Most people don't follow proper cybersecurity hygiene by creating strong passwords because doing so can be complicated and intimidating. Even if you use a password manager that generates passwords for you, you still need one complicated master password to access it, and losing that risks locking you out of your digital life. Similarly, if you use a physical security key like a YubiKey to access accounts, you always need to have it on you and keep it from breaking.
Fun and secure — Launching this week, DiceKeys is a kit that's supposed to take a lot of the frustration out of creating (and preserving) a single master password. It consists of a plastic blue box and 25 dice that feature numbers and barcodes on them. After you shake the dice and drop them into the box, they'll fall into a bunch of slots and lock themselves in place. Scan the result using your camera into the DiceKeys web app, and the arrangement of the dice will be fed through a mathematical equation that returns a long, unguessable cryptographic key. DiceKeys then offers to use that cryptographic key as the basis for creating a random password for a password manager.
How it works — As Wired explains, the password the DiceKeys app creates can be used as the master password for a password manager. The app doesn't store the created key, but it can reproduce it when the dice box is scanned again if necessary. The number of possible permutations from the 25 dice with six sides each (around 2^196 different possibilities) is "roughly as many possibilities as there are atoms in four or five thousand solar systems."
Don't move the dice — So long as you never move the position of the dice, you can always re-scan the box with your camera to re-create the same exact cryptographic key and subsequent password. DiceKeys is a permanent, offline solution to regenerate your master password even if you lose or forget it. Since the DiceKeys box is fairly large it's supposed to be harder to lose than a piece of paper that you might otherwise write your passwords on.
DiceKeys creator, Stuart Schechter, a computer scientist at the University of California, says any password created from the DiceKeys box cannot be reverse engineered to figure out the underlying key, as there are so many possibilities for how the dice-box could be configured that it would be nearly impossible to guess keys. There are some security concerns with the web app potentially being intercepted to collect generated keys, but he says iOS and Android apps are on the way that should address that. The web app doesn't store any keys or passwords that it generates.
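The following Python sketch is an added example, not code from DiceKeys or from this article. It shows how a count close to 2^196 arises from 25 dice and why re-scanning unmoved dice reproduces the same password while moving one die changes it. The token format, the four rotations per die, the division by four for the box's own orientation, and PBKDF2 standing in as the key derivation function are assumptions made for illustration.

```python
import base64
import hashlib
import math

DICE, FACES = 25, 6                      # from the article
ROTATIONS = 4                            # assumption: each die can sit in 4 rotations
LETTERS = "ABCDEFGHIJKLMNOPRSTUVWXYZ"    # assumption: 25 uniquely labelled dice


def keyspace_bits() -> float:
    """log2 of distinct box states: die orderings x (face, rotation) per die,
    divided by 4 because the box itself can be scanned in any of 4 orientations."""
    states = math.factorial(DICE) * (FACES * ROTATIONS) ** DICE // 4
    return math.log2(states)


def parse_scan(scan: str) -> str:
    """Validate a scan written as 25 tokens such as 'A3t' (hypothetical format:
    die letter, face digit, rotation t/r/b/l) and return its canonical string."""
    tokens = scan.split()
    if len(tokens) != DICE:
        raise ValueError("expected 25 dice")
    for tok in tokens:
        if (len(tok) != 3 or tok[0] not in LETTERS
                or tok[1] not in "123456" or tok[2] not in "trbl"):
            raise ValueError(f"bad die token: {tok!r}")
    if len({tok[0] for tok in tokens}) != DICE:
        raise ValueError("each die must appear exactly once")
    return " ".join(tokens)


def derive_password(scan: str, purpose: str) -> str:
    """Recompute a password from the dice alone; nothing is stored between calls.
    The purpose string acts as the salt, so each use gets an unrelated password."""
    seed = parse_scan(scan).encode()
    key = hashlib.pbkdf2_hmac("sha256", seed, purpose.encode(), 100_000, dklen=20)
    return base64.b32encode(key).decode().lower()


# Constructed sample scan for demonstration only, not a real DiceKey.
SAMPLE = " ".join(f"{c}{i % 6 + 1}{'trbl'[i % 4]}" for i, c in enumerate(LETTERS))

if __name__ == "__main__":
    print(f"keyspace is about 2^{keyspace_bits():.1f}")
    print(derive_password(SAMPLE, "password-manager"))
```
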
The bigger picture — Of course, you could still lose the DiceKeys box, or drop it and throw the dice out of order. But Schechter says the box is sturdy, can withstand drops from the height of a tall human, is toddler-proof, and he's working on a fireproof steel version.
More importantly, he believes that the DiceKeys box could encourage more people to use a password manager who might otherwise be intimidated by the idea of losing their master password. It's not perfect, but it pushes people in the right direction.
The DiceKeys box is available for pre-order for $25 on Crowd Supply and is expected to ship in January of next year.