'DiceKeys' Creates a Master Password For Life With One Roll (wired.com) 98
Stuart Schechter, a computer scientist at the University of California, Berkeley, is launching DiceKeys, a simple kit for physically generating a single super-secure key that can serve as the basis for creating all the most important passwords in your life for years or even decades to come. Wired reports: With little more than a plastic contraption that looks a bit like a Boggle set and an accompanying web app to scan the resulting dice roll, DiceKeys creates a highly random, mathematically unguessable key. You can then use that key to derive master passwords for password managers, as the seed to create a U2F key for two-factor authentication, or even as the secret key for cryptocurrency wallets. Perhaps most importantly, the box of dice is designed to serve as a permanent, offline key to regenerate that master password, crypto key, or U2F token if it gets lost, forgotten, or broken.
Schechter intends for most DiceKeys users to only ever roll their set once. After shaking the keys in a bag, the user dumps them into their plastic box, then snaps the lid closed to permanently lock them into place. The user then scans the dice box with the DiceKeys app -- currently a web app hosted at DiceKeys.app -- that accesses their laptop, phone, or iPad camera. That app generates a cryptographic key based on the dice, checking the barcode-like symbols on the faces to ensure it interpreted the dice's characters and orientation correctly. Despite the current version of the DiceKeys app being hosted on the web, Schechter says that it's designed so that no data ever leaves the user's device. Thanks to the different numbers and letters on each key face as well as the dices' orientations, the resulting arrangement has around 196 bits of entropy, Schechter says, meaning there are 296 different possibilities for how the dice could be positioned. Schechter estimates that's roughly as many possibilities as there are atoms in four or five thousand solar systems.
hmmm (Score:5, Insightful)
Re:hmmm (Score:4, Informative)
You're missing something. The code is provided from a website, but runs locally.
Re: (Score:2)
creating all the most important passwords in your life for years or even decades to come.
and
that's roughly as many possibilities as there are atoms in four or five thousand solar systems
seem incompatible.
My security requirements require 'all the atoms in the known universe' [wiley.com]. Will there be an upgraded version to cover that?
Re: (Score:3)
Don't allow automatic updates on it, even if you trust it today.
Re: hmmm (Score:1)
Go on the website, wait for the app to be fully loaded, cut off your connexion, scan your dice.
If the app fully runs locally, it should work. If it doesn't, that means it needs to phone home and you should burn it.
But even then, I don't think I would trust such a device.
I have no guarantee the app actually generates a high entropy password and not the same password for everyone, or just based on a single die.
Even if it gets audited, being web based or mobile based is too dangerous, it can be compromised or
Re: (Score:2)
For example: slashdotisfullofretardsespecillyhey00 is a password that is easy to remember and unlikely to be cracked in my lifetime.
Re: hmmm (Score:1)
Indeed, no need to be a genius to create a good password and remember it, but it's easier without typos in it.
That product is just a useless novelty that everyone should recognize as such.
Re: (Score:3)
You're missing something. The code is provided from a website, but runs locally.
What then prevents that website from pushing compromised code after it has been hacked?
Re: (Score:2)
"The code is provided from a website, but runs locally."
Which makes very little difference, as the website can just send you malevolent code if you are targeted.
Re: (Score:1)
I wonder how one might go about making a "worksheet" type paper to fill out with the dice rolls and actually math out the random bits by hand.
20-ish rolls or so and you should just be able to derive enough randomness to derive a full keypair out of.
None too practical I'd imagine, but sounds fun enough to spend an afternoon messing around with.
Re: hmmm (Score:2)
Digits 1 through 6.
Take 4 orientations per face.
That's 24 possible "values" one die can give you (1 north, 1 east, 1 south, 1 west, etc).
That's about 5.5 bits of random data.
Record these values in some way for multiple throws of a die, or across multiple dice. More throws/dice = more bits of entropy. 36 dice using this method would give you 196 bits of entropy.
Record the values using pretty much any method (even just a text file listing the results one per line) and then calculate a hash.
Key generated.
Re: (Score:2)
If the dice are different, you have to add the permutation entropy. Assuming 6 copies of 6 dice it's what, an extra 10-20 bits?
Re: (Score:1, Insightful)
When are "you people" going to wake up? Do I have to be nearly killed (again) by some stupid young woman checking her phone to find out if all the Kardashians had a dump this morning (and how Fritzy in Cambridge, MA reacted to that news)? Enough. Just. Enough. The world laughs at us already; stop giving them more material.
PS - Go to hell Cook. Apple hasn't released anything truly new in ten years. You are not worth 2T. If the Pr
Sounds dicey. (Score:2)
You can do the same just by using any pass phrase you want (sufficiently complex). But that's something you can't actually lose. Write it down if you are worried about forgetting.
You then follow the same protocol: enter the pass phrase into your app, which will just hash it with a salt such as the name of the company website and date, and produce a tailored password.
So the REAL thing here is not the dice box, which you might lose, but the app. And the problem with an app, is will it be around in 5 year
Re: (Score:2)
Plus the whole dice, bag, box, and package for a single use are a complete waste of resources considering that they aren't needed.
Besides, if you are going to go through all of that trouble why not just have the user roll 10d20, place them in the box, put the cover on, and continue as before. Though personally, I would prefer to have everything run locally on an app without relying on a website.
They say that nothing is transmitted over to them but we're taking their word that's the case. Perhaps they c
Re: (Score:2)
Plus the whole dice, bag, box, and package for a single use are a complete waste of resources considering that they aren't needed.
It's the novelty of this contraption that will sell it. Anyone that has a clue what this is for will probably make up their own master key without a bunch of plastic bits and bobs.
Re:Sounds dicey. (Score:5, Insightful)
Re: (Score:2)
Congratulations for pointing out the same flaw as with the original design. What's the difference if I say to put the dice in the box after rolling them or to dump them into the box after shaking them in a bag as per the summary?
The whole thing is a gimmick to sell merchandise at best. At worst it's to sell merchandise and to gain access to people's accounts. It has a number of flaws such as the one you pointed out and as others have suggested, depending on a web site to be around in years' time.
Re: (Score:2)
You can do the same just by using any pass phrase you want (sufficiently complex). But that's something you can't actually lose. Write it down if you are worried about forgetting.
^^^^^THIS.
No need for dice kits and crap like that; simply commit one moderately long phrase to memory and you'll have it forever. And as he said, write it down and keep a copy or two in safe locations.
Re: (Score:2)
Nope, you are not missing anything. This is snake-oil. Showy, you need to buy some "magic" gadget, but the idea has glaring holes.
Re: (Score:3)
Misquote in the summary... (Score:5, Informative)
...196 bits of entropy, Schechter says, meaning there are 296 different possibilities...
That's 2 to the 196... 2^196... and that's a strong password.
Re: (Score:2)
Doesn't matter how strong it is, if the vandals can steal it from the site where you used it. That's where all the stolen passwords (and other private information) are coming from: huge cracks in the sites and businesses that demanded them in the first place!
Doh! (Score:4, Funny)
12345678
Just my luck.
Re: (Score:3)
I rolled mine once and got 12345678
That's odd, mine rolled 9 9 9 9 9 .... [dilbert.com]
Re: (Score:2)
You're holding it wrong.
Re: (Score:2)
> 12345678
That's the combination to my luggage!
Re:Doh! (Score:5, Insightful)
Very impressive (Score:2)
Very impressive to get 196 bits of entropy out of 296 possibilities.
Seriously - this isn't even a good copy/paste. The actual article says 2**196. Apparently Wired readers are so dumb that the author needed to clarify that a bit means 2. Even worse, the slashdot editors are so dumb that they didn't notice this nonsense.
Re: (Score:2)
But it WAS a poor copy/paste to lose the power notation.
---
Re: (Score:2)
Did you see the correction posted at the end of the wired article?
Dumb much? (Score:2)
If you are making a master random key - do it in a room without electronics (except the machine you are doing it on). Store it in a suitable medium - a set of n-of-m cards, yubikeys or similar. Using a web-app for this is about as counterproductive as you can get.
You have many megabytes a second of full entropy, cryptographically secure random data available on any modern X86 CPU. Use that.
Re: (Score:2)
Fyi I think Techy is referring to RDRAND. It's as trustworthy as Intel. /dev/random is strictly better on any kernel after 2013.
Re:Dumb much? (Score:4, Informative)
Fyi I think Techy is referring to RDRAND. It's as trustworthy as Intel. /dev/random is strictly better on any kernel after 2013.
Well I designed the RdRand random number generator circuit and I trust it because I know exactly how it works. So you telling me it's untrustworthy is like telling a farmer that he doesn't know how to grow a potato.
The security of /dev/random is suspect because it's software. It cannot guarantee that its sources of entropy actually have any entropy. The underlying hardware it uses must supply good entropy for it to be secure. See the 'mining your Ps and Qs' paper for an example of /dev/random failing to be secure.
All good, cryptographically secure nondeterministic random number generators include their own hardware source of entropy which draws its nondeterministic properties from underlying quantum uncertainty. /dev/random does not.
Re: Dumb much? (Score:1)
This is a one time thing, not a sequence. It is unlikely one could use any information on your computer and its environment at the moment you made the key to find out what our was. And even if that were the case you can foil it by changing a few characters after generation. Just Genesee
Re: Dumb much? (Score:1)
Just generate a random uuid and change a few digits.
Re: (Score:2)
I didn't say it isn't trustworthy. And I actually implied your design is solid.
I said it's as trustworthy as the company who makes it, Intel, hopefully according to your excellent design. If a person trusts Intel (and anyone using Intel CPUs *is* trusting Intel), all good.
If someone does not trust Intel to manufacture it according to your design, then the design doesn't matter - they don't trust that the implementation matches the design.
What I was saying is that if you trust Intel, you can trust rdrand.
Re: (Score:2)
>tually it's interesting that when I said "rdrand is as trustworthy as Intel"...
Point taken.
>Conceptually, one can picture it as:
>Rdrand xor Entropy2 xor Entropy3 xor Entropy4
This has problems. Indeed problems that Ted and Linus both discussed. When one of those sources is 1000 times faster than the others, you are either limited to the speed of the slowest and are throwing away a lot of entropy, or you're back to trusting the faster source in practice. This is exactly what is going on in the linux
It's Sha with rdrand as the IV (Score:2)
It looks like it's now using a true twisted GFSR at around line #528 for input, which is an improvement after the 2012 paper.
https://github.com/torvalds/li... [github.com]
On output, it uses the SHA of the pool contents, WITH YOUR HARDWARE RND as the IV.
Attack surface is a valid concern. You're not wrong there.
Aside from that, I'm more comfortable using a hash that has rdrand as the IV than I am using only rdrand. Meltdown and Spectre have shown us that side channels are real - a mathematically perfect des
Re: (Score:2)
I have no problem with mixing sources. My suggestion is to mix them as close to the point of use as possible, which is easy as I've described.
The GFSR stuff is not great. It doesn't come with decent mathematical proofs and it is vulnerable to adversarial sources. CMAC would be cheaper, better and come with a string of proofs (Dodis and Tereshima in particular). For my own needs, I will use /dev/random where it's convenient, but mash it down with CMAC before use. My code checks for RdRand or RdSeed first and
Re: (Score:2)
Interesting stuff.
Backing way up, rdrand basically takes as input the least significant digits of temperature sensors, is that right? Measures a millionth of a degree or whatever, precision in excess of accuracy?
Re: (Score:2)
Interesting stuff.
Backing way up, rdrand basically takes as input the least significant digits of temperature sensors, is that right? Measures a millionth of a degree or whatever, precision in excess of accuracy?
No. Not unless you squint hard.
It uses thermal noise to drive a metastable latch to resolution (1 or 0) 2.5 billion times a second. that's the noise source. The rest is crypto, self test and data shuffling.
Re: (Score:2)
Interesting.
Re: (Score:2)
Interesting.
More details here if you have the patience to listen to me drone on for 45 minutes at a room of professors and postgrad researchers.
https://www.youtube.com/watch?... [youtube.com]
Re: (Score:2)
Thanks. Looks like the video is about an hour and a half and I'm actually watching it. So far I'm at the point where the feedback is inverting the bias, so if I see 1111 I can bet that the next two bits are more likely to be 00 than to be 11. I guess in the video you're about to explain how you fix that.
Now I just have to wait for my wife to ask what I'm watching, so I can say "a random video".
OK but why pay $25? (Score:1)
Can't I just use a local random password generator to make a 196-bits-of-entropy "master key" and print it out on a piece of paper?
Better yet, print it out, tear it in half, and store the halves separately, to make it harder for someone to steal.
All I need now is an app to scan the piece of paper and make the sub-keys. I wouldn't be surprised if some bored programmer sees this post and has it ready by Monday.
Oops, the guy with the dice probably has or is trying to get patents that would cover this. Neverm
Re: (Score:2)
You're not going to have that many million bits of entropy just because pixels next to one another are so likely to be close in value, if not the same, to one another. For example, a black area on a photo would mostly contain 0's. Though if you are taking picture of writing on a piece of paper then most of the bits would be 1 for the white of the paper.
It could take an image given to it by the user, examine regions for contrast and/or colour changes to get a sample of however many pixels you desire, and the
Re: (Score:2)
Re:OK but why pay $25? (Score:4, Interesting)
Can't I just use a local random password generator to make a 196-bits-of-entropy "master key" and print it out on a piece of paper?
I think that the whole idea behind using mechanical random sources like dice is that some people trust neither the "entropy source" algorithms in computers nor the supposed hardware random generator circuits that come with many CPUs.
If you worry about that, then you probably won't like the huge attack surface created by saving a picture on your smartphone followed by feeding that data into a web app.
At any rate, since one die roll is about 2.5 bits of entropy, then you can easily get the 196 bits mentioned here by rolling the 5 dice in your Yahtzee set 16 times. If you just enter the resulting 80 digits into a plain text file, then run the command-line sha256sum utility on the result, you should achieve the same result as this product with a much smaller risk of leaking information.
Re: (Score:2)
Can't I just use a local random password generator to make a 196-bits-of-entropy "master key" and print it out on a piece of paper? Better yet, print it out, tear it in half, and store the halves separately, to make it harder for someone to steal.
If I'm making a master password for life, I'd much prefer a home grown solution like paper printouts without reliance on apps or special boxes, dice etc. Over a long time, I'd be worried about my apartment catching fire, misplacing the master key, accidentally throwing it away or just DiceKeys going bust and not being able to recreate their master pwd algorithm. Readable paper printouts (laminated) can be spread out over several physically separated places. If you don't trust the locations, create N super-
Challenge accepted (Score:3)
From TFA:
"You can’t really build a computer big enough to guess this number without crushing yourself under its gravity."
-- DiceKeys Creator Stuart Schechter
Deep Thought [fandom.com] replies, "hold my beer ..."
Re: (Score:2)
Well it took you 7 million years to come up with 5 bits of entropy. I'm not holding your beer that long.
Clear case & bag. (Score:2)
Since they're shipping a black bag anyway they should switch to a clear case so every set can make two keys.
Somebody else suggested metal dice. That would be good for 2.0. I've met some people who think I'm extreme for suggesting that they use letter punches to stamp their crypto keys into a stainless steel card. I mean, that's why seeds have FEC, right?
This is a joke right? (Score:2)
Dice are a cute way to make a password, but I suspect very few hacks are based on guessing random passwords and there are lots of known ways to make pretty random sequences of bits.
Most hacks seem to be social engineering "hello I'm for Microsoft and your windows need cleaning".
Followed by companies that fail to store their data securely regardless of user passwords
Followed by buggy applications (sometimes due to intervention by three letter agencies).
I'm now waiting on a new DnD class (Score:1)
U2F is questionable (Score:5, Informative)
Second is that the U2F spec uses a counter that only ever increments. If the counter is ever found to go backwards, the system may do whatever it wants. Maybe it will ignore it, maybe it will reject that use, maybe it will invalidate your U2F device. Any attacker who has duplicated your U2F will be smart enough to choose a large counter to make sure it isn't less. Then the next time you use your U2F, the service will see that the counter went backwards. This means 2 things. 1 is that the device is compromised, and 2 is that even though the authentic device is probably the one with the lower count, it can't be sure, so the best thing is to just invalidate that U2F device.
Recommending the backup and copying of a U2F device is bad practice and runs afoul of the spec.
At least yubikey is level 3 fido.
Level 1: resilient against malicious software <-- solo key
Level 2: resilient against malicious OS
Level 3: resilient against direct hardware attacks <-- yubikey
Level 3+: resilient against advanced electrical signalling and voltage manipulation attacks
yubikey's data is stored in a write-only enclave that will self-destruct if someone attempts to physically access the data, and the on-board CPUs are not only designed to allow very specific operations, but there are two cpus that both do calculations independently and nothing happens unless they both agree on the outcome. They are not used as redundancy, but as a security feature to force an attacker to have to compromise both at the same time and in the same way. yubikey can also clear the enclave when tampering is detected.
And from a security design, U2F doesn't necessarily mean you're using two-factor. Two factor means you have two different factors, like something you know, a password, and something you have, a U2F key. But from an attack standpoint, a U2F key made by something you know means it can be recreated by something you know, meaning it is something you know. You are technically not using two-factor, just some glorified single factor. Anything that can be backed-up, copied, or recreated is not "something you have". Just something you know, with more steps.
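The counter behaviour described in the comment above, seen from the service's side, as an added example that is not part of the original post or of any U2F library. It assumes the signature has already been verified; the `Credential` record, the `JUMP_ALERT` threshold and the extra flagging of large forward jumps are assumptions of this sketch, and the sample responses are constructed.

```python
import struct
from dataclasses import dataclass, field

JUMP_ALERT = 1000  # assumed threshold for a suspicious forward jump; tune per deployment


@dataclass
class Credential:
    key_handle: str
    counter: int = 0
    revoked: bool = False
    events: list = field(default_factory=list)


def parse_counter(auth_response: bytes) -> int:
    """U2F authentication response: 1 flags byte, 4-byte big-endian counter, signature."""
    if len(auth_response) < 5:
        raise ValueError("authentication response too short")
    _flags, counter = struct.unpack(">BI", auth_response[:5])
    return counter


def check_counter(cred: Credential, auth_response: bytes) -> str:
    """Apply the counter policy; signature verification is assumed done by the caller."""
    received = parse_counter(auth_response)
    if cred.revoked:
        return "rejected: credential revoked"
    if received <= cred.counter:
        # The service cannot tell which device is the copy, so retire the credential.
        cred.revoked = True
        cred.events.append(f"regression {cred.counter} -> {received}")
        return "rejected: counter regression"
    jump = received - cred.counter
    cred.counter = received
    if jump > JUMP_ALERT:
        # Early signal: a copy that picked a large counter shows up as a big jump.
        cred.events.append(f"jump of {jump}")
        return "accepted: flagged for review"
    return "accepted"


def constructed_response(counter: int) -> bytes:
    """Constructed sample: presence flag 0x01, counter, placeholder signature bytes."""
    return struct.pack(">BI", 0x01, counter) + b"\x00" * 8


def replay_scenario():
    """Genuine key at 42, a copy at 100000, then the genuine key again at 43."""
    cred = Credential("kh-example", counter=41)
    results = [check_counter(cred, constructed_response(c))
               for c in (42, 100000, 43, 100001)]
    return cred, results


if __name__ == "__main__":
    cred, results = replay_scenario()
    for line in results + cred.events:
        print(line)
```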
Re: (Score:2)
But it appears to do what it was designed to do:
Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of..
I will say, I like U2F better than the alternatives. It has nothing to do with my cell phone and zero to do with giving my phone number to a website. That makes it a hell of a lot better than most things I have tried.
The only issue I have had is I have to jump thro
Re: (Score:2)
Solokey only works because it assumes U2F devices will not be d
Re: (Score:2)
I see one word there...plastic (Score:2)
Putting the tech aside for just a second, in a world where we're trying to stop polluting the planet with sh*t and filling the oceans with garbage, you want me to buy a plastic device that I will only ever use once in my life and then either put it or throw it away? Sure I can understand that you require a physical device to achieve the kind of serious entropy you need to make this possible, but I can't see the green crowd cutting you much slack on this one if that device is one-time and made of plastic.
Re: (Score:2)
FTA:
Why pay money? (Score:1)
Take a deck of cards. Shuffle really well (most shuffles are crap, so spend a serious amount of time shuffling). Deal the cards. Keep them safe. You have a simple keyspace of something like (13!**4)~=1e39 ~=2**130 even if you ignore the colours. Teach your children NEVER to play cards...
Where's the entropy? (Score:2)
Maybe I'm missing something, but to me, this looks like it generates only about 88 bits of entropy. The 25 dice can be arranged in 25 positions 25! different ways. Each die can show one of 6 faces in one of 4 orientations.
log2(4*6*25!) is approximately 88.2
What am I missing?
Re: (Score:2)
The box itself can be held up one of four ways.
Here's the entropy (Score:2)
Straight from TFA:
25 unique dice (letters) assigned to 25 positions
25!
6 possible faces (digits) exposed by each die
6 ^ 25
4 possible orientations of each exposed face
4 ^ 25
4 possible orientations of box reduced to one
1 / 4
(They ignore rotations of the box itself)
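The count in the comment above, together with the "record the values, then hash" and per-site-salt ideas raised earlier in the thread, worked through as an added example; it is not code from the DiceKeys project or from any poster. The letter set, the `t/r/b/l` orientation codes, the smallest-encoding rule for collapsing the four box rotations, and the domain-separation strings are assumptions of this sketch, and the sample roll is constructed.

```python
import base64
import hashlib
import hmac
import math
import random

LETTERS = "ABCDEFGHIJKLMNOPRSTUVWXYZ"   # 25 die labels (assumed labelling)
ORIENTATIONS = "trbl"                   # face top points top/right/bottom/left
SIDE = 5


def entropy_bits():
    """log2(25! * 6^25 * 4^25 / 4): the four factors listed in the comment above."""
    n = SIDE * SIDE
    return math.log2(math.factorial(n) * 6**n * 4**n // 4)


def validate(grid):
    """Reject misreads: every die exactly once, digits 1-6, known orientation."""
    if sorted(ltr for ltr, _, _ in grid) != sorted(LETTERS):
        raise ValueError("each lettered die must appear exactly once")
    for _, digit, orient in grid:
        if digit not in range(1, 7) or orient not in ORIENTATIONS:
            raise ValueError("bad digit or orientation")


def rotate_cw(grid):
    """Turn the whole box 90 degrees clockwise; every face turns with it."""
    out = []
    for r in range(SIDE):
        for c in range(SIDE):
            ltr, digit, orient = grid[(SIDE - 1 - c) * SIDE + r]
            turned = ORIENTATIONS[(ORIENTATIONS.index(orient) + 1) % 4]
            out.append((ltr, digit, turned))
    return out


def canonical(grid):
    """Collapse the four box rotations to one reading (the smallest encoding)."""
    validate(grid)
    views, g = [], list(grid)
    for _ in range(4):
        views.append("".join(f"{ltr}{d}{o}" for ltr, d, o in g))
        g = rotate_cw(g)
    return min(views)


def seed_from_box(grid):
    """256-bit seed: hash of the canonical reading, domain-separated."""
    return hashlib.sha256(b"example-dice-seed-v1|" + canonical(grid).encode()).digest()


def site_password(seed, site, length=24):
    """Per-site secret: HMAC of the site name under the seed, as printable text."""
    mac = hmac.new(seed, b"password|" + site.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()[:length]


def sample_box():
    """Constructed sample roll from a fixed PRNG seed, for demonstration only."""
    rng = random.Random(2020)
    letters = list(LETTERS)
    rng.shuffle(letters)
    return [(ltr, rng.randint(1, 6), rng.choice(ORIENTATIONS)) for ltr in letters]


if __name__ == "__main__":
    box = sample_box()
    print(f"{entropy_bits():.1f} bits")
    print(site_password(seed_from_box(box), "example.com"))
    print(site_password(seed_from_box(rotate_cw(box)), "example.com"))  # same value
```

Without the rotation step, the same sealed box scanned a quarter turn off would yield a different seed, which is why the count divides by 4.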
How about a dice box + a metal wallet? (Score:2)
There are a number of places selling metal wallets, where one arranges the letters of their recovery phrase and then anchors them in place, or has a stamping kit for metal. The best I've seen was a metal cylinder that had the ability to store BIP-39 codes, and the cylinder was in a case that could be sealed. Another good one is Blockplate, which just needs a good center punch.
With a metal wallet that has more resistance to chemicals, weathering, physical damage and such, I'd much rather trust that.
A dice tra
This is just a reinvention of Diceware (Score:4, Informative)
This is the same basic idea as Diceware [diceware.com], which has been around for a long time and does it in a much simpler way. You don't need special barcoded dice or a special camera app. Just roll an ordinary 6-sided die 5 times and look up the numbers in the Diceware wordlist. You can even print the list on paper so that the process is entirely manual and no amount of compromised software can snoop on your password generation. Each word has about 12.9 bits of entropy (6^5 is approximately 2^12.9), and you can choose how many words to generate based on the password strength you want.
I guess the innovation of DiceKeys is using more than just the number on the die as the entropy source. Using the Diceware method, 25 dice (5 words) gives you about 64 bits of entropy; to get at least 196 bits you need 75 dice (15 words). DiceKeys uses the orientation of the dice and their arrangement in the box as additional entropy sources, to get 196 bits out of just 25 dice.
Cheaper: Use a deck of cards (Score:1)
ac2c3c4c5c6c7c8c9c10cjcqckc
ad2d3d4d5d6d7d8d9d10djdqdkd
ah2h3h4h5h6h7h8h9h10hjhqhkh
as2s3s4s5s6s7s8s9s10sjsqsks
jokerjoker
On the downside you'll have a 118 character password. Of course you'll want to ensure nobody ever reshuffles
Re: (Score:2)
Where does 466 bits come from? Shuffling 54 cards would result in factorial(54) permutations, which is about 237 bits of entropy. Am I missing something?
Re: (Score:1)
"a web app" ... *ba-dum TISS*! (Score:2)
Hey you,
get a clue!
And fuck off
until you do!