What's the best way to generate a truly random password?

  • 15 Replies
  • 10556 Views
Offline syhprum (OP)

What's the best way to generate a truly random password?
« on: 11/10/2013 20:22:53 »
I understand that to be safe from the really sophisticated code crackers one needs to generate a truly random password of, say, 20 alphanumeric characters.
Could this be produced by shaking 17 dice 20 times and deducting 17 each time from the spot count?
Would this be overkill, or defenceless against thousands of GPUs?

I calculate this would give 3.876*10^38 combinations, but how truly random would it be?
« Last Edit: 13/10/2013 11:17:48 by chris »
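An added example (not from the thread) that quantifies the OP's dice scheme: it computes the distribution of the sum of 17 dice and its Shannon entropy per roll, and contrasts it with a uniform mapping of three dice onto an assumed 62-character alphanumeric alphabet (the Diceware approach) and with a software generator. The 62-character alphabet and the three-dice mapping are assumptions of this example.

```python
import math
import secrets

# Assumed alphabet: 62 alphanumeric characters (upper case, lower case, digits)
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"


def dice_sum_distribution(n_dice):
    """Probability of each total when n_dice fair dice are thrown and summed."""
    dist = {0: 1.0}
    for _ in range(n_dice):
        nxt = {}
        for total, p in dist.items():
            for face in range(1, 7):
                nxt[total + face] = nxt.get(total + face, 0.0) + p / 6
        dist = nxt
    return dist


def entropy_bits(dist):
    """Shannon entropy, in bits, of a probability distribution."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def dice_scheme_entropy(n_dice=17, rolls=20):
    """Bits of unpredictability in the OP's scheme (sum of 17 dice, 20 times).
    The sum is bell-shaped, not uniform, so one roll gives far less than
    log2(86) bits even though 86 different totals (17..102) are possible."""
    per_roll = entropy_bits(dice_sum_distribution(n_dice))
    return per_roll, per_roll * rolls


def dice_to_char(d1, d2, d3, alphabet=ALPHABET):
    """Map three fair dice to one character so every character is equally
    likely (the Diceware idea). Three dice give 216 equally likely outcomes;
    only the first 186 (= 3 * 62) are used, so each character gets exactly 3
    outcomes; any other outcome is discarded (None) and the dice are re-thrown."""
    n = (d1 - 1) * 36 + (d2 - 1) * 6 + (d3 - 1)  # 0..215, uniform
    if n >= 3 * len(alphabet):
        return None
    return alphabet[n % len(alphabet)]


def uniform_entropy_bits(length=20, alphabet=ALPHABET):
    """Entropy of a password whose characters are drawn uniformly."""
    return length * math.log2(len(alphabet))


def uniform_password(length=20, alphabet=ALPHABET):
    """Software equivalent: secrets.choice uses the OS CSPRNG and rejection sampling."""
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

With 17 dice per roll the per-roll entropy is a little under 5 bits, so 20 rolls yield roughly 97 bits rather than the 119 bits of 20 uniformly chosen alphanumeric characters.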
Offline RD

  • Naked Science Forum GOD!
  • *******
  • 9094
  • Activity:
    0%
  • Thanked: 163 times
Re: Generating a truly random password
« Reply #1 on: 11/10/2013 21:07:12 »
Dice can be used as a truly random number generator ... http://en.wikipedia.org/wiki/Diceware

10 truly random characters* are sufficient for an on-line password, as cracking it by brute force would take about ten million years with the speed of current technology ...
https://www.grc.com/haystack.htm

[ * upper case, lower case and numbers, definitely not containing a word in any dictionary ]

Trying to remember a truly random sequence is easier said than done.

« Last Edit: 11/10/2013 21:31:57 by RD »
Offline RD

Re: Generating a truly random password
« Reply #2 on: 11/10/2013 21:56:24 »
Quote from: syhprum on 11/10/2013 20:22:53
I understand that to be safe from the really sophisticated code crackers one needs to generate a truly random password of, say, 20 alphanumeric characters.
Could this be produced by shaking 17 dice 20 times and deducting 17 each time from the spot count?
Would this be overkill, or defenceless against thousands of GPUs?

I calculate this would give 3.876*10^38 combinations, but how truly random would it be?

Anything generated by fair dice will be truly random , (even if it were just one digit).

The search space for 20 alphanumeric characters (using upper and lower case) is 7.16 x 10^35,
which would take trillions of years to crack offline via brute force.

« Last Edit: 11/10/2013 22:05:07 by RD »
Offline CliffordK

Re: Generating a truly random password
« Reply #3 on: 12/10/2013 00:07:02 »
A few problems with passwords occur.

If you use the same password on all websites, then if one is cracked, then they are all cracked.  Always keep your core financial passwords different from something like a social media password.

However, if you have a dozen super-secure 20+ random character passwords, can you remember them all, or do they have to be written down?  How secure is your password tracking system?

What about password recovery systems?  Say you crack an e-mail system, then you send "recovery passwords" to that e-mail system.
Offline RD

Re: Generating a truly random password
« Reply #4 on: 12/10/2013 02:35:07 »
Quote from: CliffordK on 12/10/2013 00:07:02
However, if you have a dozen super-secure 20+ random character passwords,
 can you remember them all, or do they have to be written down?

A possible solution ... use md5(password+salt)

so you can write down a password, say "thenakedscientists" and commit the salt* to memory, say BI4IS926SB

so although you've written the password down as "thenakedscientists" the real password is ...
   md5(password+salt)
= md5(thenakedscientistsBI4IS926SB)
= cf151b0faa504e1af002c609e4f18802

If you're fussy convert the md5 result [which is hexadecimal] to base 64 ...

 cf151b0faa504e1af002c609e4f18802 [hexadecimal] =  zxUbD6pQThrwAsYJ5PGIAg==  [base 64]

Base64 can include upper and lower case letters, numbers and [a few] special characters,
 and will be 24 characters long if the input is a 32 character hexadecimal number, (md5 result always is). 

[ * you should make the salt as long as possible, preferably 14+ random characters ]


If you're wearing a tin-foil hat, iterate the above process ...

Quote from: wikipedia.org/Key_stretching
key = ""
for 1 to 65536 do
  key = hash(key + password + salt)
http://en.wikipedia.org/wiki/Key_stretching
« Last Edit: 12/10/2013 03:26:10 by RD »
Offline CliffordK

Re: Generating a truly random password
« Reply #5 on: 12/10/2013 04:37:02 »
If you know the encoding system, then your two-level encryption is no benefit.

So, for example, some wireless routers had a "pass phrase" that one could use to generate a WEP key.  But, then, knowing the primary encoding of the WEP key, then one would only need to search for the pass phrase.

Hex, of course, looks cryptic, but of course only uses 16 distinct characters, numbers from 0 to 9, and letters a to f.
Offline RD

Re: Generating a truly random password
« Reply #6 on: 12/10/2013 05:25:03 »
Quote from: CliffordK on 12/10/2013 04:37:02
If you know the encoding system, then your two-level encryption is no benefit.

Some password systems only allow 20 character passwords (or less),
in which case converting from hex to base64 would produce a more secure password.
Truncating both to the first 20 characters ...
cf151b0faa504e1af002     zxUbD6pQThrwAsYJ5PGI
the 20 character hexadecimal version has a much smaller search space
( using the off-line "massive Cracking Array Scenario": 20 character hex => 1 year, 20 character base64 => trillion centuries )
« Last Edit: 12/10/2013 05:29:51 by RD »
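An added example (not posted by anyone in the thread) that implements the md5(password+salt) scheme from Reply #4, the hex-to-base64 re-encoding, the quoted key-stretching loop, and the search-space comparison for truncated outputs from Reply #6. It also puts CliffordK's objection into numbers: if the written-down part and the encoding are known, the derived password can be no stronger than the memorised salt. The salt alphabet of 36 (upper case plus digits) is an assumption of this example.

```python
import base64
import hashlib
import math


def md5_hex(text: str) -> str:
    """MD5 of a string as 32 hex characters. MD5 is used only because that is
    the scheme the posts describe; today a memory-hard KDF (scrypt, Argon2)
    would be the normal choice for deriving a password from a secret."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def hex_to_base64(hex_digest: str) -> str:
    """Re-encode a hex digest as base64: 16 bytes -> 24 base64 characters."""
    return base64.b64encode(bytes.fromhex(hex_digest)).decode("ascii")


def derive_password(written: str, salt: str, iterations: int = 1) -> str:
    """RD's scheme: md5(written + salt). With iterations > 1 this follows the
    quoted key-stretching loop: key = hash(key + password + salt), repeated."""
    key = ""
    for _ in range(iterations):
        key = md5_hex(key + written + salt)
    return key


def search_space_bits(n_chars: int, alphabet_size: int) -> float:
    """log2 of the number of strings of n_chars over an alphabet of that size
    (e.g. 20 hex chars = 80 bits, 20 base64 chars = 120 bits)."""
    return n_chars * math.log2(alphabet_size)


def effective_strength_bits(salt: str, salt_alphabet_size: int,
                            output_chars: int, output_alphabet_size: int) -> float:
    """Upper bound on what a guesser faces (CliffordK's point): with the
    written-down part and the encoding known, the derived password is no
    stronger than the memorised salt, and truncating the output can only
    lower the bound further."""
    return min(search_space_bits(len(salt), salt_alphabet_size),
               search_space_bits(output_chars, output_alphabet_size))


if __name__ == "__main__":
    # Values from the thread: written password and memorised salt
    digest = derive_password("thenakedscientists", "BI4IS926SB")
    print(digest, hex_to_base64(digest))
    print(effective_strength_bits("BI4IS926SB", 36, 20, 64))
```

For the thread's 10-character upper-case-plus-digit salt the bound is about 52 bits, well below both the 80 bits of 20 hex characters and the 120 bits of 20 base64 characters, so lengthening the salt matters more than the output encoding.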
Offline evan_au

Re: What's the best way to generate a truly random password?
« Reply #7 on: 13/10/2013 20:44:49 »
Cracking a password with 20 alphanumeric characters is tough.
It is likely that an intruder would attack a more vulnerable part of the system, such as placing a keystroke recorder on your computer so it can forward the password to those wishing to monitor the communications.
Offline RD

Re: What's the best way to generate a truly random password?
« Reply #8 on: 14/10/2013 01:36:23 »
Quote from: evan_au on 13/10/2013 20:44:49
... an intruder would attack a more vulnerable part of the system ...

e.g. http://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis
Offline SimpleEngineer

Re: What's the best way to generate a truly random password?
« Reply #9 on: 21/10/2013 14:41:15 »
I would pay good money (well money anyway) for a USB that I carried around with me that..

a) created unique passwords for me
b) Remembered all passwords for all sites
c) changed that password each time i logged in
d) went on my key ring

Make this and you will make a fortune..

(A bit like the chip and pin machines you get from banks nowadays for internet banking)
 
Offline RD

Re: What's the best way to generate a truly random password?
« Reply #10 on: 21/10/2013 17:17:18 »
Quote from: SimpleEngineer on 21/10/2013 14:41:15
I would pay good money (well money anyway) for a USB that I carried around with me that..

a) created unique passwords for me
b) Remembered all passwords for all sites
c) changed that password each time i logged in
d) went on my key ring


a) KeePass, random.org, DuckDuckGo
b) Firefox Sync (which is free), but personally I don't use it: I'd prefer to store and encrypt my passwords myself.
c) N/A
d) http://www.amazon.co.uk/gp/customer-media/product-gallery/B005SP91UW/ref=cm_ciu_pdp_images_2/276-8359459-9890748?ie=UTF8&index=2
« Last Edit: 21/10/2013 17:25:05 by RD »
Offline Pmb

Re: What's the best way to generate a truly random password?
« Reply #11 on: 22/10/2013 01:43:44 »
Quote from: syhprum on 11/10/2013 20:22:53
I understand that to be safe from the really sophisticated code crackers one needs to generate a truly random password of say 20 alphanumeric characters.
could this be produced by shaking 17 dice 20 times and deducting 17 each time from the spot count.
would this be overkill or defenceless against thousands of GPU's

I calculate this would give 3.876*10^38 combinations but how truly random would it be ?
If I were to take you literally then I'd say the best way is to use a sample of radioactive material and set up around it a set of particle detectors, each of which stands for an alphanumeric character. Adjust the dosage so that the detectors will detect a particle every second or so. Since this is truly random, the password generated by a sequence of such detections will be perfectly random.
Offline RD

Re: What's the best way to generate a truly random password?
« Reply #12 on: 22/10/2013 02:38:36 »
Quote from: Pete on 22/10/2013 01:43:44
If I were to take you literally then I'd say the best way is to use a sample of radioactive material and set up around it a set of particle detectors, each of which stands for an alphanumeric character. Adjust the dosage so that the detectors will detect a particle every second or so. Since this is truly random, the password generated by a sequence of such detections will be perfectly random.

Someone has beaten you to it ... http://www.fourmilab.ch/hotbits/
Offline Pmb

Re: What's the best way to generate a truly random password?
« Reply #13 on: 22/10/2013 02:48:55 »
Quote from: RD on 22/10/2013 02:38:36
Quote from: Pete on 22/10/2013 01:43:44
If I were to take you literally then I'd say the best way is to use a sample of radioactive material and set up around it a set of particle detectors, each of which stands for an alphanumeric character. Adjust the dosage so that the detectors will detect a particle every second or so. Since this is truly random, the password generated by a sequence of such detections will be perfectly random.

Someone has beaten you to it ... http://www.fourmilab.ch/hotbits/

They've hardly beaten me since I never expected anybody to think I originated the idea. I heard of this being done decades ago. My only goal here was to merely say what the best way to do it was.
Offline SimpleEngineer

Re: What's the best way to generate a truly random password?
« Reply #14 on: 22/10/2013 14:59:13 »
Quote from: RD on 21/10/2013 17:17:18
Quote from: SimpleEngineer on 21/10/2013 14:41:15
I would pay good money (well money anyway) for a USB that I carried around with me that..

a) created unique passwords for me
b) Remembered all passwords for all sites
c) changed that password each time i logged in
d) went on my key ring


a) KeePass, random.org, DuckDuckGo
b) Firefox Sync (which is free), but personally I don't use it: I'd prefer to store and encrypt my passwords myself.
c) N/A
d) http://www.amazon.co.uk/gp/customer-media/product-gallery/B005SP91UW/ref=cm_ciu_pdp_images_2/276-8359459-9890748?ie=UTF8&index=2

LOL.. I did mean that it did it all with no input or interaction from me other than putting it in the slot (although for an added layer of security a fingerprint scanner would be nice).
Offline RD

Re: What's the best way to generate a truly random password?
« Reply #15 on: 22/10/2013 16:29:13 »
Quote from: SimpleEngineer on 22/10/2013 14:59:13
LOL.. I did mean that it did it all with no input or interaction with myself other than putting in the slot ...

Having an entire Operating System on a USB stick would be close.
I have Puppy Linux OS on a USB stick which uses "heavy" encryption.
[ don't bother with "light" encryption on Puppy Linux ]

Quote from: SimpleEngineer on 22/10/2013 14:59:13
... a fingerprint scanner would be nice ...

I did see a USB memory stick with an inbuilt fingerprint scanner.
However, if the window on the fingerprint scanner got sufficiently scratched it wouldn't be able to recognise your fingerprint and you'd be locked out.
« Last Edit: 22/10/2013 17:27:20 by RD »