Nowadays, most people use password managers (hopefully). However, there are still some passwords that you need to memorize, like master password (for a password manager), phone lock, wifi password, etc.

Security wise, can passphrase reach the strength of a good password without getting so long that it defeats the purpose of even using it?

  • hallettj
    link
    fedilink
    English
    139 months ago

    Yes, I use passphrases for stuff like my password manager, my computer login, and my disk encryption. For my login (which I type a lot) it’s four words; for occasional stuff like disk encryption it’s six. I’m sold on the argument that a passphrase is way easier to memorize compared to a comparably-secure random password.

    The number of possible passphrases is the number of words in the dictionary you use to generate passphrases raised to the power of the number of words in your passphrase (assuming a small chance of reusing the same word in a passphrase). I use this command to generate a random phrase using my stock OS word list:

    grep -v '[^a-z]' $WORDLIST | shuf --random-source=/dev/urandom | head -n5 | paste -sd ' '
    

    grep -v '[^a-z]' $WORDLIST filters out words with apostrophes or other weirdness. On my system the filtered list is 77,866 words.

    For four words, 77,866 ^ 4 ≈ 3.7 × 10^19 possible passphrases.

    Compare that to randomly-generated passwords. I’ll assume that random lowercase & uppercase letters, numbers, and symbols add up to 46 characters. The number of combinations is 46^n where n is the length of the password. A four-word passphrase is the same order of magnitude as secure as a 12-character password, which has about 9 × 10^19 possible combinations.

    I’m sure that if you make up your own passphrases instead of randomly generating them then the security is much lower.

    • @[email protected]
      link
      fedilink
      29 months ago

      Very similar heuristic here, insofar as when to use passphrases and how long.

      LUKS and Bitlocker volumes get 8 words, computer logins usually get 4 words (potentially more depending on frequency/criticality of system).

      Smartcards and mobile devices do have numeric pins due to frequency of use and relative difficulty in copying those for offline attacks.

      Websites that are filled in w/ password manager get passwords get the random symbol-laden strings that ‘meet requirements’