Using Dice to Generate Human Readable Passwords

2023-06-26 - [52] 4:8

I recently had to write down a few of my passwords on some paper and realized a couple of problems:

• The randomly generated passwords used ambiguous characters, which is not great for readability

• I was stuck relying on a computer's complicated random number generator to generate the passwords

• Some passwords were unnecessarily long because it is incredibly easy to generate unnecessarily long passwords on a computer

As a result of this, I decided I wanted to make my passwords in an analog way that were much more human friendly. A way of doing that was with some dice I had laying around.

Quite a lot of websites use the following password requirements:

• Must be at least 8 characters long

• Must contain at least 1 Uppercase Letter

• Must contain at least 1 Number

• Must contain at least 1 Special Character

The goal was simple enough... make a password generator system using dice that can meet the password requirements, use unambiguous characters (at least in terms of my handwriting), and have enough security to make brute forcing the password impractical. I want to be able to generate strong passwords that are only 16 characters long that I can transcribe from a computer to a notebook and back without worrying too much about writing the password down wrong.

Before I mention the system I came up with, I should mention that there is already a way to generate passwords using dice called "Diceware", but Diceware uses a word list and the passwords can become quite long. Below is a link to the Electronic Frontier Foundation's Diceware explainer page if you want to check that out, it may help you out more than my system does:

[HTTPS] EFF Dice-Generated Passphrases

And now back to my system.

Generating the first N-3 characters

All you need to generate passwords is a single 6-sided dice. An issue with 6-sided dice though is that you only have 6 possible outcomes. With that said, 2 dice rolls have a total of 36 possible outcomes. It's not too difficult to find 36 unique characters, as shown below:

• 1: abcdef

• 2: ghikmn

• 3: oprswz

• 4: AEFHLY

• 5: 234678

• 6: +,-/?^

Notice that the 36 characters are clustered into 6 groups of 6 characters each. To determine which character is used for the password, roll a dice to figure out which of the 6 groups to pick from, then roll the dice again to figure out which character of that group to use. For example, rolling a 3 will select the "oprswz" group and then rolling a 2 will select "p" from that group.

Another thing to notice is that group 4 is exclusively Uppercase Letters, group 5 is exclusively Numbers, and group 6 is exclusively Special Characters. This will be important in a little bit.

For now, you can roll the dice twice for each character in your password until the last 3 characters. Let's say you want a 16 character password, so you will use the rules explained so far for the first 13 characters.

Generating the last 3 characters

To meet the password requirements, we need to make sure every password has at least 1 Uppercase Letter, at least 1 Number, and at least 1 Special Character. This can be done with only 3 characters. It is also why group 4 is exclusively Uppercase Letters, group 5 is exclusively Numbers, and group 6 is exclusively Special Characters.

First, we need to figure out which of the 3 groups to get a character from. There are 3 groups, so we need to turn a 6-sided dice into a 1/3 odds device. We can do this by having 1 and 4 be equivalent, 2 and 5 be equivalent, and 3 and 6 be equivalent. Roll the dice, and figure out which group the character will be from, as shown below:

• 1 or 4: AEFHLY (Uppercase Letters)

• 2 or 5: 234678 (Numbers)

• 3 or 6: +,-/?^ (Special Characters)

Next, do another dice roll to figure out which character from that group will be the first selected character of the last 3 characters of the password. The group that character was from is now ruled out for the remaining 2 characters of the password.

Now we need to figure out what the second group of the last 3 characters of the password will be. There are only 2 groups left, so we need to turn the 6-sided dice into a 1/2 odds device, equivalent to a coin flip. This can be done by rolling the dice and determining if the result is Odd or Even. Roll the dice to determine the second group, as shown below:

• If the first group was "Uppercase Letters": "Numbers" is Odd and "Special Characters" is Even

• If the first group was "Numbers": "Uppercase Letters" is Odd and "Special Characters" is Even

• If the first group was "Special Characters": "Uppercase Letters" is Odd and "Numbers" is Even

In other words, the first unused group is Odd and the second unused group is Even.

Like before, when you figure out which group is selected, roll the dice again to figure out which of the 6 characters of that group is selected.

The last remaining group is the last character of the password. Roll the dice to figure out which of the 6 characters of that group is the last selected character for the password.

