Nowadays, most people use password managers (hopefully). However, there are still some passwords that you need to memorize, like a master password (for a password manager), a phone lock, a wifi password, etc.

Security-wise, can a passphrase reach the strength of a good password without getting so long that it defeats the purpose of even using it?

  • @frogmint@beehaw.org
    59 months ago

    https://bitwarden.com/password-strength/

    Test it here. Passphrases of 3 words take centuries to crack, without any numbers or capital letters. Passwords with numbers, capital letters, and symbols need ~14 characters to be that secure. If you need to memorize it, a passphrase is far superior. Add in a number, or random capitalization, or a misspelling and your security goes even higher.

    • @AndrasKrigare@beehaw.org
      89 months ago

      One caveat I’d want to note is from the underlying methodology it uses:

      As this study by Joseph Bonneau attests, people frequently choose common phrases in addition to common words. zxcvbn would be better if it recognized “Harry Potter” as a common phrase, rather than a semi-common name and surname. Google’s n-gram corpus fits in a terabyte, and even a good bigram list is impractical to download browser-side, so this functionality would require server-side evaluation and infrastructure cost. Server-side evaluation would also allow a much larger single-word dictionary, such as Google’s unigram set.

      As another example, the passphrase “This password is good” is claimed to take centuries to crack, but if the search space were narrowed down from a sequence of words to grammatically correct sentences, certain passphrases would be much weaker than this would show.
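The comparison above (random words versus a character-class password, and the effect of an attacker who only tries grammatical sentences) can be put in numbers. The following is an added example, not code from any commenter and not Bitwarden's or zxcvbn's own estimator. Its parameters are assumptions chosen for illustration: a 7776-entry word list (Diceware size), 94 printable ASCII symbols for the character password, four small part-of-speech lists for the "grammatical sentence" attacker, and an assumed offline guess rate of 10 billion per second. It only models uniformly random choices; it does not score a specific string the way the linked page does.

```python
import math

# Constructed assumptions for the illustration (not figures from the thread).
WORDLIST_SIZE = 7776            # a Diceware-style list: 6^5 entries
PRINTABLE_ASCII = 94            # upper, lower, digits, punctuation
GUESSES_PER_SECOND = 1e10       # assumed offline rate against a fast hash
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def passphrase_entropy_bits(num_words, wordlist_size=WORDLIST_SIZE,
                            random_caps=False, appended_digits=0):
    """Entropy of num_words words drawn uniformly and independently.

    random_caps: each word is independently capitalised or not (+1 bit/word).
    appended_digits: uniformly random decimal digits added (+log2(10) each).
    """
    bits = num_words * math.log2(wordlist_size)
    if random_caps:
        bits += num_words
    bits += appended_digits * math.log2(10)
    return bits


def password_entropy_bits(length, alphabet_size=PRINTABLE_ASCII):
    """Entropy of a length-character password drawn uniformly over the alphabet."""
    return length * math.log2(alphabet_size)


def sentence_template_entropy_bits(slot_sizes):
    """Entropy seen by an attacker who knows the secret is a sentence built from
    fixed grammatical slots and who has a word list per slot.  Only the choice
    within each slot contributes, so a 4-word sentence can be far weaker than
    4 words drawn from the full list."""
    return sum(math.log2(n) for n in slot_sizes)


def expected_crack_years(bits, guesses_per_second=GUESSES_PER_SECOND):
    """Expected time to hit the secret: on average half the space is searched."""
    seconds = (2.0 ** bits) / 2.0 / guesses_per_second
    return seconds / SECONDS_PER_YEAR


def compare():
    """Return the scenarios discussed in the thread as a dict of entropy bits."""
    return {
        "3 random words": passphrase_entropy_bits(3),
        "3 random words + caps + 1 digit": passphrase_entropy_bits(
            3, random_caps=True, appended_digits=1),
        "4 random words": passphrase_entropy_bits(4),
        "14-char random password": password_entropy_bits(14),
        # Assumed slot sizes: determiner, noun, verb, adjective
        # ("This password is good" shaped sentences).
        "4-slot grammatical sentence": sentence_template_entropy_bits(
            [20, 50, 30, 40]),
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:32s} {bits:6.1f} bits  "
              f"~{expected_crack_years(bits):.3g} years at "
              f"{GUESSES_PER_SECOND:.0e} guesses/s")
```

The crack-time column scales directly with the assumed guess rate, which is why online estimators report very different numbers from an offline attack against an unsalted fast hash; the entropy column is the part that does not depend on that assumption. The last row is the point of the comment above: the same four words are worth much less once the attacker restricts the search to sentences built from small per-slot lists.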

      • @Schlemmy@lemmy.ml
        29 months ago

        You should indeed use a password manager to randomize the generated password phrases. Bitwarden adds capitals, numbers and other characters to the password phrases.