You may not want to install 1Password on that machine, so if you've generated that account's password with Diceware, it will be much easier to type in on the keyboard. </li>
</ul>
<h3>FAQ: What are some BAD use cases for Diceware?</h3>
<p>
You should not use Diceware in any case where it is highly likely an attacker can get a copy
of your password hash, or of a file encrypted with your password, and run high-volume guessing attempts against it offline.
Offline, nothing rate-limits the attacker: a four-word passphrase has only about 52 bits of entropy, which is a real obstacle to
online guessing but within reach of an attacker with GPUs if the hash is fast.
A bad case--possibly the worst case--for using Diceware would be to secure your Bitcoin wallet,
because the ledger is public and every Bitcoin node has a copy of it: if the wallet key is derived from the passphrase, an attacker
can test guesses against the ledger without ever touching your machine, and an attacker who obtains your encrypted wallet file can guess at it offline just as freely. Either way, an attacker
<a href="https://umanovskis.se/blog/post/leaky-faucet/">could attempt password cracking your wallet</a>.
</p>
<p>
Better still, <a href="https://time.com/nextadvisor/investing/cryptocurrency/should-you-use-crypto-like-cash/">don't use Bitcoin</a>.
(Seriously, <a href="https://web3isgoinggreat.com/">avoid crypto and NFTs</a>.)
</p>
<h3>FAQ: Should I add numbers or an exclamation point to my password?</h3>
<p>
No, don't do that. The short answer is that length makes your password more secure than special characters do: each extra Diceware word adds about 12.9 bits of entropy, whereas a trailing digit or exclamation point is exactly the kind of substitution that password-cracking rule sets already try. But don't take it from me, <a href="https://www.engadget.com/2017-08-08-nist-new-password-guidelines.html">take it from the man who put us through password hell</a> and regrets every minute of it.
</p>
<p>
NIST has since released new password guidelines in Special Publication 800-63B, a document which is rather lengthy, <a href="https://auth0.com/blog/dont-pass-on-the-new-nist-password-guidelines/">but summarized nicely here</a>.
</p>
<h3>FAQ: Will this protect me from phishing attacks?</h3>
<p>
Nope, even the best password in the world won't protect you if it is phished. However, a password unique to that service limits the damage to that one account. <a href="https://en.wikipedia.org/wiki/Multi-factor_authentication">Multi-factor authentication</a> will also help you, and phishing-resistant forms of it (FIDO2/WebAuthn security keys and passkeys) help the most, because they will not authenticate to a look-alike site.
</p>
<h3>FAQ: Can I share this app?</h3>
<p>
Sure! Here's a handy QR Code that your friends can scan:
</p>
<p>
<a href="./assets/img/qrcode.png"><img src="./assets/img/qrcode.png" class="responsive-qrcode" /></a>
</p>
<p>
Yes, I created that <a href="https://httpbin.dmuth.org/qrcode/">with my own QR Code Generator</a>.
In the tech industry, we call this <a href="https://en.wikipedia.org/wiki/Eating_your_own_dog_food">dogfooding</a>. :-)
</p>
<h3>FAQ: "I can't believe you're sending passwords over the Internet!"</h3>
<p>
<a href="assets/img/dude-chill-just-chill.gif">Chill</a>. I'm not. Passwords are generated within your browser and do not leave it (unless you copy them out yourself). You can confirm this yourself by watching the Network tab of your browser's developer tools while you roll: no request should be made.
</p>
<h3>FAQ: Are these dice rolls cryptographically secure?</h3>
<p>
Yes, insofar as the app uses the
<a href="https://developer.mozilla.org/en-US/docs/Web/API/RandomSource/getRandomValues">getRandomValues() function in Javascript</a>,
which the browser backs with a cryptographically strong random source (Math.random(), by contrast, is not suitable for this), and you trust that your
browser and computer have not been compromised or otherwise tampered with. Keep in mind that a not-so-theoretical attack would be for an attacker to compromise the random number generator on your computer, so that
anything encrypted, and any keys generated, with its output would be susceptible to far less intense cryptanalysis.
