Warning: Advanced adversaries with modern technology are estimated to conduct brute-force attacks at more than a trillion attempts per second.
If weak passwords (passphrases) are used, they can be easily determined by brute-force attacks, whether or not Whonix is installed. In essence, attackers systematically try all passwords until the correct one is found, or attempt to guess the key which is created from the password using a key derivation function (an exhaustive key search). This method is very fast for short and/or non-random passwords.
Generating Unbreakable Passwords
To generate passwords which cannot be brute-forced over millions or even billions of years, users should default to lengthy diceware passwords based on information in the next section. Note that this entry assumes quantum computers which have broken or weakened common cryptographic algorithms (for example, by halving the key size of symmetric keys) do not already exist. Wikipedia explains how diceware operates:
Diceware is a method for creating passphrases, passwords, and other cryptographic variables using ordinary dice as a hardware random number generator. For each word in the passphrase, five rolls of the dice are required. The numbers from 1 to 6 that come up in the rolls are assembled as a five-digit number, e.g. 43146. That number is then used to look up a word in a word list. In the English list 43146 corresponds to munch. By generating several words in sequence, a lengthy passphrase can be constructed.
A Diceware word list is any list of 6^5 = 7,776 ... unique words, preferably ones the user will find easy to spell and to remember... The level of unpredictability of a Diceware passphrase can be easily calculated: each word adds 12.9 bits of entropy to the passphrase... This level of unpredictability assumes that a potential attacker knows that Diceware has been used to generate the passphrase, knows the particular word list used, and knows exactly how many words make up the passphrase. If the attacker has less information, the entropy can be greater than 12.9 bits per word.
A suitable diceware word list can be found here. It is available in a long list version for those using 5 dice, or in a short list version if using only 4 dice. Note that only using 4 dice and shorter word lists reduces the entropy to 10.3 bits per word, so a longer password must be generated to be safe. 
Diceware Password Strength
Entropy is a measure of the uncertainty or randomness of a system. The concept is a difficult one to grasp fully and is confusing, even to experts. Strictly speaking, any given passphrase has an entropy of zero because it is already chosen. It is the method you use to randomly select your passphrase that has entropy. Entropy tells how hard it will be to guess the passphrase itself even if an attacker knows the method you used to select your passphrase. A passphrase is more secure if it is selected using a method that has more entropy.
Entropy is measured in bits. The outcome of a single coin toss -- "heads or tails" -- has one bit of entropy.
Table: Diceware Password Strength 
| Word Total | Bits of Entropy | Estimated Brute-force Time (Classical Computing) | Future-proof Safety | Post-quantum Secure |
|---|---|---|---|---|
| Eight | ~103 | ~15 x age Universe | Yes | No |
| Nine | ~116 | ~119,441 x age Universe | Yes | No |
| Ten | ~129 | ~928,773,415 x age Universe | Yes | No |
| Fifteen | ~194 | ~26,405,295,715,806,668,059,525,829,264 x age Universe | Yes | Yes |
| Twenty | ~259 | ~750,710,162,715,852,378,145,230,792,130,183,941,981,164,925,924 x age Universe | Yes | Yes |
Classical Computing Attack
- Diceware passphrases of 7 to 8 words in length are likely to be sufficient for several decades or more.
- Generally speaking, lower entropy is reasonable against online attacks, because services limit the number of incorrect username/password combinations.
- For important cryptographic keys or valuable encrypted external media, users are recommended to generate diceware passphrases of 10 words or more, since this removes the feasibility of brute-forcing predicated on a rapid improvement in classical technology.
Quantum Computing Attack
- For symmetric keys, diceware passphrases of 15 words or more are likely to be sufficient for the foreseeable future. However, it is recommended to use a 20-word passphrase to completely rule out the possibility of brute-forcing.
- It is possible to attain comparable entropy without creating longer passphrases, but this necessitates a larger diceware list than is outlined in this entry. 
- All traffic relying on asymmetric public-key cryptography will be broken, such as browsing and email using SSL/TLS, PGP-encrypted email, and all Tor network activity (at least until quantum-resistant ciphers are introduced). 
- Longer term defense requires the widespread adoption of post-quantum cryptographic algorithms.
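The figures in the table and the two lists above can be reproduced with a short calculation. The following is an added example, not part of the original page; the age-of-universe constant and the average-case search (half the keyspace) are assumptions chosen to approximate the table, and the function names are illustrative.

```python
import math

GUESSES_PER_SECOND = 1e12              # attack rate quoted on this page
SECONDS_PER_YEAR = 365.25 * 24 * 3600
AGE_OF_UNIVERSE_YEARS = 13.8e9         # assumption: approximate value

def bits_per_word(list_size):
    """Entropy contributed by one word chosen uniformly from the list."""
    return math.log2(list_size)

def passphrase_bits(words, list_size=6**5):
    """Total entropy of a passphrase of `words` independent random words."""
    return words * bits_per_word(list_size)

def words_needed(target_bits, list_size=6**5):
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / bits_per_word(list_size))

def universe_ages_to_crack(words, list_size=6**5, rate=GUESSES_PER_SECOND):
    """Average search time (half the keyspace) as a multiple of the age of the universe."""
    guesses = list_size ** words // 2
    years = guesses / rate / SECONDS_PER_YEAR
    return years / AGE_OF_UNIVERSE_YEARS

def grover_effective_bits(words, list_size=6**5):
    """Page assumption: a quantum search halves the effective key size."""
    return passphrase_bits(words, list_size) / 2

if __name__ == "__main__":
    for n in (8, 9, 10, 15, 20):
        print(f"{n:2d} words: {passphrase_bits(n):6.1f} bits, "
              f"{universe_ages_to_crack(n):.3g} x age of universe, "
              f"{grover_effective_bits(n):6.1f} bits after halving")
    # The short (4-dice) list has 6**4 = 1,296 words, so it needs more
    # words to reach the same strength as the long (5-dice) list.
    print("128 bits:", words_needed(128), "words (long list),",
          words_needed(128, 6**4), "words (short list)")
    print("256 bits:", words_needed(256), "words (long list)")
```

With the long list, 128 bits needs 10 words and 256 bits needs 20, which is where the 10-word and 20-word recommendations above come from; the short list needs 13 words for 128 bits.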
Password Generation Method
Generating truly random passwords in a secure manner is surprisingly difficult. Experts in the field note it is preferable to rely on physical measures of randomness when creating diceware passwords: 
Generating truly random numbers using a computer is very tricky. The so-called random number generators that come with most programming libraries are nowhere near good enough. For most users dice is by far a better way to select passphrase words.
In light of this advice, common password generation methods can be classified for safety:
- Safest: Physical measures of randomness only, such as dice, coins or similar methods.
- Safe: A combination password using both physical measures and reputable software.
- Potentially Unsafe: Software used in isolation introduces unknown variables. The software or libraries may be flawed, or the VM used for password generation may already be infected. 
As dice are commonly used, it is important to note they must be correctly weighted to guarantee that words are chosen at random. If possible, source translucent casino dice from a reputable manufacturer, since traditional gaming sets typically have poor-quality dice, which introduces statistical bias.
Advanced users can install the diceware package from Debian testing in order to create diceware passwords from the command line.
To generate a 10-word password, run:
diceware -n 10
Follow this additional advice for diceware passwords: 
- Diceware passwords should have spaces between each word, otherwise the strength of the password is materially weakened. For example, a six-word passphrase without spaces “stray clam my aloof micro judo” has the same strength as a five-word passphrase “stray clammy aloof micro judo” with spaces.
- Only change passwords if a compromise is suspected.
- Random character capitalization is not recommended. Although it adds 1 bit per character, it requires regular pressing of the shift key - slowing down typing and increasing the number of keystrokes. Instead, it is better to just make the passphrase longer if additional entropy is required.
- If users do not have access to dice, a conversion table and three different coins can be used to generate an equivalent "dice roll". 
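The dice lookup quoted from Wikipedia and the warning above about omitting spaces can both be checked in code. This is an added example, not code from the original page or from the diceware package; the word list is a constructed sample in an assumed `rolls<TAB>word` format, and only the pairing of 43146 with munch comes from the page.

```python
import re

# Constructed sample list; a real list has 6**5 = 7,776 lines.
# Apart from 43146 -> munch, the roll numbers below are made up.
SAMPLE_LIST = """\
43146\tmunch
11111\tstray
11112\tclam
11113\tmy
11114\tclammy
11115\taloof
11116\tmicro
11121\tjudo
"""

def load_wordlist(text):
    """Parse 'rolls<TAB>word' lines, rejecting malformed or duplicate entries."""
    table = {}
    for line in text.splitlines():
        rolls, word = line.split("\t")
        if not re.fullmatch(r"[1-6]{5}", rolls) or rolls in table:
            raise ValueError(f"bad entry: {line!r}")
        table[rolls] = word
    return table

def words_from_rolls(rolls, table):
    """Map each group of five physical dice rolls to its word."""
    groups = rolls.split()
    for group in groups:
        if not re.fullmatch(r"[1-6]{5}", group):
            raise ValueError(f"not five dice rolls: {group!r}")
    return [table[group] for group in groups]

def min_words(joined, vocabulary):
    """Fewest list words that concatenate to `joined` (None if impossible)."""
    best = [0] + [None] * len(joined)
    for end in range(1, len(joined) + 1):
        for word in vocabulary:
            start = end - len(word)
            if start >= 0 and best[start] is not None and joined[start:end] == word:
                if best[end] is None or best[start] + 1 < best[end]:
                    best[end] = best[start] + 1
    return best[-1]

if __name__ == "__main__":
    table = load_wordlist(SAMPLE_LIST)
    print(words_from_rolls("43146 11111", table))
    six = ["stray", "clam", "my", "aloof", "micro", "judo"]
    print(len(six), "words rolled;", min_words("".join(six), set(table.values())),
          "words suffice for an attacker once the spaces are dropped")
```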
Principles for Stronger Passwords
Users should read Wikipedia: Weak Passwords to learn about better practices for generating strong passwords, and to determine if current passwords are weak. The general principles for stronger passwords are outlined below.
Content and Length
- Avoid Dictionary-based Passwords: It is unsafe to use passwords that are dependent on dictionary words, keyboard patterns, special letter or number sequences, usernames, phrases from anything read or seen, relative or pet names, biographical information, or persons known to the user.
- Avoid Short Passwords: Passwords should not be shorter than 12-14 characters in length; longer passwords are exponentially more difficult to crack than shorter ones.
- Generate True Password Randomness: Random passwords require the use of specialized tools like diceware. The human brain is poor at creating passwords which are both easy to memorize and also secure.
- Online Services vs FDE: Passwords used for online services do not need to be extremely long, since the server rate-limits how many passwords an attacker can attempt. However, passwords used for offline encryption such as full disk encryption should be far stronger, since the threat model is different. An attacker can parallelize brute-forcing the password and is only limited by available system resources. Edward Snowden estimated in 2013 that serious adversaries are capable of one trillion guesses per second. 
- Password Variety: If the user is not relying on diceware passwords, then include upper and lower case characters, special characters, digits, spaces, underscores and brackets.
- Avoid Personal Information: Any information that might be publicly linked to the user or the user's account, or which is known by friends or acquaintances, should never be used for passwords.
- Avoid SMS-based Two-factor Authentication: Contrary to conventional wisdom, SMS-based 2FA gives away a user's identity, and also makes it easier for third parties to break into an account; for example, by performing SIM cloning or conducting social engineering attacks on the cellular provider.
- Do not Re-use Passwords: Even slight variations of a password allow the linking of multiple identities back to an individual. Attackers can use these discoveries to make templates which do not completely rely on brute-force attacks.
- Never Use Online Password Generators: These tools are only useful for satisfying curiosity or additional learning, since it is possible for the server to log the passwords. The only place where passwords should be generated is locally, and ideally by using physical measures (like dice) or via software in a VM disconnected from the Internet.
- Password Managers: Consider using a secure password manager, so hundreds of different passwords can be kept stored in an encrypted password database. Access only requires one master password, which should be cryptographically strong to protect the contents.
- Physical Records: If passwords are written down, they should be stored securely and not be left in obvious places.
Footnotes
- The list has also been improved so the words are easier to memorize, and vulgar, profane, insulting or emotionally-charged words have been removed.
- One trillion guesses per second.
- Safe until at least the year 2050.
- Assuming Grover's algorithm halves the number of iterations required to brute-force a key. This means doubling the length of symmetric keys to protect against future (hypothetical) quantum attacks.
- As is the case for full disk encryption.
- Community wiki contributions outlining this technique are welcome.
- Admittedly infection is a low probability scenario, particularly if a fresh VM was created solely for this purpose.
- Board dice typically favor rolls of 4, 5, and 6 because excess material has been drilled from those sides and they have not been properly counterbalanced. Crooked dice also have asymmetrical edges, uneven weight, non-parallel sides, or vary in smoothness.
- The consequence is that selecting a word from the diceware list takes 13 coin tosses, instead of 5 dice rolls.