Diceware & Passwords - Computerphile

Diceware: choosing a passphrase with an unbiased die

In our previous videos on password cracking and choosing good passwords, we received several requests from viewers asking about a passphrase-selection mechanism called Diceware. Today we look at this system, its pros and cons, and how it compares to other methods.

The prop for the occasion is an unbiased casino die. A die biased towards six would have improved my performance in games; it would also bias the passphrase, because Diceware relies on every face being equally likely on every roll.

When we discussed passwords last time, my hypothetical scheme was four random words with a symbol or two inserted at a random position inside a word. I chose that because it is a reasonable compromise between typing something very long and remembering something hard, while still being difficult for an attacker to break.

Diceware is similar to that scheme, but the difficulty of cracking it is defined mathematically, which is why people like it. When I append four "random" words, there are two concerns: (1) how random are these words really? and (2) if an attacker brute-forces my password knowing the scheme, can they work out the list of all the words I might have used?

I try to throw attackers off by choosing slightly odd words, but most people will not. If everyone in the country, or the world, used this scheme, many would pick easily guessable words, the "correct horse battery staple" point that xkcd made. The real entropy of a word chosen in your head is unknowable: a word that feels random may have been prompted by a book spine or a bus advert you saw that morning.

Diceware removes that uncertainty. Each word is selected by five rolls of a fair die, giving one of 6^5 = 7776 entries on a published list, so every word is uniform and independent and the list itself can be public. An attacker who knows the scheme faces 7776^n candidates for an n-word passphrase: about 12.9 bits per word and about 64.6 bits for five words (the video rounds this to 64.5), so on the order of 2^63 guesses on average, each of which costs a password hash. The search space is known exactly, there is no security through obscurity, and when computing power grows you just add another word.

Ultimately Diceware offers a well-defined approach to passphrase creation: truly random words, optionally with a random symbol at a random position, that are strong while remaining short enough to type and memorable enough for everyday use.
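To make the strength arithmetic concrete, here is an added Python example. It is not code from Computerphile, from the video, or from Arnold Reinhold's Diceware site. It parses the Diceware list format (a five-digit roll key, a tab, a word) from a constructed excerpt, rolls an unbiased die with the `secrets` module, computes the 7776^n search space and its entropy, shows what a loaded die does to the guessing (min-)entropy, and checks the word list for the concatenation ambiguity that is the reason for keeping spaces between words. Only the two rolls read out in the video (56451 tapir, 52462 rw) come from the page; the other excerpt entries are made up, and every key missing from the excerpt is filled with a placeholder so the generator runs offline without the full 7776-line list, which the page does not reproduce.

```python
"""Diceware passphrase generation and strength arithmetic (added example).

The excerpt below is constructed: 56451 tapir and 52462 rw are the rolls
read out in the video, the rest are made-up entries, and keys not present
are filled with a '<key>' placeholder so generation can run stand-alone.
"""
import math
import secrets

SIDES = 6
ROLLS_PER_WORD = 5
LIST_SIZE = SIDES ** ROLLS_PER_WORD  # 6^5 = 7776 words

# Constructed excerpt in the Diceware list format: "<five rolls>\t<word>".
EXCERPT = """\
11111\ta
11112\tin
11113\tto
11114\tinto
52462\trw
56451\ttapir
"""


def parse_list(text):
    """Parse 'rolls<TAB>word' lines into {rolls: word}, validating each key."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split("\t", 1)
        if len(key) != ROLLS_PER_WORD or any(c not in "123456" for c in key):
            raise ValueError(f"bad Diceware key: {key!r}")
        table[key] = word.strip()
    return table


def all_keys():
    """Every five-roll key from 11111 to 66666 in list order (7776 keys)."""
    keys = []
    for i in range(LIST_SIZE):
        digits, n = [], i
        for _ in range(ROLLS_PER_WORD):
            digits.append(str(n % SIDES + 1))  # base 6, digits 1..6
            n //= SIDES
        keys.append("".join(reversed(digits)))
    return keys


def build_table(excerpt=EXCERPT):
    """Excerpt entries plus a '<key>' placeholder for every key not present."""
    table = {k: f"<{k}>" for k in all_keys()}
    table.update(parse_list(excerpt))
    return table


def fair_roll():
    """One unbiased roll; secrets.randbelow rejection-samples, so no modulo bias."""
    return secrets.randbelow(SIDES) + 1


def generate_passphrase(table, n_words=5, roll=fair_roll):
    """Roll five times per word, look each key up, return the list of words."""
    words = []
    for _ in range(n_words):
        key = "".join(str(roll()) for _ in range(ROLLS_PER_WORD))
        words.append(table[key])
    return words


def entropy_bits(n_words, list_size=LIST_SIZE):
    """An attacker who knows the scheme faces list_size**n_words candidates."""
    return n_words * math.log2(list_size)


def expected_guesses(n_words, list_size=LIST_SIZE):
    """On average the right phrase is found halfway through the space."""
    return list_size ** n_words / 2


def min_entropy_per_word(die_probs):
    """Guessing entropy of one word with a possibly loaded die: 5 * -log2(max p).

    A fair die gives 5 * log2(6) = 12.92 bits; a die that lands on six a
    quarter of the time gives only 10 bits, which is why the die must be fair.
    """
    if len(die_probs) != SIDES or abs(sum(die_probs) - 1) > 1e-9:
        raise ValueError("need six probabilities summing to 1")
    return ROLLS_PER_WORD * -math.log2(max(die_probs))


def concatenation_ambiguities(table):
    """Pairs (a, b) of list words whose concatenation is itself a list word.

    Written without spaces, such a pair collapses to one word and the
    effective word count, and so the entropy, drops; that is why the
    video keeps spaces between words.
    """
    words = set(table.values())
    found = set()
    for w in words:
        for i in range(1, len(w)):
            a, b = w[:i], w[i:]
            if a in words and b in words:
                found.add((a, b))
    return sorted(found)


if __name__ == "__main__":
    table = build_table()
    print(" ".join(generate_passphrase(table)))
    print(f"{entropy_bits(5):.1f} bits, ~2^{math.log2(expected_guesses(5)):.1f} guesses")
    print("fair die bits/word:", round(min_entropy_per_word([1 / 6] * 6), 2))
    print("loaded die bits/word:", round(min_entropy_per_word([0.15] * 5 + [0.25]), 2))
    print("ambiguous pairs:", concatenation_ambiguities(table))
```

The `roll` parameter exists so a recorded sequence of physical rolls can be fed in instead of `secrets`; with the video's rolls 5 6 4 5 1 the generator returns "tapir". The min-entropy figure uses the most likely face rather than the Shannon average, because an attacker who knows the die is loaded tries the most probable keys first.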

Transcript

We've done a few videos on passwords: cracking passwords, choosing good passwords. And I've had a few requests, both by email and, you know, Twitter, and in the comments, about a password-choosing mechanism called Diceware. So I thought we'd look at this and think about the pros and cons of this quite interesting system for choosing passwords.

So here's my nice unbiased casino dice that I got just for this occasion. I was quite excited. Apparently this dice is not biased towards rolling a six, which actually would just mean my performance in games goes down.

When we spoke about passwords last time, my hypothetical password mechanism was something like four random words with a bit of, you know, symbols added in, maybe randomly in the middle of a word. Now I chose that because I felt it was a nice compromise between having to type something in that's really, really long and having something that's not too hard to remember, but also quite hard to break. Now Diceware is in some sense quite similar to this scheme, but it's perhaps more mathematically defined exactly how hard it is to break, which is why people like it. Because I think the question comes down to: in my scheme, if I pick four random words, how random are those words truly? If an attacker wanted to brute-force my password, and they know, for example, that I'm using four words appended together, then what they're going to want to do is try and work out the list of all the words I might have used.

Now, I try and throw them off a bit by using slightly odd words, but I'm a bit weird. But for the majority of people, let's imagine that everyone in the country, or everyone in the world, is using this password scheme: lots of people are going to pick really easy words, you know, back to the correct horse battery staple thing. xkcd alluded to this, and we'll talk about that in a minute, but didn't necessarily answer every question. But it did get a good message across: the entropy, or the number of possible words that you've chosen, is going to differ from person to person, right? If one of the words I pick is "database", is that because I've picked that right out at random, or is it because it says "Databases" on this book up here and I accidentally saw it in the corner of my eye?

Don't pan to the bit with no books on it.

Yeah, I'm just looking at your collection of cubes. All solved!

That's how I roll. So what Diceware does: the website was established in 1995 by a guy called Reinhold from the United States. What it is is a way of using dice to ensure that the words you're picking are actually random rather than just what you think is random, and that way we have a very nicely defined, should we say mathematical, difficulty for brute-forcing that password. So this is the Diceware list. I guess it's a kind of compromise between the number of dice you just have to roll incessantly to come up with passwords and being fairly quick, but there are 7776 words on this, which is all the different combinations of five dice rolls, right? So that's why I've got my nice unbiased dice; we don't want to be accidentally biasing me towards the end of this document, for example. So as an example, we roll the dice. It's a five. Each of these has five numbers from one to six in front of the word, which tells you which word you're going to pick.

So these are the fours; I'm on to the fives. There's the start of the fives there. Then roll the dice again. It's a six, so I'm now on to the five-sixes, which is here. And then again: five, six, four, five, one. Five six four five one is the word "tapir", as in the animal with the snout. So that's the first word of my password, so let me write that down. This could take a little while; this is where you need to use all of your video editing skills. Tapir, right. Let's do this again.

Okay: 1 3 2 1 3. If you've done this a lot of times, maybe it'd be faster. 1 3 2 1 3, there we are. Back up. Nice. 5 1 3 3... what is it, 1 5 1 3 3 1?

How many times have you got to do this?

Good question. "Rand", interesting. R-A-N-D.

Ah, South African currency?

Yeah, and also short for random, which is what we're doing now. 5 2 4 6 2: "rw". Interesting, read/write. Yeah, so not all of these are full words; that's one of the things about this list. 3 6 4 2 2... three six four two two. They're guaranteed to be unbiased, I think, but then I got them cheaply off the internet, so I don't actually know. Okay, so let's stop there. I've got five words right now. Is this password really good? Well, the first thing to notice: what you don't want to do when you're picking a password is record it on video and show it on the internet, so I probably won't put this as my actual password, but there will be a few people that try nonetheless. We've rolled the dice five times per word, we find the word, and then we put spaces in between, and that's our passphrase, right? So that is literally our password then, for whatever purpose we want. Why is this better than what I was doing? Well, it's different, mostly. There's a few questions we've got, right?

The first is: "But is this a reasonable password in terms of strength?" Also, "How practical is it to type in?" It took a little while to generate, but if you're doing it a couple of times for the front end of a password manager, maybe that's not such a big deal. One thing that's worth noting is that this isn't all the words in the English language. This is a carefully chosen 7700 words, but they're nice and short, so most of the words are fewer than five characters; there's a few really short ones. The idea being that even if you've got a five-word or six-word passphrase, it's never going to get that long; you should get quite quick at typing it in. But the real benefit of this system is that these are actually random, as opposed to what I've perceived to be random because I thought of a word in my head, which might have been a word that I happened to see on the side of a bus this morning. In the previous videos we talked about brute forcing, about you not knowing what any of the characters were, and how we make it easier for the attacker by using a dictionary of known words.

Yeah, so this is literally providing a dictionary, right?

Yeah. That's the drawback in some sense, and the strength. So we know exactly what words could appear in my passphrase, but even so, we still can't break it because I've used too many of them. So in some password schemes, like ones where I pick words at random from a dictionary in my own brain, I'm working under the assumption that that's secure because no one else knows how it works, no one can reverse-engineer that process. That might be true, it might not be true.

It depends how well you know me. This process is extremely open: everyone knows what the password list was, everyone knows what my password is going to be like, but they still can't break it because it's 2 to the 64 operations, which is too much. What we don't want is security through obscurity, right? If I only use a 500-word dictionary, that's fine as long as I keep that dictionary secret. That doesn't seem like a very good idea, because then that dictionary might accidentally come out, and then it would be incredibly easy to break my password. So what is the strength of this password? Well, each of these words has come from 7776, right? So we can assume that the attacker knows that I'm using this password scheme, so they know my password is five words separated by spaces, which adds nothing because they know what the spaces are, out of a possible 7776. So the strength of this password is actually 7776 to the 5. Another way of looking at it is how many bits of entropy does this password have, because a lot of the time that's how we view passwords. Each of these words is 12.9 bits, so 12.9 times 5 words is 64.5 bits, which is pretty good actually. That means that on average an attacker is going to have to do about 2 to the 63, just under 2 to the 64, operations to guess your password in brute force. That's quite a lot of operations, particularly given they're going to have to perform some hash to do this. The nice thing about this password scheme is we know exactly how secure it is, right? As opposed to we're guessing that the words aren't just words I know and someone can social-engineer those words. And also, if we want it to be more secure, we can just add another word, or another word as computational power goes up. We just add more words, and we can probably remember a few words, or if they get really long, write them down and put it in our wallet. Don't lose it.

I'm guessing as well you could potentially vary the whole spaces thing, right?

Yeah, so the spaces thing is not hugely important. The reason it's there is because sometimes you might accidentally join two words together and them actually be a different word on here, in which case your search has gone down to four words, right? So if you're being careful that these are all actually different words and they don't concatenate to make another word, you don't need the spaces, or you could use a different character. You could also do what I did and use fewer words and put a random character in, right? Now, on the website he has plenty of ways of using dice for choosing random characters as well, because again, when I pick a symbol it's often, you know, a star or an ampersand or an underscore. Those aren't all the characters that exist. So it's a really interesting twist on picking passwords. This came about, you know, a few years ago now, where maybe a four-word password was reasonable. Now, in some sense, you can't imagine that seven- or eight- or nine-word passwords are that feasible for the majority of users; there has to be some usability considerations. But on the other hand, five's not too bad, or, as I say, four, but then make an unexpected alteration like adding a random symbol at a random position, not between the words, and that will significantly increase the amount of time it would take to break. You can get too carried away, like with password security I have, and so half the time I can't log in because I get my password wrong. But the thing you also have to remember is that this is way beyond a normal brute-force attack by someone who just happens to have found your password hash on Pastebin, right? When we're talking about five- or six-word passwords, we're talking about nation-state level, and you've got to really wonder whether they really care about your individual password. You might still want to secure it against them anyway.

That's for you to decide, but they may just visit you instead.

We'll put a link to the website in the description as well, so you can have a look through. He's considered almost every possible angle for this: when do you add symbols, how many words is enough for the level of security you want? It's a really good, interesting look into password security, so I recommend you have a look.