</p>
<h3>FAQ: How secure is the Diceware approach?</h3>
<p>
If you want the absolute worst password security, go right ahead and use the same password everywhere so that when one service is cracked, an attacker can compromise every account you own. (Please don't do that.)
</p>
<p>
If you want the absolute best security, choose a different password of completely random characters for each service, and keep them in a password manager.
</p>
<p>
If you want a middle of the road approach that offers medium security, Diceware is the way to go. I wrote it for people like <a href="https://www.flickr.com/photos/dmuth/48499048131/in/photosof-dmuth/">my parents</a>, who might struggle with a password manager or not want to enter random characters when trying to enter their Apple password into their Apple TV, or want a password to log into their Mac that they can actually remember and not have to write down.
</p>
<p>
This article is a bit dated, but the entropy (randomness) of Diceware passwords <a href="https://theintercept.com/2015/03/26/passphrases-can-memorize-attackers-cant-guess/">is substantial and can present a challenge to the NSA</a>.
</p>
<h3>FAQ: Is the source available?</h3>
<p>
Yep! You can grab a copy at <a href="https://github.com/dmuth/diceware">https://github.com/dmuth/diceware</a>
</p>
<p>
In fact, if you are nervous about generating a password on a website (even though the password is actually
generated by Javascript in your browser), I would encourage you to download the source and run it locally.
</p>
<p>
If you do want to run Diceware locally, download the source and, from its directory, start Python's built-in webserver with
this command: <tt style="background-color: #dddddd; ">python3 -m http.server 8000 --bind 127.0.0.1</tt>. You will then be able to access Diceware at
<a href="http://localhost:8000/">http://localhost:8000/</a>. The <tt style="background-color: #dddddd; ">--bind 127.0.0.1</tt> option keeps the server reachable only from your own machine; without it, http.server listens on every interface and serves the directory to everyone on your network.
(The Python 2 form, <tt style="background-color: #dddddd; ">python -m SimpleHTTPServer 8000</tt>, no longer works on systems without Python 2.)
</p>
<a name="debug"></a>
<h3>FAQ: Is there a way to roll the dice automatically?</h3>
<p>
Yes, there is. Append "?debug=N" to the URL to automatically roll the dice N times.
</p>
<p>
Examples: <a href="?debug=4">Roll the Dice 4 times.</a>
<a href="?debug=5">Or 5 times.</a>
<a href="?debug=6">Or even 6 times!</a>
</p>
<a name="skip_animation"></a>
<h3>FAQ: Is there a way to skip the dice animation?</h3>
<p>
Yeah. Append "?skip_animation" to the URL to not display the dice animation.
</p>
<p>
Examples: <a href="?debug=4&amp;skip_animation">4 dice rolls with no animation</a>
</p>
<a name="wordlist"></a>
<h3>FAQ: Can you tell me more about the list of words?</h3>
<p>
For rolls of 5 dice, I am now using <a href="https://www.eff.org/deeplinks/2016/07/new-wordlists-random-passphrases"
>the wordlist from the EFF</a>. <a href="https://github.com/dmuth/diceware/issues/30">Substantial enhancements</a> were made over the original list, designed to improve usability without compromising security.
</p>
<p>
I started off using <a href="http://world.std.com/~reinhold/diceware.wordlist.asc">the original wordlist</a>,
but it contained a lot of symbols, punctuation, numbers, and 2- and 3-letter words that I felt made
the passwords it generated <em>more</em> difficult to remember.
</p>
<h3>FAQ: How many dice are rolled per word?</h3>
<p>
Each word is chosen with 5 dice, which allows for 6<sup>5</sup> = 7,776 different words per roll.
I used to have functionality for 6 and 7 dice per word, which involved longer wordlists
in which the words became increasingly obscure. I decided to remove that functionality because
I felt it made the product harder to use and <em>less</em> accessible to the typical user.
