
Personal Experience: Part 6 – Passphrases

This is a post in a series describing a personal experience from learning about the DNMs to becoming a vendor. All the parts of this series are available here: ExperienceTag

Everyone knows the importance of having a secure password for your user accounts. Everyone probably also knows the importance of having a different password for each place you need one. They can be hard to remember, though, and often, at least for me, I end up using the same password across many different accounts and applications. In my exploration of the Darknet I have come across the need for passphrases to encrypt certain data. A passphrase is longer than a password and is used in slightly different ways: it is a longer, easier-to-remember phrase rather than a short string of characters. Encryption needs a strong passphrase to effectively protect your data. PGP, TAILS persistent volumes, and Bitcoin wallets can all employ passphrases to keep your data safe.

Passphrases are different from the passwords we are all familiar with. Passphrases combine numbers and words into an easy-to-remember phrase that is hard to crack. By using a nonsense phrase with a good number of words in it, users can secure their encrypted information or user accounts. One instance where you need a strong passphrase is encrypting the persistent volume on a TAILS thumbdrive. You can set up an encrypted volume on the thumbdrive that holds information you want to persist across TAILS sessions, like email account information and PGP keys, so that you don't have to enter it every time you boot TAILS. With a strong passphrase your information remains secure and your anonymity is protected.

There is no shortage of technical documentation online about passphrases, but much of it is not directed towards the layperson. Cryptography and passphrases come with complex jargon, including words like entropy, upper and lower bounds, logarithm, and many more. Mathematical equations can be used to calculate the security of any given passphrase. The technical information that surrounds passphrases can be intimidating, but there is a simple method that guarantees secure passphrases.

Diceware is a website with instructions and tools for creating a secure passphrase. The site provides a list of words you can download. Words we use daily and weekly are more common and therefore more easily cracked. The Diceware list gets around this by using uncommon words, and by drawing from the wordlist you aren't choosing a phrase or set of words specific to you. Diceware makes it much easier for the user to create a secure passphrase that is difficult to crack or guess. Each word on the Diceware list has a corresponding number. You roll dice and pick the words matching the numbers you rolled. The method is easy and takes hardly any time at all. That the whole thing works offline is another important point: by downloading and backing up the word list, you can be sure your copy hasn't been tampered with. Rolling actual dice means that, as long as you make sure no one is watching you roll, your passphrase is going to be secure.

I walked down to my neighborhood bodega and bought some cheap six-sided dice. With a printed version of the Diceware word list in hand, I made my rolls and created my passphrase. For added security I chose to insert a random character into my passphrase between each word. Using a table of random characters, also obtained from the Diceware page, I added an extra two rolls for each word to find a character in the special characters table.
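The procedure from the last two paragraphs as code: five rolls of a fair die pick one word from the 7776-entry list, two extra rolls pick a character from a 6x6 table, and the entropy that the jargon-heavy documentation talks about falls out of those two numbers. This is an added example, not code from the post or from the Diceware site; the word list and the character table below are constructed placeholders, and `secrets.randbelow` stands in for the physical dice.

```python
# Added example (not part of the original post): the Diceware procedure in code.
import math
import secrets

LIST_SIZE = 6 ** 5        # 7776 keys, 11111 .. 66666, one word each
SPECIALS_SIZE = 6 * 6     # 36 entries in the two-roll character table

# Constructed 6x6 stand-in for the special-character table; in practice use
# the table from your own downloaded copy of the Diceware page.
SPECIALS = ["~!#$%^", "&*()-=", "+[]\\{}", ":;\"'<>", "?/0123", "456789"]

def parse_wordlist(text):
    """Parse lines of the form '<five digits> <word>' into a key -> word dict."""
    words = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 5 and parts[0].isdigit():
            words[parts[0]] = parts[1]
    return words

def roll_die():
    """One fair six-sided die, drawn from the OS CSPRNG instead of real dice."""
    return secrets.randbelow(6) + 1

def pick_word(wordlist, die=roll_die):
    """Five rolls form a key such as '43621'; every key must exist in the list."""
    key = "".join(str(die()) for _ in range(5))
    if key not in wordlist:
        raise KeyError(f"key {key} missing: the list must cover all 7776 keys")
    return wordlist[key]

def pick_special(die=roll_die):
    """Two extra rolls, as in the post: first picks the row, second the column."""
    row, col = die(), die()
    return SPECIALS[row - 1][col - 1]

def make_passphrase(wordlist, n_words, with_specials=False, die=roll_die):
    """Roll n_words words; optionally put one random character between words."""
    words = [pick_word(wordlist, die) for _ in range(n_words)]
    if not with_specials:
        return " ".join(words)
    out = [words[0]]
    for word in words[1:]:
        out.append(pick_special(die))
        out.append(word)
    return "".join(out)

def entropy_bits(n_words, n_specials=0):
    """Guessing entropy when the attacker knows the method: log2(7776) ~ 12.9 bits
    per word plus log2(36) ~ 5.2 bits per special character."""
    return n_words * math.log2(LIST_SIZE) + n_specials * math.log2(SPECIALS_SIZE)
```

The `die` parameter exists so the functions can be fed recorded physical rolls instead of the CSPRNG; six words give about 77.5 bits, and each inserted character adds only about 5.2, so one more word beats several symbols.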

I am going to set up a persistent volume in TAILS so that some of my data is saved across sessions. I'll have my PGP keys, email account information and some personal documents saved so that I don't have to re-enter them every time I start TAILS. The passphrase I created from the Diceware word list will be used to encrypt the persistent volume, protecting sensitive information as well as my anonymity.

4 comments

  1. I can understand why the average grandmother might not be using a password manager, but it still blows my mind that, some twelve years after it was included with every Mac OS install, password managers are not used by everyone with a basic notion of security.
    Instead, those people who do have some interest in security seem willing to jump through all kinds of hoops to make memorable and secure passwords/phrases, rather than employ a simple password manager.
    This normally wouldn’t concern me, but because people are unwilling to do this, and use the same simple passwords over and over, I have to fill out all sorts of secret questions I’ll never need, and set up intrusive two-step verifications. It’s easy enough to give fake answers to these personal questions, (and smarter to do so), but I really don’t want to be handing out my phone number to web sites.
    Please people, let’s let everyone know the benefits of password managers, and encourage their use – for our own sake. In the twelve years I’ve been using one, (Apple’s Keychain), I’ve used Keychain to create a unique and strong password for each account I sign up for, (800+, at this point), and have never had an account compromised. Even if a site is compromised, my password is useless anywhere else. And, I only ever have to remember one strong password.

  2. It also means you aren’t using Tails.
    It means if your system is hacked then they will have access to all of your passwords too.

    • You could easily keep a password manager on your Tails stick, like KeePassX. If nothing else, an encrypted file. You can still use your main password manager to generate and store strong, random passes, and still need to only remember one good one. If you're using Tails, and still memorizing and reusing passwords, all I can say is, you really are rolling the dice.
      As for your system being hacked, with some basic security and a strong password, (130+ entropy), this is a very unlikely scenario, especially without physical access. Even with physical access, if your HD is encrypted with a strong pass, they are going to have their work cut out for them.
      Since I began using a password manager in 2002, and creating strong, unique passwords for each account, I’ve never had an account compromised. I cannot say the same thing about most of my friends.

  3. What's wrong with remembering passwords/phrases, and who said anything about re-using them? You mentioned Apple's keychain. Regardless of how strong your keychain PW is, you are still vulnerable. Keyloggers, for example. Yes, Tails has KeePassX, but it also leaves you more susceptible since it is stored on persistence.
    Generally speaking when you increase convenience you decrease security.
