dmuth / diceware

Generate secure passwords you can actually remember!
https://diceware.dmuth.org/
Apache License 2.0

Option to include digits #27

Closed madduck closed 2 years ago

madduck commented 2 years ago

An increasing number of websites require digits as fourth character class. It would be grand if diceware could either include digits in the set selectable with -s, or add another option like -s for digits.

dmuth commented 2 years ago

Hi,

That was an intentional design choice of mine--I discourage using numbers in passwords because not only does it not work, but the person who originally came up with that recommendation back in 2003 has since recanted that due to how disastrous having numbers in passwords has been. This led to the NIST updating their guidelines back in 2017 and disrecommending a requirement to have digits in passwords:

https://www.engadget.com/2017-08-08-nist-new-password-guidelines.html
https://pages.nist.gov/800-63-3/sp800-63b.html (Section A.3, if you enjoy reading technical specifications)

If there's a favorite website of yours that is requiring numbers in passwords, feel free to toss the above links in their general direction. Together, we can eliminate senseless password requirements. :-)

-- Doug
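To make the request above concrete, and to put numbers on Doug's objection, here is an added example (not code from dmuth's web app or from any diceware CLI): a Diceware-style generator with an optional trailing digit or special-character class, alongside the entropy arithmetic for each choice. The word list, the special-character set and the function names are assumptions for the sake of the example; the real Diceware list has 7776 = 6^5 words, which is why the entropy figures below use that size.

```python
"""Diceware-style passphrase generation with optional digit/special classes,
plus the entropy arithmetic behind the trade-off discussed in this thread.
Added example; not the project's own code."""
import math
import secrets

# Constructed stand-in word list (assumption). The real Diceware list has
# 7776 = 6**5 words; this tiny list only keeps the example self-contained.
SAMPLE_WORDS = (
    "acid", "bark", "cove", "dune", "elm", "frog", "gust", "haze",
    "iris", "jolt", "kelp", "lava", "moss", "nook", "opal", "pine",
    "quay", "reed", "silt", "tusk", "urn", "vale", "wren", "yarn",
)
DIGITS = "0123456789"
# Assumed special-character set; a "-s"-style option would draw from something like this.
SPECIALS = "!@#$%^&*()-_=+"
DICEWARE_LIST_SIZE = 6 ** 5  # five dice, read as a base-6 number: 0..7775


def make_passphrase(n_words, wordlist=SAMPLE_WORDS, digits=0, specials=0,
                    sep=" ", rng=secrets.randbelow):
    """Pick n_words uniformly from wordlist and append `digits` random digits
    and `specials` random special characters as extra tokens.

    rng(n) must return a uniform integer in [0, n). secrets.randbelow over a
    7776-word list is exactly equivalent to rolling five fair dice; the
    parameter exists so the output can be made deterministic in tests."""
    words = [wordlist[rng(len(wordlist))] for _ in range(n_words)]
    extras = [DIGITS[rng(len(DIGITS))] for _ in range(digits)]
    extras += [SPECIALS[rng(len(SPECIALS))] for _ in range(specials)]
    # The extras are appended at a fixed position (the end) so the phrase stays
    # memorable; the position therefore contributes no entropy of its own.
    return sep.join(words + extras)


def entropy_bits(n_words, list_size=DICEWARE_LIST_SIZE, digits=0, specials=0,
                 special_set_size=len(SPECIALS)):
    """Entropy in bits of a passphrase built by make_passphrase, assuming every
    token is chosen uniformly and independently (which the code above does)."""
    return (n_words * math.log2(list_size)
            + digits * math.log2(len(DIGITS))
            + specials * math.log2(special_set_size))


def compare_policies(base_words=6, list_size=DICEWARE_LIST_SIZE):
    """Bits gained by the two ways of satisfying a 'must contain a digit' rule
    relative to a base_words-word passphrase: appending one digit versus
    simply adding one more word."""
    base = entropy_bits(base_words, list_size)
    return {
        "base_bits": base,
        "plus_one_digit": entropy_bits(base_words, list_size, digits=1) - base,
        "plus_one_word": entropy_bits(base_words + 1, list_size) - base,
    }


if __name__ == "__main__":
    print(make_passphrase(6))                       # words only
    print(make_passphrase(6, digits=1, specials=1))  # satisfies a 4-class rule
    for name, bits in compare_policies().items():
        print(f"{name}: {bits:.2f} bits")
```

Running it shows the arithmetic behind the disagreement: one appended digit is worth log2(10), about 3.3 bits, while one more word from a 7776-word list is worth about 12.9 bits, so a seventh word beats a digit by a wide margin. If a site insists on a digit anyway, appending one costs nothing in memorability and still adds a little entropy; the point is only that the requirement itself buys very little.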

madduck commented 2 years ago

Hey @dmuth, thanks for your reply. I've read over the stuff you linked with interest, and I concur that forcing people to change passwords on a regular basis is nonsense. As if every day, attackers get the current password hashes and fire off a brute force attack that runs for weeks, only to start a new run the next day. And when finally they crack some passwords, those mean users will have changed theirs on a schedule.

From a user perspective, frequent changes mean that people cut corners, and this is I think the gist of what you linked, right?

But there is an important difference between now and then, isn't there? Whereas back then, the recommendation was not to write your password on a Post-It™, nowadays you are supposed to use a password manager, and all of a sudden, none of the above matters anymore: you can generate a new password every day, and not lose track, or get mixed up on the numbers and letters and special characters.

I understand your design choice in the light of the above, however. But then I wonder why you allow for -s. Doesn't this do precisely the thing you're trying to avoid, or is there something inherently bad about numbers that doesn't seem to be a problem with special characters?

PS: have you ever tried to talk to any "favourite website" about their password requirements? Heck, in most cases, the people answering your emails (if at all) don't even know what HTML is…

dmuth commented 2 years ago

> From a user perspective, frequent changes mean that people cut corners, and this is I think the gist of what you linked, right?

Yep, that's kinda what I got out of it. I used to be on a website that required password changes every 90 days, and I'll bet you can guess what the password security was like there.

> But then I wonder why you allow for -s.

Maybe it's because it's after 5 PM on a Friday for me, or I'm just completely missing the reference, but I'm unclear what is meant by -s in this context? When I see -s, my brain immediately goes to the command line, which my Diceware app is not. Please let me know what I might be missing here. :-)

-- Doug

madduck commented 2 years ago

Oh man, I use the diceware command-line tool and I thought you were the maintainer. Obviously my bad. Feel free to close this then. Sorry.

madduck commented 2 years ago

This is the project I was looking for: https://github.com/ulif/diceware

dmuth commented 2 years ago

Oh, no worries! I think I'll work on the README just to make things a little clearer in the future. :-)