</p>
<h3>FAQ: Is Air-gapped Operation Supported?</h3>
<p>
It is now! The entire project can be downloaded and executed on a machine that is not connected to the Internet.
I was able to pull this off due in part to uploading the code to an AWS S3 Bucket and then making that
content available via <a href="https://aws.amazon.com/cloudfront/">CloudFront</a>.
</p>
<h3>FAQ: How secure is the webserver this app is on?</h3>
<p>
I used to host this app on my personal webserver, but didn't like that doing so increased my webserver's
risk profile substantially. I've since moved the app into AWS--the HTML, Javascript, and CSS resides in an
S3 bucket, and the content is served up via <a href="https://aws.amazon.com/cloudfront/">CloudFront</a> with
an SSL certificate provided by <a href="https://aws.amazon.com/certificate-manager/">AWS Certificate Manager</a> for free.
The S3 bucket has <a href="https://aws.amazon.com/cloudtrail/">CloudTrail</a> enabled on it, so that I have
an audit trail of all actions performed on that bucket.
</p>
<h3>FAQ: Speaking of audit trails, are you keeping any logs of accesses to this website?</h3>
<p>
Hell no. I don't want to know who is using this app. More importantly, if logs are not kept, then it
means that an adversary won't know either.
</p>
<h3>FAQ: Will this work over Tor?</h3>
<p>
Yep, I tested it! Just make sure you go into the NoScript plugin and enable Javascript for this site.
</p>
<h3>FAQ: Why did you change the wordlist?</h3>
<p>
I am always considering what words I use in the wordlist. I may opt to use shorter words in the future.
</p>
<h2>Meta</h2>
<h3>Have you built anything else?</h3>
<p>
Yep! I've built a few things you may find interesting:
</p>
<ul>
<li><a href="https://httpbin.dmuth.org/">FastAPI Httpbin</a> - HTTP Endpoints for testing of your app</li>
<li><a href="https://httpbin.dmuth.org/qrcode/">Dead Simple QR Code Generator</a> - No ads. No signups. No spam. Just QR Codes when you want them.</li>
<li><a href="https://septastats.com/">SEPTA Stats</a> - Stats on Philadelphia Public Transit</li>
<li><a href="https://github.com/dmuth/splunk-lab">Splunk Lab</a> - Stand up a Splunk instance in 30 seconds</li>
<li><a href="https://github.com/dmuth/tarsplit">Tarsplit</a> - Split a tarball on file boundaries</li>
<li><a href="https://github.com/dmuth/docker-in-vagrant">Docker in Vagrant</a> - Replacement for Docker Desktop for the Mac.</li>
<li>...or just <a href="https://github.com/dmuth">poke around my GitHub</a>!</li>
</ul>
<h3>Who built this? / Contact</h3>
<p>
My name is <a href="http://www.dmuth.org/">Douglas Muth</a>, and I am a software engineer in Philadelphia, PA.
</p>
<p>
There are several ways to get in touch with me:
</p>
<ul>
<li>Email to doug.muth AT gmail DOT com or dmuth AT dmuth DOT org</li>
<li><a href="http://www.facebook.com/dmuth">Facebook</a> and <a href="http://twitter.com/dmuth">Twitter</a></li>
<li><a href="http://www.linkedin.com/in/dmuth">LinkedIn</a></li>
<li><a href="https://github.com/dmuth/diceware/issues">Opening an Issue in GitHub</a></li>
</ul>
<p>
Feel free to reach out to me if you have any comments, suggestions, bug reports, or wish to buy me a beer. 😃🍻
</p>
<br/>
<br/>
<br/>
<br/>
</div>
</div>
</div><!-- /starter-template -->
</div><!-- /.container -->
<!-- jQuery (necessary for Bootstrap's JavaScript plugins) -->
<script src="./dist/jquery.min.js"></script>
<!-- Include all compiled plugins (below), or include individual files as needed -->
<script src="./dist/bootstrap.min.js"></script>
<script src="./dist/bundle.js"></script>
</body>
</html>