can passphrase reach the strength of a good password
Relevant xkcd: https://xkcd.com/936/
I’d love to hear from someone well versed in security if this is legit or significant weaknesses exist, but the math seems to check out as far as I can tell.
A loosely moderated place to ask open-ended questions
If your post meets the following criteria, it's welcome here!
Looking for support?
Looking for a community?
~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~
can passphrase reach the strength of a good password
Relevant xkcd: https://xkcd.com/936/
I’d love to hear from someone well versed in security if this is legit or significant weaknesses exist, but the math seems to check out as far as I can tell.
For what a civilian target would worry about, using sufficiently long passwords is your best defense. Complexity is barely important.
111111111111111111111111111.1111 is an excellent password.
Everyone should Ctrl+f their password here. But also wait the 10 minutes it'll take to load the whole thing.
If your pw is on this list, change it immediately.
If it's less than 8 chars? Change immediately. If it's less than 10 chars? Change... Now.
If it's less than 14 chars, consider just making your password longer.
This advice will save more people in its simplicity than saying more.
Want a smidge more?
If you're paranoid, take a password that you think is decent, then insert it here, then use the output as your password.
Most times, pws aren't stored in plain text, they're stored using that algorithm. So, if your password is 'password', hackers night easily be able to see that your passwords encrypted value is exactly what that link will output if you put in 'password'. If your password is on that huge list from the beginning of the post, they can easily decrypt the encrypted password, because these passwords's hashes are known.
So, use the hash itself as a password.
Hell, throw a comma at the beginning to throw it off.
That's basically a Diceware passphrase. And, it's kinda ok. The amount of entropy is pretty significant (close to what the comic lists, if the Wikipedia article has it right). And it's really easy to add more entropy. I often recommend passphrases to my users (I work in Cybersecurity) and use them myself. Take a sentence, with spaces, capitals and punctuation. Now throw in a few numbers for fun and stop worrying about brute force attacks, until some idiot decides unsalted MD5 is perfectly fine for storing passwords. Most such passphrases will blow right past the 4 words in that comic and are very easy to remember. Even better, make that the passphrase for your password vault (oh look a plug for KeePass). Then have the rest of your passwords all be unique, 20 character jumbles of letters, numbers, and special characters.
Also, enable Two-Factor Authentication (2FA) wherever possible. Even if it's just a One Time Password (OTP) sent via SMS (which is a shit way to do 2FA), that's better than no 2FA.
My cybersecurity prof at uni showed us this xkcd during class lol
most people use password managers
You don’t know many boomers, do you?
According to security.org survey data, in 2021, 22% of Americans said they used a password manager, but in 2023, the percentage increased to 34% with a further 10% of users saying they use a security passkey or other physical password device.
So in the most generous interpretation of that, just over half of people are not doing anything secure.
Yes, I use passphrases for stuff like my password manager, my computer login, and my disk encryption. For my login (which I type a lot) it's four words; for occasional stuff like disk encryption it's six. I'm sold on the argument that a passphrase is way easier to memorize compared to a comparably-secure random password.
The number of possible passphrases is the number of words in the dictionary you use to generate passphrases raised to the power of the number of words in your passphrase (assuming a small chance of reusing the same word in a passphrase). I use this command to generate a random phrase using my stock OS word list:
grep -v '[^a-z]' $WORDLIST | shuf --random-source=/dev/urandom | head -n5 | paste -sd ' '
grep -v '[^a-z]' $WORDLIST
filters out words with apostrophes or other weirdness. On my system the filtered list is 77,866 words.
For four words, 77,866 ^ 4 ≈ 3.7 × 10^19 possible passphrases.
Compare that to randomly-generated passwords. I'll assume that random lowercase & uppercase letters, numbers, and symbols add up to 46 characters. The number of combinations is 46^n where n is the length of the password. A four-word passphrase is the same order of magnitude as secure as a 12-character password, which has about 9 × 10^19 possible combinations.
I'm sure that if you make up your own passphrases instead of randomly generating them then the security is much lower.
Very similar heuristic here, insofar as when to use passphrases and how long.
LUKS and Bitlocker volumes get 8 words, computer logins usually get 4 words (potentially more depending on frequency/criticality of system).
Smartcards and mobile devices do have numeric pins due to frequency of use and relative difficulty in copying those for offline attacks.
Websites that are filled in w/ password manager get passwords get the random symbol-laden strings that 'meet requirements'
correct horse battery staple?
I made a passphrase for my laptop in bitwarden and didn't think I'd remember the 10 word passphrase but after a few days of typing it I now remember it. All other alphanumeric passwords I would need a keyboard in order to type it out if I remember
I use passphrases for frequently used logins and randomly-generated passwords of varying lengths for everything else. I also use a hardware key and/or 2FA for everything that allows it.
I'm conversationally fluent in a few different languages (enough to order food, greet people and ask directions to the shitter, anyway) and I can swear in another half-dozen languages so I tend to mix'n'match my passphrases with different foreign words. Bonus points for accented characters. That's probably not gonna fool a dictionary-based attack but since I live in a (mostly) English-speaking country, it might make it interesting for the English-only speakers to try guessing.
