3

This is partly an exercise to see if I understand passphrase generation from a given dictionary using the DiceWare technique. But also for possible personal usage.

All three-letter word lists I can find generally involve words allowed in Scrabble and almost all include 1014 words. I would reduce this list to 972.

If I now include all combinations of capitalization of these words in my dictionary (all lower, 1st upper, 2nd upper, 3rd upper, 1/2 upper, 1/3 upper, 2/3 upper, 1/2/3 upper), that would give me 972 x 8 = 7776 words. The right amount for a 5-dice DiceWare dictionary. I can now use 5 dice to generate a passphrase.

This would minimize typing, though I'd have to use the shift key a lot, which probably negates any gain.

I also wouldn't have to type spaces since there is no chance of a combo word of six letters being in my dictionary, right?

Even though the number of entries in my dictionary is 7776, the number of words is only 972. Does this give a cracker any advantage?

5
  • 2
    This would at least make the resulting passwords always the same length, which reduces key space for an attacker quite a bit. Additionally, the pro of diceware is to generate easy to memorize passwords - if you have variations in words with upper and lower case letters, that makes memorizing hard, so you are losing the UX-benefit.
    – Tobi Nary
    Commented Sep 18, 2017 at 4:24
  • 1
    @SmokeDispenser It's true that knowing the password length reduces the keyspace, but I wouldn't say "quite a bit". If they know that it's 4 words, that means they don't have to try 1, 2, or 3 word passwords, so they've eliminated (7776^1+7776^2+7776^3)/(7776^1+7776^2+7776^3+7776^4) ~= 0.013%, about 1/7776th of the keyspace.
    Commented Sep 18, 2017 at 14:24
  • @AndrolGenhald you're missing my point. Using regular diceware, the dictionary space is way bigger, with variable word lengths, the space is enormously big, whereas exactly 15 characters is quite small in comparison.
    – Tobi Nary
    Commented Sep 18, 2017 at 15:59
  • 2
    @SmokeDispenser, and you're missing the point of Diceware in general. In Diceware the character length is irrelevant and has no bearing whatsoever on the strength of the phrase. The entire strength is calculated from the number of words and the dictionary size.
    – Ben
    Commented Sep 18, 2017 at 16:04
  • … if the adversary knows about the method of password generation. For a black box, brute force attacker, the length is relevant. Yet given: 12 characters is quite long, too, in that scenario
    – Tobi Nary
    Commented Sep 18, 2017 at 16:21

1 Answer

2

It only gives the cracker an advantage if you get very very unlucky with your dice rolls and end up with a phrase consisting of one word repeated 5 times. In which case, just roll again.

As @SmokeDispenser points out in the comments however, doing this will remove one of the main benefits of Diceware, which is that Diceware does not require you to memorize weird tricks and transformations in addition to the words. So you're hurting yourself with this method to some extent. If it's easy enough for you to memorize still, then go for it, but I'd personally prefer typing a few extra characters over memorizing weird capitalization or character substitution schemes.
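The scheme from the question, worked through as an added example that is not part of the original question or answer: five dice select one of 972 x 8 = 7776 entries, the index splits into a word number and a capitalization mask, and the fixed three-character width lets a phrase without spaces be split back unambiguously. The word list here is a constructed stand-in ("aaa", "aab", ...) and all function names are hypothetical.

```python
import itertools
import math
import secrets
import string

WORDS_NEEDED = 972   # from the question: 972 words x 8 casings = 7776
CASINGS = 8          # 2**3 upper/lower patterns for three letters

# Constructed stand-in list, not real words; swap in a real 972-word list.
WORDS = ["".join(t) for t in itertools.islice(
    itertools.product(string.ascii_lowercase, repeat=3), WORDS_NEEDED)]

def apply_mask(word, mask):
    """Uppercase letter i of word when bit i of mask (0..7) is set."""
    return "".join(c.upper() if (mask >> i) & 1 else c
                   for i, c in enumerate(word))

def entry_from_rolls(rolls):
    """Map five dice (each 1..6) to exactly one of the 7776 entries."""
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five rolls in 1..6")
    index = 0
    for r in rolls:                  # read the rolls as a base-6 number
        index = index * 6 + (r - 1)
    word_no, mask = divmod(index, CASINGS)
    return apply_mask(WORDS[word_no], mask)

def passphrase(entries=5, roll=lambda: secrets.randbelow(6) + 1):
    """Concatenate entries with no separator; roll may wrap physical dice."""
    return "".join(entry_from_rolls([roll() for _ in range(5)])
                   for _ in range(entries))

def split_entries(phrase):
    """Every entry is 3 characters, so a space-free phrase splits one way."""
    return [phrase[i:i + 3] for i in range(0, len(phrase), 3)]

def entropy_bits(entries):
    """Strength against an attacker who knows the scheme and the list."""
    return entries * math.log2(WORDS_NEEDED * CASINGS)
```

Because every roll sequence maps to a distinct entry, each entry contributes log2(7776), about 12.9 bits, with fair dice, whether the 7776 entries come from 7776 words or from 972 words in 8 casings.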
