Nowadays, most people use password managers (hopefully). However, there are still some passwords that you need to memorize, like master password (for a password manager), phone lock, wifi password, etc.

Security wise, can passphrase reach the strength of a good password without getting so long that it defeats the purpose of even using it?

  • xmunk@sh.itjust.works
    link
    fedilink
    arrow-up
    0
    ·
    9 months ago

    I use a leetified (using my own custom flavor) passphrase as my master password - I can type it really quickly and it’s obscure as hell so I’m happy with it.

  • Kahnares@lemmy.ml
    link
    fedilink
    arrow-up
    0
    ·
    edit-2
    9 months ago

    I use passphrases for frequently used logins and randomly-generated passwords of varying lengths for everything else. I also use a hardware key and/or 2FA for everything that allows it.

    I’m conversationally fluent in a few different languages (enough to order food, greet people and ask directions to the shitter, anyway) and I can swear in another half-dozen languages so I tend to mix’n’match my passphrases with different foreign words. Bonus points for accented characters. That’s probably not gonna fool a dictionary-based attack but since I live in a (mostly) English-speaking country, it might make it interesting for the English-only speakers to try guessing.

    At work, we’re held to the outdated policy set by the IT department so it can be difficult to be creative. On top of that, they force a password change whenever someone sneezes so I see a lot of sticky notes on monitors and under keyboards.

    Edit: spelling and grammar.

    • acetanilide@lemmy.world
      link
      fedilink
      arrow-up
      0
      ·
      9 months ago

      I once had to change a password every 30 days.

      And it couldn’t be a password I’d used before. Along with ridiculous requirements (but not as ridiculous as the 30 day thing).

      You’d think it was a password to get into the NSA’s database or something.

      Nope, just a (not very) random website.

  • deranger@sh.itjust.works
    link
    fedilink
    arrow-up
    0
    ·
    edit-2
    9 months ago

    can passphrase reach the strength of a good password

    Relevant xkcd: https://xkcd.com/936/

    I’d love to hear from someone well versed in security if this is legit or significant weaknesses exist, but the math seems to check out as far as I can tell.

    • foggy@lemmy.world
      link
      fedilink
      arrow-up
      0
      ·
      edit-2
      9 months ago

      For what a civilian target would worry about, using sufficiently long passwords is your best defense. Complexity is barely important.

      111111111111111111111111111.1111 is an excellent password.

      Everyone should Ctrl+f their password here. But also wait the 10 minutes it’ll take to load the whole thing.

      If your pw is on this list, change it immediately.

      If it’s less than 8 chars? Change immediately. If it’s less than 10 chars? Change… Now.

      If it’s less than 14 chars, consider just making your password longer.

      This advice will save more people in its simplicity than saying more.


      Want a smidge more?

      If you’re paranoid, take a password that you think is decent, then insert it here, then use the output as your password.

      Most times, pws aren’t stored in plain text, they’re stored using that algorithm. So, if your password is ‘password’, hackers night easily be able to see that your passwords encrypted value is exactly what that link will output if you put in ‘password’. If your password is on that huge list from the beginning of the post, they can easily decrypt the encrypted password, because these passwords’s hashes are known.

      So, use the hash itself as a password.

      Hell, throw a comma at the beginning to throw it off.

      • ∟⊔⊤∦∣≶@lemmy.nz
        link
        fedilink
        arrow-up
        0
        ·
        9 months ago

        using sufficiently long passwords is your best defense

        No, using 2FA is your best defense, along with wise recovery questions. It matters nothing if you know someone’s password, but can’t get the 2FA code.

    • sylver_dragon@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      9 months ago

      That’s basically a Diceware passphrase. And, it’s kinda ok. The amount of entropy is pretty significant (close to what the comic lists, if the Wikipedia article has it right). And it’s really easy to add more entropy. I often recommend passphrases to my users (I work in Cybersecurity) and use them myself. Take a sentence, with spaces, capitals and punctuation. Now throw in a few numbers for fun and stop worrying about brute force attacks, until some idiot decides unsalted MD5 is perfectly fine for storing passwords. Most such passphrases will blow right past the 4 words in that comic and are very easy to remember. Even better, make that the passphrase for your password vault (oh look a plug for KeePass). Then have the rest of your passwords all be unique, 20 character jumbles of letters, numbers, and special characters.

      Also, enable Two-Factor Authentication (2FA) wherever possible. Even if it’s just a One Time Password (OTP) sent via SMS (which is a shit way to do 2FA), that’s better than no 2FA.

