You can now buy a super secure password for $2, from an 11-year-old in NYC

dkpope

Staff

Afraid your password is lackluster but too lazy to make one yourself? A sixth grader in New York City will mail you a cryptographically secure password for $2.

Earlier in October, Mira Modi, 11, launched dicewarepasswords.com, where she creates six-word Diceware passphrases by hand. You could make one yourself; you just need a real six-sided die and access to the list of English words that correspond to the dice numbers. The words are strung together six at a time ("ample banal bias delta gist latex") into a passphrase that is truly random and hard to crack, yet easy enough to memorize. The method has been around for decades.
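The following is an added example, not code from the article or from dicewarepasswords.com. It shows the Diceware mechanics the paragraph describes: five dice rolls select one word from a list of 6^5 = 7776 entries, and six such words make the passphrase. The real Diceware list is not reproduced on this page, so the example uses a constructed placeholder list of numbered tokens; the index mapping and the entropy arithmetic are the same for the real list. It also computes the size of the search space an attacker faces when the word list is known (Diceware's design assumes the list is public, so its strength comes only from the dice), alongside the search space of an 8-character password drawn from the 95 printable ASCII characters for comparison.

```python
import math
import secrets

# Constructed stand-in for the Diceware word list. The real list has 7776 entries,
# one per five-dice outcome; this placeholder only numbers them so the code runs offline.
WORDLIST_SIZE = 6 ** 5
WORDLIST = [f"word{i:04d}" for i in range(WORDLIST_SIZE)]

# 95 printable ASCII characters (letters, digits, punctuation, space).
PRINTABLE_ASCII = 95


def roll_die() -> int:
    """One cryptographically secure roll of a six-sided die, returning 1..6."""
    return secrets.randbelow(6) + 1


def rolls_to_index(rolls) -> int:
    """Map five dice values to a list position.

    Diceware reads the five rolls as a base-6 number: 11111 is the first
    word (index 0) and 66666 is the last (index 7775).
    """
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five values in the range 1..6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index


def diceware_passphrase(num_words: int = 6, wordlist=WORDLIST) -> str:
    """Generate a passphrase by rolling five dice per word."""
    words = []
    for _ in range(num_words):
        rolls = [roll_die() for _ in range(5)]
        words.append(wordlist[rolls_to_index(rolls)])
    return " ".join(words)


def keyspace(num_words: int, wordlist_size: int = WORDLIST_SIZE) -> int:
    """Number of candidates an attacker who knows the list must try: size^words."""
    return wordlist_size ** num_words


def passphrase_entropy_bits(num_words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy of a Diceware passphrase in bits: words * log2(list size)."""
    return num_words * math.log2(wordlist_size)


def charset_entropy_bits(length: int, charset_size: int = PRINTABLE_ASCII) -> float:
    """Entropy of a uniformly random password of `length` symbols from `charset_size`."""
    return length * math.log2(charset_size)


if __name__ == "__main__":
    print("passphrase:", diceware_passphrase())
    print(f"6 Diceware words: {passphrase_entropy_bits(6):.1f} bits, "
          f"{keyspace(6):.3e} candidates with the list known")
    print(f"8 random printable ASCII chars: {charset_entropy_bits(8):.1f} bits")
```

The comparison is the point worth remembering: six words from a public 7776-entry list give about 77.5 bits, while eight fully random printable characters give about 52.6 bits, so knowing the list does not help an attacker more than knowing the character set helps against a conventional password. Generating the words with `secrets` here stands in for physical dice; a plain `random` call would not be suitable.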

Modi told Ars Technica that her friends may not understand her hobby, but she thinks secure passwords are interesting. And it didn’t come out of nowhere: Modi’s mother is Julia Angwin, a journalist at ProPublica and author of Dragnet Nation, a book that covers privacy, security and surveillance.

It was helping her mom with research for the book that got Modi thinking about a password business. At first she sold passwords in-person but switched to a website to boost sales.

Of course, the most secure option is to create your Diceware passphrase privately, and there is the slight chance Modi is selling your password to you and someone else. But forget the paranoia, embrace the opportunity to get a strong password, and support a kid's 21st century lemonade stand.


 
Best way:

Write your own short story, number all words longer than 4 letters from 1 to 6, get a die, and roll 6 times.

Memorize the password, destroy the short story.
 
The problem with this method is that it uses a dice and a set list of words. If the list of words is known, all a cracking program has to do is try every word combination on that list. This is much simpler than trying every combination of every letter, number, and punctuation mark.

The only thing that gives this method any sort of security is that it isn't popular. It will never become popular because one could easily program an algorithm to find the password in much less time than conventional ones. Saying it's more secure than current passwords is a misnomer and it's really only a matter of obscurity.

If you really want to create a secure password, don't use any logical system to determine it. As it turns out, computers are rather good at figuring out logic.
 
Good thinking from this kid, except she holds the master, and who knows at what age she will decide to sell it off for profit; heck, she's already trying to make money off lazy people who can't come up with their own secure passwords. I personally create a pattern with the keyboard, alphanumeric and case sensitive. Without a keyboard it makes no sense, and without my brain you won't know the pattern, so I will stick to my method personally. The only issue I have is with non-standard keyboards; I tend to get mixed up due to the nature of my password.
 
The problem with this method is that it uses a dice and a set list of words. If the list of words is known, all a cracking program has to do is try every word combination on that list. This is much simpler than trying every combination of every letter, number, and punctuation mark.

The only thing that gives this method any sort of security is that it isn't popular. It will never become popular because one could easily program an algorithm to find the password in much less time than conventional ones. Saying it's more secure than current passwords is a misnomer and it's really only a matter of obscurity.

If you really want to create a secure password, don't use any logical system to determine it. As it turns out, computers are rather good at figuring out logic.
Absolutely agreed. I would not support this because the kid just is not secure enough. Interestingly, there was a story about secure passwords that is essentially what my wife and I have been doing for years ... use random poetry.
 
Yes, but who is going to know you used the list to create your password? This method is more secure than the ones listed on the "http://www.bmyers.com/public/1958.cfm" page.

They don't need to know you used diceware to create your password. The hacker would simply use the diceware word list in a dictionary attack. Seeing as it would take a fraction of the time to run compared to a full dictionary attack, a hacker would start with the diceware dictionary first. The more people that adopt the diceware system, the more hackers will do this.

Absolutely agreed. I would not support this because the kid just is not secure enough. Interestingly, there was a story about secure passwords that is essentially what my wife and I have been doing for years ... use random poetry.

That's a pretty cool method. I myself just make up random letters, numbers, or punctuation marks of 8 characters. I'll usually ask another person or a random generator to come up with 1 or 2 of the characters in that password. I know that if I created a password using any one system, its weakness would be just that.
 
You have to give her credit for the business aspect of it. And I give her credit for wanting to help people.

Now, I don't mean to be rude or anything to this girl, but I disagree with this service. While I don't think much serious harm will come to it, it has the following flaws:

1) From a security perspective, this only looks at one aspect of password cracking: Brute force attacks. There are far more efficient ways to attempt to gain a password, from keyloggers to dictionary attacks.

2) She creates a false sense of security to those who don't know any better (they're going to get these passwords and think "Oh, my stuff is completely secure now!"). I don't blame her for this, I'm just saying that's the effect. As always, the best protection against hacking and other security threats is educating yourself.

3) This is made inherently less secure based on the fact that these passwords not only are generated by her, but pass through other hands via snailmail, before ending up at their final destination.


All that being said, she's actually on the right path, but the security could be improved in the actual password via padding.

Passwords neither have to be random (as in, random from a computer or dice), nor do they have to be hard to remember. If you want to come up with secure passwords which are easy to remember, try these steps instead of paying someone:

1) Come up with a unique phrase. It can use dictionary words, doesn't matter. For instance: "Large Donkies Don't Bike"

2) Come up with a pattern of special characters and numbers you can remember, say: $$5% and then pad the previous phrase with that, so you have a password: "$$5%Large Donkies Don't Bike$$5%" - you now have a 32 character password, with special characters, numbers, caps, spaces, and punctuation. These are great passwords for use in things like KeePass to protect your other passwords. I recommend using an application such as KeePass over something like 1password because KeePass is local only, no online servers you have to worry about.

3) Optionally, if you can't use a password that long, or simply don't want to, use the abbreviations in a case-sensitive pattern you'll remember: "$$5%LDDb$$5%" - still 12 characters, containing special characters, numbers, upper and lower case letters, and no dictionary words.

I personally keep my KeePass database secured with a 50+ character long padded password, and it's as easy to remember as it was when I made it years ago. No one knows the phrase, and no one knows the pad.
Keep the pattern and phrase secret, even if you use abbreviations. I would highly recommend using two-factor authentication where you can to protect important things. I would also recommend using this method to come up with a secure master password to protect your other passwords in a service such as KeePass or 1password (I don't recommend 1password, simply because it's a third-party service that your passwords get stored on. That being said, I'm not saying it's bad.)

And as I said before, lack of ignorance is going to be your best bet in security. Even this method can easily be rendered useless using keyloggers. And, quite frankly, if you're holding something important enough and your attacker lacks morals: there's always rubber hose cryptography.

Anyway, sorry for the long post, maybe it will help someone out.
 