At work, we're held to the outdated policy set by the IT department so it can be difficult to be creative. On top of that, they force a password change whenever someone sneezes so I see a lot of sticky notes on monitors and under keyboards.
Edit: spelling and grammar.
I once had to change a password every 30 days.
And it couldn't be a password I'd used before. Along with ridiculous requirements (but not as ridiculous as the 30 day thing).
You'd think it was a password to get into the NSA's database or something.
Nope, just a (not very) random website.
I do. It's worth it because there are some sites that are so outdated that their version of security is to not allow pasting (or filling in via pw manager) on password fields, so I have to manually type them in. Typing in a passphrase is easier and faster than a random string.
For my personal life I use a password manager, like most people in this thread. For my master password I really want a secure password (LastPass really reinforced the value of that), so I use a passphrase that is then hashed using an algorithm I can do in my head, so it's a long string of high entropy alphanumeric gibberish that I can remember easily.
At work my IT dept seems to be stuck 10 years in the past, so they have now implemented a policy that our passwords must be at least 16 characters. They keep ignoring my suggestions to get some form of corporate password manager, so I have my work passwords stored in a text file that I'm not allowed to have any form of file encryption so it just sits there in my documents folder. It's probably not going to be the source of our company getting penetrated, but I don't consider it secure.
I do like pass phrases because I find them easy to remember, but my current prime work one is really easy to make typos, so I now use the reveal password button more than I ever have before.
At work, if you have the option, consider using KeePassXC or similar software. That will give you a properly encrypted file with secrets and also password-manager features.
I use an open source password manager and long random passwords for most things.
my master password is a long phrase though, as well as any I have to type personally sometimes. passphrases are so much easier to type as well
I found it amusing when the security team in my company sent me parts of my password in plaintext saying it was insecure (because it didn't have special characters in it) and recommended I use a password manager
The account is used for the ancient VPN software and all of our ssh management tools
And windows login if you're using windows.
Yeah good luck using a randomly generated password that you have to type in multiple times everyday
Isn't the bigger issue here that they can see the plaintext password?
Yeah I actually gave them shit about it and they just handwaved it away
The account is used for the ancient VPN software and all of our ssh management tools
And windows login if you’re using windows.
If you're using one password for all those things, you're doing it wrong. Even if the passphrases you pick are easy to remember and type, they should be distinct.
Disk encryption, computer login, and password manager are pass phrase + random characters stored on a pin protected OnlyKey and/or Mooltipass.
Regular passwords are just random characters up to min(max_len, 128)
.
I use a passphrase in order to get into my password manager, but that's it. Because my password manager handles all the rest of them and makes it way more random than I could ever dream of.
Bitwarden can generate password phrases. Some other password managers too. In the occasion you have to type out your password a password phrase is a lot easier.
I do use a password manager, and a lot of my passwords are automatically generated piles of random ASCII.
There are of course passwords I have to key manually a lot; especially the master key of my password database. I often use pass phrases for these. The ones I have to commit to memory, or even need to key manually reading with my eyes from my database, or in the case of my Wi-Fi passwords tell to other people, I make these fairly human readable/typeable. Trying to key lFqvC3]gI~l8p2V6TvTY&p in is a pain in the ass even in a font that renders that uppercase I and lowercase L as different glyphs. Something like corrEct_horse battery staPle, well I worked in an underscore and two capitals in something I can still touch type pretty effectively. Don't use correct horse battery staple as a password; it's burned.
I'm a big car guy so I typically use car makes and models but never ones I actually own, usually I'll go with some like SubaruImprezaWrxSti2012 except I scramble the order of the words and throw the year in a random position. This is really easy to remember while also being long and insane enough to be difficult to guess.
https://bitwarden.com/password-strength/
Test it here. Passphrases of 3 words take centuries to crack, without any numbers or capital letters. Passwords with numbers, capital letters, and symbols need ~14 characters to be that secure. If you need to memorize it, a passphrase is far superior. Add in a number, or random capitalization, or a misspelling and your security goes even higher.
One caveat I'd want to note is for the underlying methodology that uses:
As this study by Joseph Bonneau attests, people frequently choose common phrases in addition to common words. zxcvbn would be better if it recognized "Harry Potter" as a common phrase, rather than a semi-common name and surname. Google's n-gram corpus fits in a terabyte, and even a good bigram list is impractical to download browser-side, so this functionality would require server-side evaluation and infrastructure cost. Server-side evaluation would also allow a much larger single-word dictionary, such as Google's unigram set.
As another example, the passphrase "This password is good" is claimed to take centuries to crack, but if the search space were narrowed down from a sequence of words to grammatically correct sentences, certain passphrases would be much weaker than this would show.
You should indeed use a password manager to randomize the generated password phrases. Bitwarden adds capitals, numbers and other characters to the password phrases.
Use diceware to generate a nice long nonsense passphrase, and use that for your password manager master password. Keep it written down somewhere until you are sure you've memorized it.