    • Corroded@leminal.space
      link
      fedilink
      English
      arrow-up
      0
      ·
      9 months ago

      I feel like you could still run into the issue of dictionary attacks. For example before it brute forces it’s way to the word horse it might just try the word horse.

      • birdcat@lemmy.ml
        link
        fedilink
        arrow-up
        0
        ·
        9 months ago

        i also dont really get it. the bitwarden pw tester says it will take 14 years to crack “its.a.beautiful.day”, write beautiful with 2 t`s and it will take “centuries”? 🧐

        but yes i still use them. but always with numbers and random characters in between and words from multiple languages or fantasy words.

        • dzaffaires@sh.itjust.works
          link
          fedilink
          arrow-up
          0
          ·
          edit-2
          9 months ago

          That would be because the pattern on the first password are correctly spelled words and the way passwords are cracked offline (when there’s a leak of data being sold somewhere) is that they use dictionary attacks.

          This means that a big file containing all known words, and can also include known used passwords from past leaks, is used to try a lot of combinations. A combination of good words that appear 1:1 in these word lists will score way lower in terms of difficulty for a computer to crack. A simple script can add spaces and periods (like your example) between words and they WOULD get your password. By adding only one random character that doesn’t fit a pattern (just like your second ‘t’), you basically force the cracker to try all possible combinations of all characters for the length of your password, which is WAY more difficult.

          TLDR: There are more combinations of aaaaaaa, aaaaaab, aaaaaac then there are of matching words together for the same length of password (one.one, one.two, one.three)

          • 4am@lemm.ee
            link
            fedilink
            arrow-up
            0
            ·
            9 months ago

            In other words, don’t use “correct horse battery staple” because that’s probably in every word list by now

          • birdcat@lemmy.ml
            link
            fedilink
            arrow-up
            0
            ·
            edit-2
            9 months ago

            but even 14 years seems long for a pharase that is said and written millions of times per day. and if those crackers can make billions of guesses per second how can they not guess both variants within minutes?

            related question. how to make a good password bettter? adding a few extra special symbols like “µ£₹” or one long word like “freshwatercrocodiletesticles”?

      • NaN@lemmy.sdf.org
        link
        fedilink
        English
        arrow-up
        0
        ·
        edit-2
        9 months ago

        Because a hash doesn’t work like a password cracker in a movie. It can try horse, but unless it gets the whole thing correct it doesn’t know any individual part of it.

      • 4am@lemm.ee
        link
        fedilink
        arrow-up
        0
        ·
        9 months ago

        If your services are storing passwords properly with a salt, dictionary attacks (including rainbow tables) are just as time-consuming to perform, since the salt renders each password hash unique; even for the same passwords.

        So the same principle still stands; the longer your password, the longer to guess - as long as the encryption-at-rest is done correctly.

      • saigot@lemmy.ca
        link
        fedilink
        arrow-up
        0
        ·
        edit-2
        9 months ago

        Dictionary attacks have been around for a long time, but It’s still quite strong especially if you throw in a number.

        A fully random 8 character password has about 10^14 brute force combinations (assuming upper and lower case + the normal special characters). 4 words choosen at random from the top 3000 words (which is a very small vocabulary really) is 10^13 dictionary attack combinations, add a single number or account for variations in word style (I.e maybe don’t always use camel case) and you’ve matched the difficulty. If you use 5 words it’s 10^17 combinations.

        (This is basicly copy pasted from a comment I made earlier)

      • Zagorath@aussie.zone
        link
        fedilink
        English
        arrow-up
        0
        ·
        9 months ago

        In the linked comic, Munroe assumes an attacker knows your method. The attacker isn’t brute forcing character-by-character, but word-by-word, with an attacker who already knows you’re using 4 random words.

    • Zagorath@aussie.zone
      link
      fedilink
      English
      arrow-up
      0
      ·
      9 months ago

      Best I can find,

      According to security.org survey data, in 2021, 22% of Americans said they used a password manager, but in 2023, the percentage increased to 34% with a further 10% of users saying they use a security passkey or other physical password device.

      So in the most generous interpretation of that, just over half of people are not doing anything secure.

