
Comments (1)

gonzalo-bulnes commented on July 22, 2024

Dice makes looking up words in a wordlist easier for the purpose of generating passphrases.

What makes one wordlist different from another?

This matters when the wordlist in use is not the one you think (whether it is a mistake, an intentional alteration, or the code is manipulating the words in a mistaken or mischievous way).

What characterizes a wordlist is:

  • memorability: how easy it is for you to remember the passphrases generated using that wordlist
  • average entropy per word (a.k.a. "randomness"): how random the passphrases generated using that wordlist are. The higher the average entropy per word, the shorter you can make your passphrases for a given (average) security level. (That in turn tends to make them easier to remember.)

Risks: using a program that doesn't accurately return the words from your chosen wordlist may result in your passwords being (on average) weaker than you expect.

Note that there is no need for a tool to look up the words in the wordlist! You could print the list and read them without any computer at all.

That is why, personally, I consider this risk not worth it. It is a personal choice, based on the fact that I only use this method to generate the few passphrases that I need to remember or type regularly (e.g. WiFi passphrase). Dice saves me time, but I wouldn't use it if I couldn't review it to make sure it works as I expect. And that is what makes me state that, in my opinion:

Nobody should use dice unless they understand its code.

Seriously I don't think it is worth the risk. 🙂
(That also probably explains why the EFF published wordlists without any such tool to look them up.)

Does that mean nothing matters?

Absolutely not! I'm quite happy I wrote Dice, I've used it and it's made my day once. But it means that making Dice easy to review is the only way I can ethically recommend it to people. It also means that this disclaimer should probably be in the README. 😋

Making code easy to review is not a bad goal when learning a language. And as it is now, Dice can be made a lot clearer.

Also, finding ways to distribute a tiny tool that preserves the level of trust that the code review established is worth figuring out, I think. I haven't done it before (I don't sign the releases of my other packages, for example), and I am keen on seeing if it would bring any value in this case.

That's for my security thoughts!

from dice.
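The comment above ties passphrase strength to the average entropy per word and warns that a lookup tool which mangles or mis-indexes the wordlist silently lowers that entropy. The following is an added example, not code from the Dice project, showing how a reviewer can measure both things: it computes the bits contributed by one uniformly chosen word (only distinct entries count), converts a target strength into a word count, and performs the dice-roll-to-word lookup with the consistency checks a correct tool must pass. The wordlist, the four-sided-die convention and the function names are constructed for illustration; a real Diceware-style list has 6**5 = 7776 entries.

```python
"""Measuring a wordlist's entropy per word and checking a dice lookup.

Added example (not part of the Dice project). The 16-word list below is
constructed for illustration and indexed by two rolls of a 4-sided die
(4**2 = 16 entries), so it yields exactly 4 bits per word.
"""
import math
from collections import Counter

# Constructed toy wordlist: 16 distinct entries -> log2(16) = 4 bits/word.
TOY_WORDLIST = [
    "acid", "acorn", "acre", "actor", "adult", "after", "again", "agent",
    "album", "alert", "alien", "allow", "alone", "alpha", "alter", "amber",
]

# Same list with one entry accidentally repeated: only 15 distinct words,
# so a passphrase built from it carries less entropy than the tool claims.
TOY_WORDLIST_WITH_DUPLICATE = TOY_WORDLIST[:-1] + ["acid"]


def entropy_per_word(words):
    """Bits contributed by one word drawn uniformly from the list.

    Duplicated entries shrink the effective list, so only distinct
    words are counted. A list with fewer than two distinct words
    contributes nothing.
    """
    distinct = len(set(words))
    return math.log2(distinct) if distinct >= 2 else 0.0


def duplicate_entries(words):
    """Words that appear more than once (a defect a reviewer should flag)."""
    return sorted(w for w, n in Counter(words).items() if n > 1)


def words_needed(target_bits, bits_per_word):
    """Smallest number of words whose combined entropy reaches target_bits."""
    if bits_per_word <= 0:
        raise ValueError("wordlist contributes no entropy")
    return math.ceil(target_bits / bits_per_word)


def check_wordlist(words, sides, rolls_per_word):
    """Consistency checks a dice lookup tool relies on.

    Returns a list of human-readable problems; empty means the list is
    usable as-is with `lookup` below.
    """
    problems = []
    expected = sides ** rolls_per_word
    if len(words) != expected:
        problems.append(f"expected {expected} entries, found {len(words)}")
    dupes = duplicate_entries(words)
    if dupes:
        problems.append(f"duplicate entries: {dupes}")
    if any(w != w.strip() or not w for w in words):
        problems.append("entries with surrounding whitespace or empty entries")
    return problems


def lookup(words, rolls, sides=6):
    """Map a sequence of die rolls (1..sides each) to one word.

    Rolls are read as a base-`sides` number, most significant roll first,
    exactly as a printed Diceware table is read. Any roll outside 1..sides
    or a list of the wrong length is an error rather than a silent fallback:
    falling back to a default word is precisely the kind of bug that makes
    some words far more likely than others.
    """
    if len(words) != sides ** len(rolls):
        raise ValueError("wordlist length does not match dice configuration")
    index = 0
    for r in rolls:
        if not 1 <= r <= sides:
            raise ValueError(f"roll {r} outside 1..{sides}")
        index = index * sides + (r - 1)
    return words[index]


if __name__ == "__main__":
    print("problems:", check_wordlist(TOY_WORDLIST, sides=4, rolls_per_word=2))
    print("bits/word:", entropy_per_word(TOY_WORDLIST))
    print("bits/word with duplicate:", entropy_per_word(TOY_WORDLIST_WITH_DUPLICATE))
    print("words for 77 bits (7776-word list):",
          words_needed(77, math.log2(7776)))
    print("rolls (2, 3) ->", lookup(TOY_WORDLIST, (2, 3), sides=4))
```

For a real 7776-word list the same arithmetic gives about 12.9 bits per word, so six words reach the 77-bit level; the point of `check_wordlist` is that a reviewer can confirm the list the tool actually loaded is the one they think it is before trusting that number.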
