As I already wrote elsewhere, I'm using separate users, email addresses and passwords for any account I create somewhere. For the passwords I use diceware passwords, which are the most secure ones. Until now I "generated" them myself without really using dice or some kind of dictionary. A somewhat boring process, so I decided to do something about it and wrote a little tool for this: dicepwgen.
It's written in C, licensed under the GPL version 3 and doesn't have any special dependencies, so it should compile on almost any Unix platform. The tool uses a dictionary file (there's a built-in default location, but it can be changed via the -f flag). It does a couple of "tricks" to fulfill the diceware process: since a dictionary file has way more entries than are reachable with five dice (a diceware word list contains only 7776 entries), it jumps over a random number of lines when reading in the dictionary file. It indexes each entry with a "dicey" number, that is, a number consisting only of the digits 1, 2, 3, 4, 5 and 6.
Then there are two operational modes: in the default mode it generates a couple of dice rolls (by default 4, which can be changed as well), looks up the matching words from the list and prints them. In interactive mode, which can be enabled with the -t switch, it asks the user to enter the dice rolls. In that mode the user has to roll physical dice and enter whatever shows up. Passwords generated this way are truly random.
It should be noted that dicepwgen only uses words consisting of plain ASCII characters (a-zA-Z) and ignores all others. So passwords generated with dicepwgen do not contain UTF-8 or latin1 characters, whatever encoding the dictionary file may use. This behavior is intentional, since it is not wise to use UTF-8 or other non-ASCII characters for passwords anyway. It also ignores words which are too short or too long; these limits can be tweaked with -l and -m.
Usage example (default mode, the tool "rolls" the dice):
% dicepwgen
granting frightens parrakeet flukes
And here is how it looks if the user rolls the dice:
% dicepwgen -t
dice roll 1 - enter 5 digits, each between 1-6: 34112
dice roll 2 - enter 5 digits, each between 1-6: 62155
dice roll 3 - enter 5 digits, each between 1-6: 33431
dice roll 4 - enter 5 digits, each between 1-6: 16261
Gonzalo armrest Capistrano eaters
Ok, not much to see :) But good tools are simple to use, aren't they?
I added a new flag -y which causes whitespaces to be replaced with dashes and adds %8 to the end of the generated passphrase.
Often I stumble upon sites with so-called “password policies”, and in many cases it’s not possible to use unaltered diceware passphrases on such sites: either they do not support whitespace or they require numbers and non-letter characters to be present.
So, this is what -y does: satisfy those sites with their horrible policies while still being able to use a diceware passphrase. This is possible because it doesn’t matter whether the dice words are separated with a dash, a whitespace or even nothing: the entropy is the same. That -y adds a constant %8 to the end doesn’t matter either: the security lies in the dice words.
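As an added illustration (my own code, not dicepwgen's), here are the three pieces the post describes: the mapping between a five-digit dice roll and a zero-based list index (and back to a "dicey" label), the filter that keeps only plain ASCII words within the -l/-m bounds, and the joining step with the -y policy mode (dashes plus a trailing %8). Function names and the fixed 256-byte output buffer are my own choices.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define DICE_DIGITS 5                      /* 6^5 = 7776 list entries */

/* "34112" -> zero-based list index, or -1 unless exactly five digits in 1..6 */
int dice_to_index(const char *roll) {
    int idx = 0;
    if (strlen(roll) != DICE_DIGITS) return -1;
    for (int i = 0; i < DICE_DIGITS; i++) {
        if (roll[i] < '1' || roll[i] > '6') return -1;
        idx = idx * 6 + (roll[i] - '1');
    }
    return idx;
}

/* zero-based index -> the "dicey" label made only of digits 1..6 */
char *index_to_dice(int idx, char out[DICE_DIGITS + 1]) {
    out[DICE_DIGITS] = '\0';
    for (int i = DICE_DIGITS - 1; i >= 0; i--, idx /= 6)
        out[i] = (char)('1' + idx % 6);
    return out;
}

/* 1 if roll -> index -> roll is the identity, i.e. the roll was valid */
int dice_roundtrip(const char *roll) {
    char buf[DICE_DIGITS + 1];
    int idx = dice_to_index(roll);
    return idx >= 0 && strcmp(index_to_dice(idx, buf), roll) == 0;
}

/* keep only words made of plain ASCII letters within the -l/-m bounds */
int word_ok(const char *w, size_t minlen, size_t maxlen) {
    size_t n = strlen(w);
    if (n < minlen || n > maxlen) return 0;
    for (size_t i = 0; i < n; i++)        /* C locale: isalpha is A-Z a-z only */
        if (!isalpha((unsigned char)w[i])) return 0;
    return 1;
}

/* join with ' ' or, in policy mode (-y), with '-' and a trailing "%8" */
const char *join_words(const char *const *words, int n, int policy) {
    static char out[256]; size_t len = 0;
    out[0] = '\0';
    for (int i = 0; i < n && len < sizeof out; i++)
        len += (size_t)snprintf(out + len, sizeof out - len, "%s%s",
                                i ? (policy ? "-" : " ") : "", words[i]);
    if (policy && len < sizeof out) snprintf(out + len, sizeof out - len, "%%8");
    return out;
}
```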