BSidesLV 2016

The idea of using passphrases for storing stronger secrets has been around since at least 1982, yet little work has been done to improve the usability of this method. Diceware, the de facto method and passphrase wordlist, contains wonderfully easy to remember words such as “aeneid”, “zh”, and “$$” (Let’s not get started on “h”, “hh”, “hhh” and “hhhh”). Moreover, extended language support for Diceware is often based on translations of the original wordlist, which contains numerous Americanisms such as “howdy”, “hubbub”, and “Boise”.

In this talk, we will discuss the problems facing passphrases in the present, and propose alternative approaches to passphrase wordlist generation. We will discuss our our own method for creating localized wordlists and how this method is being tested using Peerio as a real-world test site and analyzed by our academic partners. Specifically, we argue that accounting for cultural and social variables in language usage can provide stronger, more memorable, and in some cases shorter passphrases than existing models. Finally, we would like to open the discussion to assess possible faults with this method, identify potential improvements, and consider other ways in which we as a community can collaboratively improve the overall user experience of passphrases.