Personal Experience: Part 6 – Passphrases

3 minute read

Posted by: Joseph Meehan

December 26, 2014

This a post in series of posts describing a personal experience from learning about the DNM’s to becoming a vendor – all the parts of this series will be available to here: ExperienceTag

Everyone knows the importance of having a secure password for your user accounts. Everyone probably also knows the importance of having different passwords for all of your password needs. They can be hard to remember though and oftentimes, at least for me, I end up just using the same password across many different accounts and applications. In my exploration of the Darknet I have come across the need for passphrases to encrypt certain data. A passphrase is longer than a password and is used in slightly different ways. It uses a longer, easier to remember phrase than a short password. Encryption needs a strong passphrase to effectively protect your data. PGP, TAILS persistent volumes, and Bitcoin wallets can all employ passphrases to keep your data safe.

Passphrases are different from the passwords we are all familiar with. Passphrases combine the use of numbers and words that form an easy-to-remember phrase that is hard to crack. By using a nonsense phrase with a good number of words in it users can secure their encrypted information or user accounts. One instance when you need a strong passphrase is encrypting your persistent volume on a TAILS thumbdrive. You can set up an encrypted volume on the thumbdrive that will hold information you want to persist throughout TAILS sessions – like email account information and PGP keys. Information you don’t want to enter every time you boot up TAILS. With a strong passphrase your information remains secure and your anonymity is protected.

There is no shortage of technical documentation online about passphrases, but much of it is not directed towards the layperson. There is a complex jargon that goes along with cryptography and passphrases, including words like entropy, upper and lower bound, logarithim, and many more. Mathematical equations can be used to calculate the security of any given passphrase. The technical information that surrounds passphrases can be intimidating, but there is a simple method that guarantees secure passphrases.

Diceware is a website with instructions and tools for creating a secure passphrase. The site provides a list of words you can download. Words we use daily and weekly are more common and more easily cracked. The Diceware list gets around this by using uncommon words, and by using the wordlist you aren’t choosing a phrase or set of words specific to you. Diceware makes it much easier on the user to create a secure password that is difficult to crack or guess. Each word on the Diceware list has a corresponding number. You roll dice and pick the corresponding words. The formula is easy and takes hardly any time at all. The offline accessibility of the whole thing is another important point. By downloading and backing up the word list, you can be sure your copy isn’t tampered with. Rolling actual dice means as long as you make sure no one is actively watching you roll the dice your passphrase is going to be secure.

I walked down to my neighborhood bodega and bought some cheap six-sided dice. With a printed version of the Diceware word list in hand, I made my rolls and created my passphrase. For added security I chose insert a random character into my passphrase in between each word. Using a table of random characters also obtained from the Diceware page, I added an extra two rolls for each word to find a character in the random special characters table.

I am going to set up a persistent volume in TAILS so that I can have some of my data saved across sessions. I’ll have my PGP keys, email account information and some personal documents saved so that I don’t have to re-enter every time I start TAILS. The passphrase I created from the Diceware word list will be used to encrypt the persistent volume to protect sensitive information as well as my anonymity.

Updated: 2014-12-26