Unique usernames with diceware

Diceware, created by Arnold G. Reinhold, is a technique for generating random, yet memorizable passwords. The method uses 5 d6 dice and a table of 7776 (6 ^ 5) words. Each additional word chosen from the list by rolling the dice increases the entropy (or randomness) of the password in a consistent manner.

For example, when I rolled 31233 63132 33256, I got the phrase “gino vicar horse”. Three rolls is considered a weak password, so I would use more rolls for a password.

A person that uses the Diceware algorithm to select passwords overcomes their limited capability to be truly random. Because Diceware lists contain words from a familiar language, the generated passwords are easier to remember.

In addition to creating passwords, Diceware can create random usernames or email addresses.

On most services, you can find me by searching for a couple of specific usernames. If I had been conscious of that, I might have picked other usernames more often. The Diceware list makes it easy to pick a unique username by throwing the 5 dice two or three times and concatenating the words together. If I wanted, I could pick “ginovicarhorse” as my handle on reddit.
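The lookup-and-concatenate step above, as an added Python example (not code from the original post). The function names are my own, `SAMPLE_LIST` is a constructed excerpt holding only the three rolls quoted in this post, and `secrets` stands in for physical dice; `generate_username` assumes you load the complete 7776-entry list yourself.

```python
import math
import re
import secrets

# Constructed excerpt in the "roll<whitespace>word" layout of a Diceware list,
# holding only the three entries from the example rolls in this post.
SAMPLE_LIST = """\
31233\tgino
63132\tvicar
33256\thorse
"""

ROLL_RE = re.compile(r"[1-6]{5}")  # five dice, each showing 1..6


def load_wordlist(text):
    """Parse 'roll word' lines into a dict, skipping anything else."""
    words = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and ROLL_RE.fullmatch(parts[0]):
            words[parts[0]] = parts[1]
    return words


def roll_five_dice():
    """Simulate five d6 with the OS CSPRNG rather than the random module."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def username_from_rolls(rolls, words):
    """Look up each five-digit roll and concatenate the words."""
    for r in rolls:
        if not ROLL_RE.fullmatch(r):
            raise ValueError(f"not a five-dice roll: {r!r}")
    return "".join(words[r] for r in rolls)


def generate_username(words, n_words=3):
    """Draw n_words fresh rolls; requires the complete 7776-entry list."""
    if len(words) != 6 ** 5:
        raise ValueError("word list is incomplete; picks would be biased")
    return username_from_rolls([roll_five_dice() for _ in range(n_words)], words)


def entropy_bits(n_words, list_size=6 ** 5):
    """Bits of entropy when every word is drawn uniformly from the list."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    words = load_wordlist(SAMPLE_LIST)
    print(username_from_rolls(["31233", "63132", "33256"], words))
    print(f"{entropy_bits(3):.1f} bits for three words")
```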

One tradeoff is needing to remember both the user name and passphrase instead of just the passphrase. Although it is possible to use IP addresses, MAC addresses and other techniques to connect the different users, unique user names will limit how many groups have that capability.

In circumstances where one wants to create one-off email addresses, Diceware’s word list can generate them as well. Free email hosts such as Google and Yahoo may have this behavior off the radar of their Terms of Service. Owning a domain with a catch-all destination can also support unique email addresses.

I’m confident that I don’t know all of the issues involved in creating unique email addresses. The obvious consequences of unique email addresses are mixed.

On one hand, you can separate your contacts into groups that do not know of the connection. Another use would inhibit the association of a person’s different devices with each other by using a different account with each device.

One negative consequence is that checking multiple addresses is tedious. An email client such as Thunderbird can check them all but has its own tradeoffs. Having different devices registered with different owners defeats the ability to share Google’s services between the devices.

Not being able to share Hangouts, YouTube, the Play Store and Google Drive between the devices is probably too onerous a cost in most cases. Purchases made on one device won’t be available on the others.

It’s easier to justify unique usernames. Even choosing from a broader set of standard usernames than the one or two I have right now would make sense. They would improve anonymity with little cost.