Yarn

Recent twts in reply to #ji42lkq

Q: Are passphrases really more secure than cryptographically random passwords? 🤔

I have to wonder… It should be possible to do “passphrase” attacks just like “dictionary” attacks? How is a “phrase” any different to the character set you can type? Sure there are more possible “words” (at least) in the English language, but I’m not convinced.


@prologic@twtxt.net They can be more secure or not. It depends on how long it is, just like a string of random characters. You can also add some random special characters into the passphrase to throw off an attacker.

The main benefit of a passphrase is the relative ease at which it is memorized. A good, long passphrase with a couple of special characters thrown in is quite secure. The list of words that you made your passphrase out of might be public, but the attacker probably doesn’t know which one you used unless you tell him.


@prologic

passwords for the most part are dead. high-entropy bit mnemonics are the way.

have a look at the bip-39 spec. theoretically unbreakable given a proper implementation. the caveat is many services don’t allow for a charset > 50 which forces the consumer to reduce entropy bits by way of varchar constraints.

while a passphrase or mnemonic with a length of 8 words, i.e. “red glue seven wifi belief bacon zebra pipe”, is rather strong, it’s also the sequence of the words that contributes to the breakage. if you were to set “prologic builds software that needs some maintainers today” this would be simpler in theory to crack since the progression of words forms a common speech pattern which can be brute forced easier.

this would make a good friday call


I believe the benefit/risk calculation is that a passphrase is more memorable to users than a random string of alnum + symbol. i can remember the 20-30 chars in a passphrase quicker and longer than an 8-10 random.

ultimately they hold nowhere near the benefit of passphrase + MFA


@retrocrash@twtxt.net yep, I was going to share the bip-39 spec, thanks for pointing it out. A regular passphrase, like taking a random quote from a book, is not ideal, perhaps the equivalent to using ‘password123’.

I switched from using long random passwords like qayxTW7rr8T95V8b8ZHV4QMHcaTssVqDwEEr3Hzr to Ream4-Cope-Daringly-Waving-Likeness-Urchin-Arise

They are easier to type, and have similar entropy (if used correctly)

As @retrocrash@twtxt.net says, the real problem is with allowed_chars <= 50 even for long passwords or simpler passphrases, which is stupid since the hashed password uses the same amount of chars. Perhaps allowing up to 100 or 200 chars is good enough, and maybe rejecting some special characters like emojis, no idea.

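An added example (not written by any poster in this thread) that puts numbers on the comparison above: the entropy of a uniformly random string over the character set it uses, the entropy of a passphrase whose words are drawn uniformly from a public wordlist, and how many words a length-capped password field can hold. The wordlist sizes (Diceware 7776, BIP-39 2048) are real; the average word length and the small wordlist used for generation are constructed assumptions.

```python
import math
import secrets
import string

DICEWARE_WORDS = 7776   # size of the standard Diceware list
BIP39_WORDS = 2048      # size of a BIP-39 wordlist

# Constructed toy wordlist for the generator demo; a real list is far larger,
# and only the list size (not the words) matters for the entropy estimate.
TOY_WORDS = ["red", "glue", "seven", "wifi", "belief", "bacon", "zebra", "pipe"]


def charset_size(password: str) -> int:
    """Size of the union of standard character classes the password touches."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    return sum(len(cls) for cls in classes if any(c in cls for c in password))


def random_password_bits(password: str) -> float:
    """Entropy if every character was chosen uniformly from that charset."""
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(n_words: int, wordlist_size: int, extra_bits: float = 0.0) -> float:
    """Entropy when each word is drawn uniformly from a list the attacker knows.

    Separators and capitalisation are assumed known to the attacker (0 bits);
    extra_bits accounts for any genuinely random additions, e.g. a digit.
    """
    return n_words * math.log2(wordlist_size) + extra_bits


def words_that_fit(max_chars: int, avg_word_len: float = 6.0, sep_len: int = 1) -> int:
    """Words a length-capped field can hold: n*avg + (n-1)*sep <= max_chars."""
    return int((max_chars + sep_len) // (avg_word_len + sep_len))


def generate_passphrase(n_words: int, wordlist: list[str], sep: str = "-") -> str:
    """Pick words with a CSPRNG; a quote from a book would not be uniform."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    print(round(random_password_bits("qayxTW7rr8T95V8b8ZHV4QMHcaTssVqDwEEr3Hzr"), 1))
    print(round(passphrase_bits(7, DICEWARE_WORDS), 1))   # 7 words, known list
    print(round(passphrase_bits(8, BIP39_WORDS), 1))      # 8-word BIP-39 mnemonic
    print(words_that_fit(50))                             # a 50-char field cap
```

The 40-character random password scores about 238 bits while the seven-word passphrase scores about 90 bits, which is still comfortably beyond offline guessing for a properly hashed password; the length cap is what decides whether the passphrase can be used at all.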

@eaplmx indeed and thank you for unpacking further. your use of mnemonics is a good substitute for complex long passwords (still better than dog1234).

and if you have issues with typing, some form of password manager is helpful. unless of course it’s your luks partition or something else then you should burn this into the cortex.


@xuu@txt.sour.is of course, mfa goes without saying. passphrase+mfa wins every time. i was delving more into the cryptography and mathematics behind it coming from a lot of research in this area. but point well received.

