this post was submitted on 19 Mar 2024
77 points (94.3% liked)

Asklemmy

43736 readers
1122 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy ๐Ÿ”

If your post meets the following criteria, it's welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

~Icon~ ~by~ ~@Double_[email protected]~

founded 5 years ago
MODERATORS
 

Nowadays, most people use password managers (hopefully). However, there are still some passwords that you need to memorize, like master password (for a password manager), phone lock, wifi password, etc.

Security wise, can passphrase reach the strength of a good password without getting so long that it defeats the purpose of even using it?

you are viewing a single comment's thread
view the rest of the comments
[โ€“] [email protected] 17 points 7 months ago (1 children)

Yes, I use passphrases for stuff like my password manager, my computer login, and my disk encryption. For my login (which I type a lot) it's four words; for occasional stuff like disk encryption it's six. I'm sold on the argument that a passphrase is way easier to memorize compared to a comparably-secure random password.

The number of possible passphrases is the number of words in the dictionary you use to generate passphrases raised to the power of the number of words in your passphrase (assuming a small chance of reusing the same word in a passphrase). I use this command to generate a random phrase using my stock OS word list:

grep -v '[^a-z]' $WORDLIST | shuf --random-source=/dev/urandom | head -n5 | paste -sd ' '

grep -v '[^a-z]' $WORDLIST filters out words with apostrophes or other weirdness. On my system the filtered list is 77,866 words.

For four words, 77,866 ^ 4 โ‰ˆ 3.7 ร— 10^19 possible passphrases.

Compare that to randomly-generated passwords. I'll assume that random lowercase & uppercase letters, numbers, and symbols add up to 46 characters. The number of combinations is 46^n where n is the length of the password. A four-word passphrase is the same order of magnitude as secure as a 12-character password, which has about 9 ร— 10^19 possible combinations.

I'm sure that if you make up your own passphrases instead of randomly generating them then the security is much lower.

[โ€“] [email protected] 3 points 7 months ago

Very similar heuristic here, insofar as when to use passphrases and how long.

LUKS and Bitlocker volumes get 8 words, computer logins usually get 4 words (potentially more depending on frequency/criticality of system).

Smartcards and mobile devices do have numeric pins due to frequency of use and relative difficulty in copying those for offline attacks.

Websites that are filled in w/ password manager get passwords get the random symbol-laden strings that 'meet requirements'