  • death is close@procial.tchncs.de
    link
    fedilink
    arrow-up
    0
    ·
    9 months ago

    @Wistful@discuss.tchncs.de Why would the passphrase being long defeat the purpose of using it. That’s half the purpose of using passphrases.
    Make sure to use made up words or proper nouns and put a pin in an unexpected place. That’s an easy way to change it without replacing the whole passphrase

    • Wistful@discuss.tchncs.deOP
      link
      fedilink
      arrow-up
      0
      ·
      9 months ago

      I was thinking it would be easy to brute force if just instead of guessing character by character you do word by word…but I guess just adding one special character randomly would make it a non issue.

      • Revan343@lemmy.ca
        link
        fedilink
        arrow-up
        0
        ·
        9 months ago

        There are a lot more words than there are characters, even including special characters, so if it is actually randomly generated from a large dictionary, a passphrase is much harder to guess

  • hallettj@leminal.space
    link
    fedilink
    English
    arrow-up
    0
    ·
    9 months ago

    Yes, I use passphrases for stuff like my password manager, my computer login, and my disk encryption. For my login (which I type a lot) it’s four words; for occasional stuff like disk encryption it’s six. I’m sold on the argument that a passphrase is way easier to memorize compared to a comparably-secure random password.

    The number of possible passphrases is the number of words in the dictionary you use to generate passphrases raised to the power of the number of words in your passphrase (assuming a small chance of reusing the same word in a passphrase). I use this command to generate a random phrase using my stock OS word list:

    grep -v '[^a-z]' $WORDLIST | shuf --random-source=/dev/urandom | head -n5 | paste -sd ' '
    

    grep -v '[^a-z]' $WORDLIST filters out words with apostrophes or other weirdness. On my system the filtered list is 77,866 words.

    For four words, 77,866 ^ 4 ≈ 3.7 × 10^19 possible passphrases.

    Compare that to randomly-generated passwords. I’ll assume that random lowercase & uppercase letters, numbers, and symbols add up to 46 characters. The number of combinations is 46^n where n is the length of the password. A four-word passphrase is the same order of magnitude as secure as a 12-character password, which has about 9 × 10^19 possible combinations.

    I’m sure that if you make up your own passphrases instead of randomly generating them then the security is much lower.

    • mlaga97@lemmy.mlaga97.space
      link
      fedilink
      arrow-up
      0
      ·
      9 months ago

      Very similar heuristic here, insofar as when to use passphrases and how long.

      LUKS and Bitlocker volumes get 8 words, computer logins usually get 4 words (potentially more depending on frequency/criticality of system).

      Smartcards and mobile devices do have numeric pins due to frequency of use and relative difficulty in copying those for offline attacks.

      Websites that are filled in w/ password manager get passwords get the random symbol-laden strings that ‘meet requirements’

  • ∟⊔⊤∦∣≶@lemmy.nz
    link
    fedilink
    arrow-up
    0
    ·
    edit-2
    9 months ago

    Define ‘strength’… against a dictionary attack? Brute force? Social engineering? ‘forgotten password/recovery questions’ hack? Stolen session cookie? Keyloggers?

    If you’re not aware of the above, take some time to learn about each of those things and how good security practices counter each one.

    The question is kind of like, ‘can you bake a cake?’ … probably yes, but it’s really missing a lot of essential information, like what kind of oven, what ingredients do you have, what’s your skill level, do you have arms, etc.

    Any ‘passphrase’ can be secure or insecure, depending on the other surrounding factors. 2FA solves many security weaknesses.

    • Zagorath@aussie.zone
      link
      fedilink
      English
      arrow-up
      0
      ·
      9 months ago

      forgotten password/recovery questions

      This is the security industry’s dirty little secret that doesn’t get talked about in public enough.

      All the excellent security on a site, including complex passwords, perfectly secure storage of a salted hash of that password, multifactor authentication using TOTP, etc., is completely moot if someone can just hit “I forgot my password” (or “I don’t have my second factor”) and bypass it by doing an email loop. You instead rely on the security of the user’s email account.

  • sloppy_diffuser@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    9 months ago

    Disk encryption, computer login, and password manager are pass phrase + random characters stored on a pin protected OnlyKey and/or Mooltipass.

    Regular passwords are just random characters up to min(max_len, 128).

  • electric_nan@lemmy.ml
    link
    fedilink
    arrow-up
    0
    ·
    9 months ago

    Use diceware to generate a nice long nonsense passphrase, and use that for your password manager master password. Keep it written down somewhere until you are sure you’ve memorized it.

