[gardenbreak] 0: Get out your dice

February 28, 2016

Gardenbreak is going to be my project of getting off the walled garden bandwagon of Twitter, Facebook, etc. and onto something more effective, hopefully without losing half my friends and news sources in the process. This is going to be a long, slow series of very small pieces. Made longer and slower because I will be playing along myself. I’m aiming for a mix of next-do-this and why-do-that, but with a few mysteries along the way. Note: In general, despite many of the tools involved, this is /not/ about information security. Just communication control.

Plot 0. Identity sunt. Without a walled garden, there is no central authority with claim to determining whether you are you. I’m therefore turning to known means of establishing an identity that is at least internally consistent, if not consistent with external identity, through the use of cryptography. This means signed messages, which means public/private key pairs, which means passphrases.

I’m also handling the many-walled-gardens problem in part through simplifying login management. Which means having a password manager with, you guessed it, a passphrase. Since this will be a recurring theme, the passphrase being the sanest form of human-memorizable private key, it’s worth getting out of the way first. (Not that I didn’t do some of this before, but…)

Step 0. Roll a new character. Get out your dice and a sheet of paper. (No, really.) Perform the Diceware algorithm (http://world.std.com/~reinhold/diceware.html) to get at least three passphrases of seven words each. If you have the time, make seven of them, in case you need more later and don’t feel like re-rolling. But that’s 245d6 so it might take a while. Write them down on physical paper. This is important. Do not write them down on a computer if you can avoid it.

Do NOT run the algorithm 200 times and pick the ones you like. (This was amazingly difficult for me to not do.) Your likes are exactly the factor the algorithm is designed to eliminate from the equation. Thankfully, human psychology being what it is, you will probably eventually come to like whatever it picks. DO, if you think it’ll be fun, use alternative Diceware word lists - there are some fun ones, and lots of languages. It’s a pity they don’t have one in Klingon; that would increase adoption rates quickly.

Put that piece of paper somewhere only you control. Like in your purse, next to your credit cards. Come on, it’s not like losing those would be any better… Actually, since you can’t get your passphrases reissued, it would. Put a second copy somewhere only you control AND you’re not likely to mislay, like where you keep your tax documents. They will probably get lost once or twice anyway. Just don’t write them down digitally on a computer. It’s the internet you’re defending against, not all of humanity.

If you don’t have, dislike, or distrust dice, there is https://www.dmuth.org/diceware/ (which also has links to lots of discussion about how and why to do the Diceware algorithm). I’ve read the code, it operates client-side and sends nothing back, so it should have the same trust level as your browser. Which shouldn’t be very high.

Most adherents to Diceware will decry using a digital generator, and with reason. (See also: Not writing the passphrases down on a computer.) But, and I am going to make this note here since it will need making sooner or later, there WILL be trust gaps in a real-world bootstrap process, because if you already had a trusted process, why would you need to bootstrap? So just do something and keep going. It will still be better than pulling a passphrase out of the shallows of your imagination.

{Gritty bits:

Seven words in Diceware should give you ~90 bits of entropy. Any more than this is a bit needless since there are other, weaker links in your security chain at that point for almost any practical use.
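As an added example (my own code, not the Diceware project’s and not the dmuth.org generator), here is the procedure from Step 0 and the entropy figure above in Python: it parses a list in Diceware’s `NNNNN<tab>word` file format, rolls five dice per word, refuses to draw from an incomplete list, and computes the bits per word. The three-entry word list inside is constructed for the demo, and `os_die` is the software stand-in for your physical dice.

```python
import math
import secrets

# A Diceware key is five die rolls (digits 1-6), so a full list has 6**5 entries.
KEY_LEN = 5
LIST_SIZE = 6 ** KEY_LEN  # 7776
BITS_PER_WORD = math.log2(LIST_SIZE)  # about 12.9 bits per word

# Constructed three-entry sample in Diceware's "NNNNN<tab>word" file format;
# made up for this demo, NOT the real list. Use a published list for real use.
SAMPLE_LIST = """\
# comment lines and blank lines are ignored
11111\tabacus
11112\tabdomen
66666\tzygote
"""

def parse_wordlist(text):
    """Parse a Diceware-format list into {key: word}, rejecting malformed keys."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, word = line.split(None, 1)
        if len(key) != KEY_LEN or any(ch not in "123456" for ch in key):
            raise ValueError(f"bad dice key {key!r} in line {raw!r}")
        table[key] = word.strip()
    return table

def missing_keys(table):
    """How many of the 7776 keys the list lacks; anything but 0 means biased draws."""
    return LIST_SIZE - len(table)

def os_die():
    """One fair d6 from the OS CSPRNG, the software stand-in for a physical die."""
    return secrets.randbelow(6) + 1

def roll_key(die=os_die):
    """Roll five dice in order and join them into a lookup key such as '31452'."""
    return "".join(str(die()) for _ in range(KEY_LEN))

def passphrase(table, words=7, die=os_die):
    """Draw one passphrase and keep it; re-rolling until you like it discards entropy."""
    if missing_keys(table):
        raise ValueError("word list is incomplete; refusing to draw from it")
    return [table[roll_key(die)] for _ in range(words)]

def entropy_bits(words):
    """Entropy of `words` words drawn uniformly from a full list (7 -> ~90.5)."""
    return words * BITS_PER_WORD
```

Feed `parse_wordlist` the text of a real 7776-line list and `passphrase(table)` gives you one seven-word phrase; `die` can be swapped for anything that returns your own physical rolls in order.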


[gardenbreak] 0: Get out your dice - February 28, 2016 - Kim Reece