dicekeys / beta-program

Information for the DiceKeys beta

Suggestion: option to change generated password length #45

Closed fruiz500 closed 3 years ago

fruiz500 commented 3 years ago

Some of the websites I log into with some regularity limit the length of the password to 30 characters or even less. It is rather painful to cut the current DiceKeys app output to conform with this limit, so there should be a way for the app to produce passwords of variable length.

Speaking of which, cutting the current fifteen five-letter word output to 30 characters leaves room for (30 - 3)/6 = 4.5, or actually 4 five-letter words. At 10 bits of entropy per word, that's a measly 40 bits of entropy left, which can be brute-forced easily. One more reason to allow output formats other than the words.

UppaJung commented 3 years ago

Do you envision using a password manager with those websites, or using the DiceKeys app as your password manager and using it with those websites? Our thinking to date has been that you would only generate passwords for password managers, identity providers that also act as password managers (Google, Apple, and Microsoft all store passwords for you with their platforms), and other identity providers (Authy). Those all support long complex passwords.

We had not planned to make the DiceKeys app work for any old website, since that's actually a rather complex task, there are lots of good production options already out there, and some of them are open source and could be easily updated to make a DiceKey-derived secret their root (aka "master") secret.

fruiz500 commented 3 years ago

Aha! I guess I got confused by DiceKey's ability to generate passwords for sites that are not password managers, and to add more to the list. But think about this: if the only password that is going to be generated is the master for a manager, then users only need that one password, which they'll use very frequently and likely they'll be able to remember without needing DiceKeys after the first few times. The app has more value if it can work as a password manager itself, in which case it is important that the length of the output be under users' control.

I ran into a similar set of dilemmas in developing my own SynthPass password synthesizer, which you can see on Github: https://github.com/fruiz500/synthpass/


UppaJung commented 3 years ago

Password managers are big software products with large development teams and lots of issues maintaining compatibility with large numbers of websites. The DiceKeys app works smoothly with a password manager, and we may give you the option to store your DiceKey in secure storage so you don't have to re-enter it. Making the app itself a full-fledged password manager would drastically increase the attack surface. Better to have isolation between your DiceKey and a very small code base that can access it directly, and other security functions like your password manager, 2FA apps (e.g. Authy), and end-to-end encrypted apps (e.g. Signal).
