Passwords are something of a problem. The easy-to-remember ones are also easy for others to figure out, whether through guesswork, phishing or brute-force attacks. This leaves harder-to-remember strings of characters as the most secure passwords you can use, but how does somebody with no special knowledge of cryptography come up with a combination that is both memorable and cryptographically secure?
One 11-year-old girl has the answer, and she’s willing to sell it to you for an extremely reasonable price. Mira Modi, a sixth grader in New York City, started her own small website business, for which she generates random, cryptographically secure passwords via hand-rolled dice rolls and sends them to you via postal mail for US$2 a pop (within the US).
According to a report by Cyrus Farivar in Ars Technica, Modi got into the cryptography game when her mother, an investigative journalist, recruited her to generate passphrases as part of her background research for a book on data privacy.
“This whole concept of making your own passwords and being super secure and stuff, I don’t think my friends understand that, but I think it’s cool,” Modi said.
Modi comes up with her passwords using an established system called Diceware, in which a random sequence of unconnected words is strung together. As Modi explains on her website, she rolls a die five times and writes down each number. Then she looks up that five-digit number in the Diceware word list.
Repeating the process for each word, Modi ends up with a six-word combination that's entirely random and unpredictable, but relatively easy to remember because it's built from ordinary words. She gives an example: 'alger klm curry blond puck horse'.
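The procedure above, written out as an added example (not code from the article or from Modi's site): each word is chosen by five base-6 rolls, so a genuine Diceware list has exactly 6^5 = 7776 entries and every word contributes about 12.9 bits of entropy. The real word list is not embedded here; a constructed stand-in with synthetic words is used, and the operating-system CSPRNG stands in for the physical die.

```python
import math
import secrets
from itertools import product

DIE_ROLLS_PER_WORD = 5                      # a Diceware key is five digits, each 1-6
WORDS_IN_LIST = 6 ** DIE_ROLLS_PER_WORD     # 7776 entries in a complete list
BITS_PER_WORD = math.log2(WORDS_IN_LIST)    # about 12.92 bits of entropy per word


def parse_wordlist(text):
    """Parse a Diceware-format list: one 'NNNNN word' pair per line.

    Lines that are not exactly two fields (blank lines, signature armour
    around a downloaded list) are skipped; malformed keys are rejected,
    and an incomplete list is refused because lookups would then fail.
    """
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        key, word = parts
        if len(key) != DIE_ROLLS_PER_WORD or any(c not in "123456" for c in key):
            raise ValueError(f"bad Diceware key: {key!r}")
        table[key] = word
    if len(table) != WORDS_IN_LIST:
        raise ValueError(f"expected {WORDS_IN_LIST} entries, got {len(table)}")
    return table


def roll_key(rng=secrets.randbelow):
    """Roll the die five times and join the faces into a lookup key.

    rng(6) must return a uniform integer in 0..5; secrets.randbelow does,
    so no modulo bias is introduced.
    """
    return "".join(str(rng(6) + 1) for _ in range(DIE_ROLLS_PER_WORD))


def diceware_passphrase(table, n_words=6, rng=secrets.randbelow):
    """Repeat the roll-and-look-up step once per word, as Modi does."""
    return [table[roll_key(rng)] for _ in range(n_words)]


def passphrase_entropy_bits(n_words):
    """Entropy of an n-word passphrase drawn uniformly from a full list."""
    return n_words * BITS_PER_WORD


# Constructed stand-in for the real list: every key maps to a synthetic word.
SYNTHETIC_LIST = "\n".join(f"{''.join(k)} w{''.join(k)}" for k in product("123456", repeat=5))
```

Six words come to roughly 77.5 bits; the function makes it easy to see how each extra word adds the same 12.9 bits referred to in the length guidance that follows.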
Reinhold, Diceware's creator, gives this guidance on passphrase length: "Five words are breakable with a thousand or so PCs equipped with high-end graphics processors. (Criminal gangs with botnets of infected PCs can marshal such resources.) Six words may be breakable by an organisation with a very large budget, such as a large country's security agency. Seven words and longer are unbreakable with any known technology, but may be within the range of large organisations by around 2030. Eight words should be completely secure through 2050."
Of course, the exact arrival time of quantum computers may change this timeline a little, but it’s probably fair to use for now as a rough guide.
And Reinhold himself was suitably impressed when he became aware of Modi’s Diceware website. “I am tickled to hear this, and no, I haven’t heard of anything like it before,” he told Farivar at Ars Technica. “Obviously, from a security perspective it is much better to generate your own Diceware passphrase in private, but it is unlikely she is working for the bad guys, and any effort to publicise the importance of strong passwords is for the good… I wish her well.”