Q: Are passphrases really more secure than cryptographically random passwords? 🤔
I have to wonder… It should be possible to do “passphrase” attacks just like “dictionary” attacks? How is a “phrase” any different to the character set you can type? Sure there are more possible “words” (at least) in the English language, but I’m not convinced.
@firstname.lastname@example.org They can be more secure or not. It depends on how long it is, just like a string of random characters. You can also add some random special characters into the passphrase to throw off an attacker.
The main benefit of a passphrase is the relative ease at which it is memorized. A good, long passphrase with a couple of special characters thrown in is quite secure. The list of words that you made your passphrase out of might be public, but the attacker probably doesn’t know which one you used unless you tell him.
passwords for the most part are dead. high-entropy bit mnemonics are the way.
have a look at the bip-39 spec. theoretically unbreakable given a proper implementation. the caveat is many services don’t allow for a
charset > 50 which forces the consumer to reduce entropy bits by way of varchar constraints.
while a passphrase or mnemonic with a length of 8 words ie:
red glue seven wifi belief bacon zebra pipe is rather strong, it’s also the sequence of the words that contribute to the breakage. if you were to set
prologic builds software that needs some maintainers today this would be simpler in theory to crack since the progression of words forms a common speech pattern which can be brute forced easier.
this would make a good friday call
I believe the benefit/risk calculation is that a passphrase is more memorable to users then a random string of alnum + symbol. i can remember the 20-30 chars in a passphrase quicker and longer than a 8-10 random.
ultimately they hold nowhere near the benefit of passphrase + MFA
I use long passphrase. I keep them in my password manager and if I need to type them, it is much easier to type.
@email@example.com yep, I was going to share the bip-39 spec, thanks for pointing it out. A regular passphrase, like taking a random quote from a book is not ideal, perhaps the equivalent to using ‘password123’
I switched from using long random passwords like
They are easier to type, and have similar entropy (if used correctly)
As @firstname.lastname@example.org says, the real problem is with
allowed_chars <= 50 even for long passwords or simpler passphrases, which is stupid since the hashed password uses the same amount of chars. Perhaps allowing up to 100 or 200 chars is good enough, and maybe rejecting some special characters like emojis, no idea.
@eaplmx indeed and thank you for unpacking further. your use of mnemonics is a good substitute for complex long passwords (still better than
and if you have issues with typing, some form of password manager is helpful. unless of course it’s your luks partition or something else then you should burn this into the cortex.
@email@example.com of course, mfa goes without saying. passphrase+mfa wins every time. i was delving more into the cryptography and mathematics behind it coming from a lot of research in this area. but point well received.