
This 11-year-old is selling cryptographically secure passwords for $2 each


Batu69


Girl makes Diceware passwords, rolled with real dice, written by hand, sent by mail


Watch out, NSA. Mira Modi is helping everyone use better passwords.

We now live in a world where a New York City sixth grader is making money selling strong passwords. Earlier this month, Mira Modi, 11, began a small business at dicewarepasswords.com, where she generates six-word Diceware passphrases by hand.

Diceware is a well-known decades-old system for coming up with passwords. It involves rolling actual six-sided dice as a way to generate truly random numbers that are matched to a long list of English words. Those words are then combined into a nonsensical string ("ample banal bias delta gist latex") that exhibits true randomness and is therefore difficult to crack. The trick, though, is that these passphrases prove relatively easy for humans to memorize.

"This whole concept of making your own passwords and being super secure and stuff, I don’t think my friends understand that, but I think it’s cool," Modi told Ars by phone.

Modi is no ordinary sixth-grader, either. She’s the daughter of Julia Angwin, a veteran privacy-minded journalist at ProPublica and author of Dragnet Nation.

As part of her research for the book, Angwin employed her daughter to generate Diceware passphrases, and Modi had the idea to turn it into a small business. She began accompanying her mother on various book-related events and selling passwords that she generated on the spot—dice and all. But in-person sales were slow.

"I wanted to make it a public thing because I wasn’t getting very much money," she said. "I thought it would be fun to have my own website."

Each time an order comes in, Modi rolls physical dice and looks up the words in a printed copy of the Diceware word list. She writes—by hand—the corresponding password string onto a piece of paper and sends it by postal mail to the customer. (Full disclosure: I ordered two.)

If she kept busy at it full-time, Modi would be raking in about $12 per hour—fully one-third more than New York state’s $8.75 minimum wage, which is set to go up to $9.00 on December 31, 2015. As of now, she said she’s sold "around 30" in total, including in-person sales.

Modi admitted that she’s unique among her circle of friends, whom she says not only pick simple passwords for their social media accounts but also routinely share them with each other.

"I think [good passwords are] important. Now we have such good computers, people can hack into anything so much more quickly," she said. "We have so much more on our social media. We post a lot more social media—when people hack into that it’s not really sad, but when people [try to] hack into your bank account or your e-mail, it’s really important to have a strong password. We’re all on the Internet now."


Crafting passwords the old-fashioned way


When she’s not studying or making Diceware passwords, Modi spends her time doing gymnastics and dancing. As she grows up, she may have a future in cryptography and operational security. "I think it would be really cool to learn more about digital security," she said. "I think it would be really cool to learn more about hacking."

Plus, she understands a crucial security concept about passwords that most adults do not. "If you just make one up," she told us, "it’s not going to be a very good one."

Remember what Edward Snowden said in his initial e-mail to Laura Poitras: "Please confirm that no one has ever had a copy of your private key and that it uses a strong passphrase. Assume your adversary is capable of one trillion guesses per second."

Indeed, Micah Lee, the technologist for The Intercept, who has written extensively about Diceware passphrases, is impressed.

"This is one of the great things about high-entropy passphrases, that sixth graders can easily grasp the concept and memorize them," he told Ars by e-mail. "The math is very simple. Even if you don’t understand how to use logarithms to calculate how many bits of entropy your passphrase is, you can tell that each word you add to your passphrase, out of a stack of paper worth of words, makes it exponentially less guessable, but it’s still not very hard to memorize."

And what does the creator of Diceware himself make of all of this?

"I am tickled to hear this, and no, I haven’t heard of anything like it before," Arnold Reinhold told Ars.

"Obviously from a security perspective it is much better to generate your own Diceware passphrase in private, but it is unlikely she is working for the bad guys, and any effort to publicize the importance of strong passwords is for the good," he continued. "I just hope she isn’t sending the generated passphrases to her customers by e-mail or storing them on her computer. I wish her well."

Of course, she’s got those concerns covered.

"People are worried that I will take your passwords, but in reality I won’t be able to remember them," she told Ars. "But I don’t store them on any computer anywhere. As far as I know there is only one copy of your password."

As she reminds customers on her website: "The passwords are sent by US Postal Mail which cannot be opened by the government without a search warrant."

Source

selling cryptographically secure passwords

Cryptographically secure or not, she and the company obviously keep a record of to whom and what password they sent. This is indeed a silly hole in the entire process.

Better stick with my PRNG based password generators for all my needs. :)



More like how long before the hackers get the list and sell it on eBay... The NSA doesn't need a list; it's the law that with a court order they have to give them the info. Now they want to get it passed that even if you use encryption they have to unlock that too.



She mentions the passwords are not stored on any computer and she can't steal them; she won't be able to remember them (I'm a totally different story, I could remember them; I remembered a close friend of mine's cell phone number before he did). As long as they're on paper, handwritten, the only way hackers can get them is to break into her house and steal the papers. Handwritten, not stored on a computer, makes the passwords virtually unhackable. Diceware can be done by anyone; why pay her two dollars for a password you can create yourself using the same method?



She mentions the passwords are not stored on any computer and she can't steal them; she won't be able to remember them (I'm a totally different story, I could remember them; I remembered a close friend of mine's cell phone number before he did). As long as they're on paper, handwritten, the only way hackers can get them is to break into her house and steal the papers. Handwritten, not stored on a computer, makes the passwords virtually unhackable. Diceware can be done by anyone; why pay her two dollars for a password you can create yourself using the same method?

"I won't remember them, and there's just no way I can write them down, right?"



True, she can write people's passwords down to steal them. What would she have to gain from doing this, selling them on the black market? She's only eleven years old; I doubt she would be interested in being a con artist.



Whoever buys a password so generated is stupid enough to get their account hacked sooner or later.

There are numerous free, open source tools to generate truly random passwords/passphrases that one can use.



True, she can write people's passwords down to steal them. What would she have to gain from doing this, selling them on the black market? She's only eleven years old; I doubt she would be interested in being a con artist.

Not personally attacking her or calling her a scam artist, but the idea of buying the password for serious use, instead of just dropping a couple dollars in some kid's candy fund, is not a good idea.



Why not just think of 6 different moments/events in your life, choose a word that appears or is associated with that moment, maybe a colour, a shape, an emotion, an adjective etc etc. Write them down on a piece of paper and memorize them.

I don't see the point in trying to be secure if you immediately start by getting another person (honest kid or not) to create and potentially record your passport..duh!!!! :D :D :D



Archived

This topic is now archived and is closed to further replies.
