Nowadays, most people use password managers (hopefully). However, there are still some passwords that you need to memorize, like the master password for a password manager, a phone lock code, a Wi-Fi password, etc.

Security-wise, can a passphrase reach the strength of a good password without getting so long that it defeats the purpose of even using it?

  • AndrasKrigare@beehaw.org · 8 upvotes · 8 months ago

    One caveat I’d want to note is for the underlying methodology that it uses:

    As this study by Joseph Bonneau attests, people frequently choose common phrases in addition to common words. zxcvbn would be better if it recognized “Harry Potter” as a common phrase, rather than a semi-common name and surname. Google’s n-gram corpus fits in a terabyte, and even a good bigram list is impractical to download browser-side, so this functionality would require server-side evaluation and infrastructure cost. Server-side evaluation would also allow a much larger single-word dictionary, such as Google’s unigram set.

    As another example, the passphrase “This password is good” is claimed to take centuries to crack, but if the search space were narrowed down from a sequence of words to grammatically correct sentences, certain passphrases would be much weaker than this would show.

    • Schlemmy · 2 upvotes · 8 months ago

      You should indeed use a password manager to randomize the generated password phrases. Bitwarden adds capitals, numbers and other characters to the password phrases.
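The following is an added worked example, not code from the thread or from zxcvbn, that puts numbers on the original question (how many random words match a random password) and on AndrasKrigare’s caveat (a phrase that is a grammatical sentence is much weaker than a count of random words suggests). The 7776-word Diceware list size and the 94-character printable ASCII alphabet are standard figures; the slot sizes used for the "grammatical sentence" attacker model, the guess rate, and the tiny sample word list are constructed assumptions for illustration only.

```python
import math
import secrets

# Assumed sizes (standard figures, not from the thread).
DICEWARE_WORDS = 7776          # words in a Diceware-style list
PRINTABLE_ASCII = 94           # printable ASCII characters for a random password


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from `choices` options."""
    return length * math.log2(choices)


def password_entropy(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Bits of a uniformly random character password."""
    return entropy_bits(alphabet_size, length)


def passphrase_entropy(word_count: int, wordlist_size: int = DICEWARE_WORDS) -> float:
    """Bits of a passphrase whose words are chosen uniformly and independently.
    This is the 'sequence of random words' model the question asks about."""
    return entropy_bits(wordlist_size, word_count)


def words_needed(target_bits: float, wordlist_size: int = DICEWARE_WORDS) -> int:
    """Smallest number of random words whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def template_entropy(slot_sizes: list[int]) -> float:
    """Bits when the attacker knows the phrase follows a grammatical template
    (determiner / noun / verb / adjective ...) and enumerates each slot from a
    small vocabulary. slot_sizes are ASSUMED vocabulary sizes per slot."""
    return sum(math.log2(n) for n in slot_sizes)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly chosen secret: half the keyspace."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def generate_passphrase(wordlist: list[str], word_count: int) -> list[str]:
    """Pick words with the CSPRNG, never with random.choice. The entropy is
    log2(len(wordlist)) per word, so a tiny list gives a weak phrase."""
    return [secrets.choice(wordlist) for _ in range(word_count)]


if __name__ == "__main__":
    pw_bits = password_entropy(12)                      # 12 random printable chars
    n_words = words_needed(pw_bits)                     # words to match it
    print(f"12-char random password: {pw_bits:.1f} bits")
    print(f"Diceware words needed to match: {n_words} "
          f"({passphrase_entropy(n_words):.1f} bits)")

    # 'This password is good' under the random-words model ...
    four_words = passphrase_entropy(4)
    # ... versus an attacker who enumerates: determiner, noun, verb, adjective.
    # Assumed slot sizes (constructed for illustration): 10, 2000, 100, 500.
    sentence = template_entropy([10, 2000, 100, 500])
    rate = 1e10                                         # assumed offline guess rate
    print(f"4 random words: {four_words:.1f} bits, "
          f"~{expected_crack_seconds(four_words, rate) / 86400:.1f} days at {rate:.0e}/s")
    print(f"Same phrase as a template sentence: {sentence:.1f} bits, "
          f"~{expected_crack_seconds(sentence, rate):.2f} s at {rate:.0e}/s")

    # Constructed sample word list; a real one should have thousands of entries.
    sample_words = ["correct", "horse", "battery", "staple", "otter", "quartz"]
    print("sample phrase:", " ".join(generate_passphrase(sample_words, 4)))
```

The two functions to compare are `passphrase_entropy` and `template_entropy`: the first is what a word-count estimator reports, the second is what an attacker with a phrase model actually faces. The gap (roughly 52 bits versus 30 bits for the four-word sentence under the assumed slot sizes) is the caveat in the thread; it disappears when the words are chosen by `generate_passphrase` from a large list rather than by a person.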