Hash and Roll Your Way To Secure Passwords

In the electronic battlefield that is 2019, the realm of password security is fraught with dangers. Websites from companies big and small leak like sieves, storing user data in completely unsecure ways. Just about the worst thing you can do is use the same password across several services, meaning that an attack on one gives entry to multiple accounts. The challenge is to generate a unique and secure password for each and every application, and [Ilia]’s way of doing that is called HashDice.

No, it’s not a password manager, or an app – it’s a simple method that can be readily applied by anyone with the right tools. A simple dice is used to create random numbers, which are used to select words from a list to form the basic secret phrase. This is then combined with the name of the service or application to be accessed, the date, and a salt, before hashing using the SHA256 algorithm. The final hash is then truncated to create the password. You can do it all on a device that’s airgapped from the world, ensuring your core secret is never exposed, thus maintaining security.

There are some pitfalls to this method, of course. Many websites make things harder by requiring special characters or enforcing length limits on passwords. [Ilia] helpfully suggests several workarounds for this, but admits that no system is perfect in the face of these obstacles.

If you’re now wondering if your current password is safe, there are ways to investigate that, too.


17 thoughts on “Hash and Roll Your Way To Secure Passwords

  1. Hmmm sure it gives you a different password for every service, but you need to then remember the name of the service and how you set it up. For example, my PSN account – did I set it up via playstation.com, sony.com, playstationnetwork.com, or any other of the numerous other sites you may of done it by?

    If the answer to that problem is ‘use a password manager then’ – well, then you might as well use the random password generation they offer (as long as it is random) and then you’ve removed any possiblity of anyone ever reverse engineering your password from one service, into another

    In essence, keep it simple.

    1. My reply got filtered by this is dreadful given most services name are about 8 chars long this offers about 13 bits of entropy.

      that’s a joke when you factor in how inconvenient it is.

  2. Very similar to diceware – a random password technology (from 1995) that doesn’t even require a computer. I use it to generate password manager master passwords or ones we need to circulate at work.

  3. It is beyond me how this is in any way superior to KeePass, LastPass or the Mooltipass? In fact the link suggests this isn’t useful for passwords you need often. You know like your google account password (keys to most peoples castle).

    Using this method I would conceivably end up with:

    “A&” + SHA256(“twitter 2019 monkey”)

    “A&” + SHA256(“facebook 2019 monkey”)

    “A&” + SHA256(“gbatemp 2019 monkey”)

    So password entropy is in fact about 13 bits???

    This boils down to “my dumb, inconvenient, security through obscurity way” to make passwords that outwardly look random.

    All to avoid using a blooming password manager!

  4. Funny, I was just wondering last night (after being confronted by a website requiring special characters but not counting ‘.’ as special shortly after encountering another website that required special characters but entirely prohibiting ‘”$#%\ (anything that would need escaping for SQL or PHP it looked like)) and found myself wishing there was a uniform standard for password requirements so that an algorithm like this could be used without any gruesome workarounds.

    I get the sense that sites tweak their password requirements to force users to use a unique password _there_ even if they use a common password elsewhere. In reality I can only remember about three passwords with any reliability so when confronted with things that force me to make an account to download something or whatever I just make a throwaway account, get the thing, and forget about it. For things where I may one day wish to return (or have to for some stupid reason) I just use the “forgot password” link.

    There is a category of site which, when its security procedures become excessively burdensome (required additional security questions or links to a real address or phone number or any other personally identifying information or means of contact, or the need to interact with a human), is just no longer worth visiting at all. The question here is “why have an account mechanism at all?”. In many cases the creation of accounts is not beneficial to the user and works only as a way to link information gathered there with an existing ad network identity to increase its value for targeted advertising (one could argue that this benefits the user indirectly by funding the site, but I’d rather pay up front and openly than be surreptitiously milked for monetizable information).

      1. any password is about as secure as a 5 dollar wrench, or some really good drugs (or alcohol) and time. Getting peoples numbers at bars/raves is so 2012, now i go for the passwords.

  5. When the agency I work for required special characters and numbers and increased the minimum length of passwords to 12 from 8, I did a face palm. Almost everybody writes them down now even though it is against policy. The users get training every year about the policy, but still get locked out and say, “I know my password is right because I wrote it down {face palm}.” It is a BIG step backward in security. Most people will NOT put the effort into remembering a “good” password.

    1. I totally agree with you. This is where passphrases come in handy. It is easy to naturally mix in upper, lower, numbers and a few special chars and something you will actually remember. It annoys the hell out of me when a place requires a complex grouping but only allows you like 12 of them for the actual password.

  6. Ah. Some weeks ago, I’ve talked about using such a similar system with someone over IRC, except considerably worse in that I was actually using SHA-*1*. That’s obviously something I’ll want to switch away from, and the person I was talking to also made the point stated above that it’s in many ways less secure than a password manager. The main thing is that I thought hashes were somehow less vulnerable to certain classes of attack where an attacker has both the encrypted and unencrypted versions of at least one password, but I’ve since been told that it’s actually easier to derive the password from a collection of hashes and secrets. Also, it seems that relying on potential collisions with other passwords, which is the mechanism I was thinking would thwart the above attack, is itself actually a huge liability.

    So yeah, this isn’t a system I think I would recommend now, and one I plan to phase out in my own use. Apologies to anyone who has ever spread my bad ideas and/or taken the blame for them, I’m sure there’s more where that one came from. Anyway, before using this system, I was making my passwords directly with Diceware, which produces passwords generally in line with the XKCD comic recommendation. That’s something I’ll want to go back to for at least more crucial passwords.

    On that note: Something I’ve been doing to help remember Diceware/XKCD style passwords is to make them six words long, then remember them as both a sequence of three word pairs and as a sequence of two word triplets. The trick here is, it’s easier to remember those small chunks than an entire password, and by having them overlap this way, the end of each chunk is the start of another, which helps jog my memory of the rest of that chunk, giving me the start of the next. Seeing how well this works for longer passwords is something I should have been trying out over a year ago. If that works out, maybe it’s what I’ll use for getting into Keypass.

  7. I have tried and tried and tried to get my family, friends, and clients to:
    1) Use unique passwords
    2) Use a password manager
    I have explained to them repeatedly why this is so important and the consequences of not doing it.
    At absolute *BEST*, they will keep their passwords in a plain, un-encrypted notes file where anyone who gains access to their computer or phone can find them.
    At one of my clients (A big financial firm with millions in assets) everyone keeps their passwords on a post-it note under their keyboard!
    In one ear and out the other. I just cannot convince any non-geek to do it. No wonder identity theft is such a big problem.

    1. “In one ear and out the other. I just cannot convince any non-geek to do it. ”

      Because it’s a pain in the ass is why.

      Users route around obstructions. This is one thing they’re VERY good at.

      Make password policies more stringent, they route around it and write it on sticky notes. Implement hugely complicated schemes to restrict data access, they route around it and use Dropbox instead.

      Make it easier to manage than writing it down on a sticky note or in some file on their computer and you’ll get them to use it. And very few password managers do that; Apple’s iCloud Keychain comes closest, imo, so long as you’re in that garden.

      The latest version of Safari on both OS X and IOS no longer even display the password they generate, and so long as the website isn’t doing cutesy tricks like doing account setup in a different domain than their normal one, everything pretty much just works.

      For an example of how NOT to do it: look at the documentation for Keepass:

      “. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish). ”

      Let me translate to end user:

      “blah blah blah Wah wah wah computer gobbldegook. I ain’t got time for this bullshit”.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.