Example last 3 characters

• You roll a 4, so the selected group is "Numbers"

• You roll a 1, so the selected character is "2", so write down "2"

• The remaining groups are "Uppercase Letters" and "Special Characters", so "Uppercase Letters" is Odd and "Special Characters" is Even

• You roll a 6, which is Even, so the selected group is "Special Characters"

• You roll a 3, so the selected character is "-", so write down "-"

• The remaining group is "Uppercase Letters"

• You roll a 1, so the selected character is "A", so write down "A"

• You now have the characters "2-A" and are finished with the last 3 characters of the password

Password strength

Passwords generated with this system have a probability of only 1 in (36^(n-3) * 18 * 12 * 6) of being guessed on any attempt, assuming the dice is not loaded, where n is the length of the password (minimum of 3 characters). That means for a password generated with this system of size n, there are (36^(n-3) * 18 * 12 * 6) possibilities of what it could be. It will also take 2n-1 dice rolls to generate the password. The entropy in bits is the log2 of the total amount of password possibilities, so log((36^(n-3) * 18 * 12 * 6), 2). Below are passwords of different lengths along with number of dice rolls needed and the amount of bits of entropy the password provides:

• 8 characters - 15 dice rolls - about 36.19 bits of entropy

• 9 characters - 17 dice rolls - about 41.36 bits of entropy

• 10 characters - 19 dice rolls - about 46.53 bits of entropy

• 11 characters - 21 dice rolls - about 51.70 bits of entropy

• 12 characters - 23 dice rolls - about 56.87 bits of entropy

• 13 characters - 25 dice rolls - about 62.04 bits of entropy

• 14 characters - 27 dice rolls - about 67.21 bits of entropy

• 15 characters - 29 dice rolls - about 72.38 bits of entropy

• 16 characters - 31 dice rolls - about 77.55 bits of entropy

• 17 characters - 33 dice rolls - about 82.72 bits of entropy

• 18 characters - 35 dice rolls - about 87.89 bits of entropy

• 19 characters - 37 dice rolls - about 93.06 bits of entropy

• 20 characters - 39 dice rolls - about 98.23 bits of entropy

Example password generation (16 character long password)

To make this section quicker, we will be rolling 2 distinct dice at the same time, named Dice 1 and Dice 2. Dice 1 will be a white dice and Dice 2 will be a red dice. You won't be able to see the color of the dice because this is just text, but just know that these are 2 distinct dice that you can tell the difference between when they are rolled. Dice 1 is equivalent to the odd numbered dice rolls and Dice 2 is equivalent to the even numbered dice rolls. I will write the rolls of Dice 1 and Dice 2 as "a|b", where a is Dice 1's roll and b is Dice 2's roll. For example, 3|1 means Dice 1 rolled a 3 and Dice 2 rolled a 1.

First 13 characters

• 5|4 - "6"

• 3|3 - "r"

• 6|2 - ","

• 1|2 - "b"

• 5|1 - "2"

• 2|1 - "g"

• 6|6 - "^"

• 3|3 - "r"

• 4|3 - "F"

• 3|4 - "s"

• 1|3 - "c"

• 4|3 - "F"

• 6|4 - "/"

Last 3 characters

• 3|6 - "^" - Dice 1 was 3 or 6, so "Special Character"

• 1|4 - "6" - Dice 1 was odd, so "Number"

• 5 - "L"

The final 16 character long password will be "6r,b2g^rFscF/^6L"

Dice roll password generation "Cheat Sheet"

First N-3 Characters

   1    |   2    |   3    |   4    |   5    |   6
--------+--------+--------+--------+--------+--------
 abcdef | ghikmn | oprswz | AEFHLY | 234678 | +,-/?^


Last 3 Characters

            1 or 4 | 2 or 5 | 3 or 6
if 1 or 4:         |  odd   |  even
if 2 or 5:   odd   |        |  even
if 3 or 6:   odd   |  even  |
-------------------+--------+--------
            AEFHLY | 234678 | +,-/?^

Ending thoughts

A big motivation for me making this password generation system was because I needed to reinstall parts of the operating system on my desktop computer and I was at a high risk of losing access to some important passwords if I didn't write them down. Writing down the passwords was an absolute pain in the butt, especially because of ambiguous characters and password lengths. It was hard enough writing my passwords down correctly, double triple, and quadruple checking that I wrote them correctly, but I also had to make sure that I could read what I wrote down well enough to type the passwords back into my computer correctly. The passwords were generally way too long, way too ambiguous, and prone to the "telephone game" issue.

This system fixed that for me. It took a little while to generate all of my new passwords and replace my old passwords with them, but I'm much happier knowing I can backup my passwords on a piece of paper if I need to again or generate passwords offline and in an analog manner. The rules are simple enough that they can fit on a business card. In fact, I redesigned my business card to have this system's rules on the back and plan to get them printed soon. Below is an image of the back of my business card design: