Information Security is a Roll of the Dice Away

A friend who works for a very security conscious organization surprised me when he asked why I had a plastic cup on my desk containing half a dozen dice cubes. Everybody knows why you keep dice at your desk, don’t they?

Passwords used to be the cornerstone of data security. Whether you were signing onto the company LAN, starting your laptop, or receiving email, passwords were required to keep out the thieves and brigands. Well, today passwords are obsolete! Today you need a passphrase!

One must think of passwords and passphrases as a series of locked doors, each more robust than the last. Take, for example, the log-on password required by most operating systems: these passwords are usually limited to about fourteen characters.

A poorly chosen password is, to a burglar, like a flimsy door with a simple latch. Because passwords are so vulnerable, we must turn to more robust methods of protecting critical data. This usually means some form of encryption.

Encryption systems depend upon some type of key to encrypt and decrypt the data. If you have the key, you have the data. Encryption systems like PGP encode the private key and require a long passphrase to make the key usable. It is important to secure the key with a strong passphrase because the key exists as a file that could be copied and used by your worst enemy.

If you take a list of the employees at any company and then look at the logon passwords, you will find at least one matching an employee’s name. The user’s favorite quotation from The Catcher in the Rye is probably a bad choice for a passphrase, as hackers collect lists of favorite passphrases.

The best method of choosing passphrases entails a simple prescribed method that produces a memorable passphrase. Without going into the mathematical details, a secure passphrase consists of five words. This is where we use the dice.

While a password is typically 10 to 14 characters long, a passphrase is typically about twice that length. Unfortunately, people have a hard time remembering a long jumble of characters.

The Diceware solution involves picking a passphrase using ordinary dice to select words from a word list at random. A five-digit number precedes each word in the list, and each digit is from one to six. If you roll five dice and arrange them in a row, you have the number that corresponds to a word in the list. Some lists contain about 8000 words, abbreviations, and easy-to-remember character strings.

If the resulting passphrase consists of 14 or fewer characters and spaces, you should start over. Start again, too, when the resulting passphrase is a recognizable sentence.
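Here is the selection procedure above written out as a small Python script. It is an added example, not code from this post or from the Diceware site, and it assumes the list file uses one "five dice digits, tab, word" entry per line; the eight-entry list embedded below is a constructed excerpt, so with it most rolls miss and are simply re-rolled.

```python
import math
import secrets
# Constructed excerpt in the list's format; the real list has one entry per key 11111..66666.
SAMPLE_LIST = """11111\ta
11112\ta&p
11113\ta's
22222\tcliff
33333\tgum
44444\tmeant
55555\tsavoy
66666\tzz
"""

def parse_wordlist(text):
    """Map each five-digit key to its word, e.g. {'22222': 'cliff', ...}."""
    table = {}
    for line in text.splitlines():
        if line.strip():
            key, word = line.split("\t", 1)
            table[key] = word.strip()
    return table

def roll_die():
    """One die roll simulated with the OS CSPRNG (random.randint is not suitable)."""
    return secrets.randbelow(6) + 1

def rolls_to_key(rolls):
    """Five dice read left to right form the lookup key: (2, 2, 2, 2, 2) -> '22222'."""
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five values in 1..6")
    return "".join(str(r) for r in rolls)

def too_short(passphrase):
    """The post's rule: 14 or fewer characters, spaces included, means start over."""
    return len(passphrase) <= 14

def entropy_bits(words, list_size=6 ** 5):
    """Each word drawn uniformly from a 7776-entry list adds log2(7776) ~ 12.9 bits."""
    return words * math.log2(list_size)

def make_passphrase(table, words=5, roll=roll_die):
    """Roll five dice per word, join with spaces, and retry if the result is too short."""
    while True:
        chosen = []
        while len(chosen) < words:
            key = rolls_to_key([roll() for _ in range(5)])
            if key in table:          # every key hits when the list is complete
                chosen.append(table[key])
        phrase = " ".join(chosen)
        if not too_short(phrase):
            return phrase
```

With the full list, five words give about 64.6 bits of entropy, which is where the "five words" figure comes from.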

The advantages of this method of choosing passphrases are:

• Easy to learn and use

• Extremely secure

• Totally prescriptive

• Transparent — you don’t have to “trust” anybody

• Free – no software or hardware required

For more information on the Diceware solution visit: http://world.std.com/~reinhold/diceware.html.
