Comments (1)
Dice makes looking up words in a wordlist easier for the purpose of generating passphrases.
What makes one wordlist different from another?
This matters when the wordlist in use is not the one you think (whether it is a mistake, an intentional alteration, or the code is manipulating the words in a mistaken or mischievous way).
What characterizes a wordlist is:
- memorability: how easy it is for you to remember the passphrases generated using that wordlist
- average entropy per word (a.k.a. "randomness"): how random the passphrases generated using that wordlist are. The higher the average entropy per word, the shorter you can make your passphrases for a given (average) security level. (That in turn tends to make them easier to remember.)
Risks: using a program that doesn't accurately return the words from your chosen wordlist may result in your passwords being (on average) weaker than you expect.
Note that there is no need for a tool to look up the words in the wordlist! You could print the list and read them without any computer at all.
That is why, personally, I consider that this risk is not worth it. It is a personal choice, based on the fact that I only use this method to generate the few passphrases that I need to remember or type regularly (e.g. WiFi passphrase). Dice saves me time, but I wouldn't use it if I couldn't review it to make sure it works as I expect. And that is what makes me state that, in my opinion:
Nobody should use dice unless they understand its code.
Seriously I don't think it is worth the risk. 🙂
(That also probably explains why the EFF published wordlists without any such tool to look them up.)
Does that mean nothing matters?
Absolutely not! I'm quite happy I wrote Dice, I've used it and it's made my day once. But it means that making Dice easy to review is the only way I can ethically recommend it to people. It also means that this disclaimer should probably be in the README. 😋
Making code easy to review is not a bad goal when learning a language. And as it is now, Dice can be made a lot clearer.
Also, finding ways to distribute a tiny tool that preserves the level of trust that the code review established is worth figuring out, I think. I haven't done it before (I don't sign the releases of my other packages, for example), and I am keen on seeing if it would bring any value in this case.
That's for my security thoughts!
from dice.