Hypha Spike: Diceware
Pulled out from Hypha Spike: DAT 1.
Design
![Screenshot of the completed spike in the browser: Domain: ar.al Password: chive cartwheel attire headlamp approach alphabet splendid deceptive. There is a button labeled “Change”. Underneath, the generated public signing key, private signing key, public encryption key, and private encryption key are listed in form fields. The footnote reads that the password generation process has 100 bits of entropy and would take roughly a few hundred million years to brute force with government-level resources. It also says that the generated keyse are Ed25519 (signing) and Curve25519 (encryption)](spike-screenshot.jpeg)
Screenshot of the completed spike.
-
Use Diceware for passphrase generation to ensure a high-entropy process.
-
Use budo in the spikes to enable lightweight use of bundling/modules/etc.
Postmortem
Pulled this out into its own Spike so that it doesn’t clutter the DAT 1 spike.
Starting with the Aspect Setup 1 spike, in this spike I:
-
Refactored to use budo so I can use requires, etc.
-
Was getting an error in budo due to Chokidar on Linux:
Error: Cannot find module 'fsevents' from '…/node_modules/chokidar/lib'
Ended up upgrading dependencies for budo (pull request) and also squashing this error as the error is in error (pull request). We will, of course, not be using budo in production but it’s fine for the purposes of this spike.
-
Started generating passphrases using Diceware and EFF’s New Wordlists for Random Passphrases
References
- xkcd: Password Strength
- Excellent explanation of above xkcd. Quote: “Security at the expense of usability comes at the expense of security.” – AviD
- Passphrases that you can memorize — but that even the NSA can’t guess
- Diceware (Source code)
- EFF’s New Wordlists for Random Passphrases
- eff-diceware-passphrase