dmuth / diceware

Generate secure passwords you can actually remember!
https://diceware.dmuth.org/
Apache License 2.0

Increase default number of dice rolls from 4 to 6 #12

Closed atoponce closed 6 years ago

atoponce commented 6 years ago

Diceware provides about 12.92 bits of entropy per word. Best practice for passwords is to reach at least 70 bits of entropy to stay outside of successful clustered offline password cracking.

4 Diceware words: ~51.6 bits
5 Diceware words: ~64.6 bits
6 Diceware words: ~77.5 bits

dmuth commented 6 years ago

Hi!

I agree that more entropy is a good thing; I am trying to think about how to best present it.

I built this app with mobile use in mind, and here's what 6 dice rolls look like on an iPhone 6/7/8:

image

The text spilling off to the right is an issue, and I'm not sure how to best address it. If I do wrapping of the text, that might cause a newline to get into the text when copied, and that would be not good. I could make the text smaller, but that would then impact readability.

That said, UI isn't my strong point. I'm open to suggestions or something that I might have overlooked?

Thanks,

-- Doug

atoponce commented 6 years ago

I haven't tested this, but I think this can be worked around by inserting the zero-width space U+200B. It should wrap normally at that point, but you could also use the CSS word-break rule if needed.

atoponce commented 6 years ago

I just tested, and adding U+200B between the words formats the page correctly, the text is copyable, and everything "looks" good (words wrap), but it yields the following character count:

$ printf 'Dining<200b>Washable<200b>Autograph<200b>Deny<200b>Squad<200b>Yield' | wc -c
52
$ printf 'DiningWashableAutographDenySquadYield' | wc -c
37

Adding &#8203; as the delimiter also adds extra characters between the words in the copy, providing the same problem as "U+200B".

Adding <wbr> between the words doesn't introduce any characters to the client in a copy, as it's been interpreted by the browser, and the words wrap cleanly. But it's not supported by some older browsers, such as IE 6, so you might be making a (very small) compromise there.


atoponce commented 6 years ago

BTW, browser support for <wbr>. I think this is the right way to go.
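
The byte-count difference measured in the printf test above, reproduced as an added example that is not part of the original thread or the diceware code base. It also shows a check that flags invisible code points in a passphrase before it is stored or compared. The function names are hypothetical, and `copiedText` only models the copy behaviour the comment reports; it does not drive a browser.

```javascript
// Added example (not from the diceware project). WORDS is the sample
// passphrase from the thread's printf test.
const WORDS = ['Dining', 'Washable', 'Autograph', 'Deny', 'Squad', 'Yield'];
const ZWSP = '\u200B'; // zero-width space, 3 bytes in UTF-8 (E2 80 8B)

// Bytes a password field would actually receive (what `wc -c` counts).
function utf8Bytes(s) {
  return new TextEncoder().encode(s).length;
}

// Report every invisible "format" code point (Unicode category Cf, which
// includes U+200B, U+200C, U+200D, U+2060 and U+FEFF) with its position.
function findInvisible(s) {
  const hits = [];
  for (const m of s.matchAll(/\p{Cf}/gu)) {
    const cp = m[0].codePointAt(0).toString(16).toUpperCase().padStart(4, '0');
    hits.push({ index: m.index, codePoint: 'U+' + cp });
  }
  return hits;
}

// Remove invisible code points so a pasted passphrase matches the typed one.
function stripInvisible(s) {
  return s.replace(/\p{Cf}/gu, '');
}

// Text a copy yields for each display strategy, as reported in the thread:
// U+200B is a real character in the text and is copied along with the words;
// <wbr> is an element, contributes no text, so the copy is the joined words.
function copiedText(words, strategy) {
  if (strategy === 'zwsp') return words.join(ZWSP);
  if (strategy === 'wbr') return words.join('');
  throw new Error('unknown strategy: ' + strategy);
}

// Summarise what each strategy puts on the clipboard.
function report() {
  return ['zwsp', 'wbr'].map((strategy) => {
    const text = copiedText(WORDS, strategy);
    const invisible = findInvisible(text).length;
    return { strategy, chars: [...text].length, bytes: utf8Bytes(text), invisible };
  });
}

console.table(report());
```

A passphrase copied with the U+200B delimiter and one typed by hand look identical on screen but differ as byte strings, so they would not match at login unless the invisible code points are stripped first.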

dmuth commented 6 years ago

Yep, was definitely the way to go. I was unaware it existed, so thanks for pointing that tag out!

I added tags in the displayed password as well as the formatted number, deployed to https://www.dmuth.org/diceware/, and gave you credit in the newly created CREDITS.md file.

For testing on mobile, I did the following:

So I think we can call this one done. :-) Thanks so much for the PR and the UI suggestion!

-- Doug

atoponce commented 6 years ago

No problem! Glad to help!