  • edric@lemm.ee
    link
    fedilink
    English
    arrow-up
    0
    ·
    9 months ago

    I do. It’s worth it because there are some sites that are so outdated that their version of security is to not allow pasting (or filling in via pw manager) on password fields, so I have to manually type them in. Typing in a passphrase is easier and faster than a random string.

  • DudeDudenson@lemmings.world
    link
    fedilink
    arrow-up
    0
    ·
    9 months ago

    I found it amusing when the security team in my company sent me parts of my password in plaintext saying it was insecure (because it didn’t have special characters in it) and recommended I use a password manager

    The account is used for the ancient VPN software and all of our ssh management tools

    And windows login if you’re using windows.

    Yeah good luck using a randomly generated password that you have to type in multiple times everyday

    • sylver_dragon@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      9 months ago

      The account is used for the ancient VPN software and all of our ssh management tools

      And windows login if you’re using windows.

      If you’re using one password for all those things, you’re doing it wrong. Even if the passphrases you pick are easy to remember and type, they should be distinct.

  • Vanth@reddthat.com
    link
    fedilink
    English
    arrow-up
    0
    ·
    9 months ago

    Yep, I use phrases for passwords like for managers and phones. I craft them not just for ease of remembering, but also ease of typing. I don’t care that it’s a really long phrase if I can type it quickly.

  • Imgonnatrythis@sh.itjust.works
    link
    fedilink
    arrow-up
    0
    ·
    9 months ago

    Ok, this is a reasonable community to ask. What’s a FOSS pword manager that is easy to use, reliable, likely to be around and working in 5 years, and won’t leave me feeling shit up a creek if my phone dies or I’m using a public terminal with software installation restrictions? Been a few years, but I had not found something that worked well for me.

    • Nix@merv.news
      link
      fedilink
      English
      arrow-up
      0
      ·
      9 months ago

      ProtonPass. They’re a company thats been around for a while now, has multiple revenue streams, and has a food track record on security and open sourcing.

      Another one is Bitwarden but iirc they only have the one revenue source although iirc its a tiny team so they dont need much

    • pixelscript@lemmy.ml
      link
      fedilink
      English
      arrow-up
      0
      ·
      9 months ago

      What’s a FOSS pword manager

      There are probably more that these two out there but the two I know of that fit this bill are Bitwarden and KeePass. The latter comes in two flavors, the original KeePass that kinda looks like shit and tries to stay lean and defer niche features to plugins, and the fork KeePassXC that tries to give it a sleeker UX with more features natively baked-in. I will refer to both simply as “KeePass” for the rest of this comment.

      that is easy to use

      “Easy to use” is relative. If you’re savvy enough to know what FOSS software even is, to care about using it, and to find your way onto an experimental platform like Lemmy to ask about it, I’d say youre more than capable of handling either of the above choices with ease.

      reliable, likely to be around and working in 5 years

      I’d wager that on both Bitwarden and KeePass.

      and won’t leave me feeling shit up a creek if my phone dies or I’m using a public terminal with software installation restrictions

      Bitwarden offers free cloud hosting and a web interface. As long as you have access to a browser and an Internet connection, you have access to your Bitwarden key store.

      KeePass is offline-only and requires specialized client software to read its key store file format. Though, since all it is is a file, you can use simple and straightforward methods to make it accessible wherever you need it. Copy it to a flash drive. SCP it between devices. Put it on a cloud service like Dropbox. You have options. It’s just up to you to use them.

      Bitwarden also lets you save locally stored files and manage them like KeePass, if you’re into that.

      Honestly, since each can be made to more or less behave like the other, which one you pick largely comes down to taste. Bitwarden is more turn-key if you want cloud hosting, KeePass makes you work for it. Bitwarden is a company providing a premium service you can buy, while KeePass is a completely free project funded only by good will donations.

      I prefer KeePassXC, personally.

  • Captain Aggravated@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    0
    ·
    9 months ago

    I do use a password manager, and a lot of my passwords are automatically generated piles of random ASCII.

    There are of course passwords I have to key manually a lot; especially the master key of my password database. I often use pass phrases for these. The ones I have to commit to memory, or even need to key manually reading with my eyes from my database, or in the case of my Wi-Fi passwords tell to other people, I make these fairly human readable/typeable. Trying to key lFqvC3]gI~l8p2V6TvTY&p in is a pain in the ass even in a font that renders that uppercase I and lowercase L as different glyphs. Something like corrEct_horse battery staPle, well I worked in an underscore and two capitals in something I can still touch type pretty effectively. Don’t use correct horse battery staple as a password; it’s burned.