this post was submitted on 19 Mar 2024
77 points (94.3% liked)

Asklemmy

43893 readers
954 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy 🔍

If your post meets the following criteria, it's welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

~Icon~ ~by~ ~@Double_[email protected]~

founded 5 years ago
MODERATORS
 

Nowadays, most people use password managers (hopefully). However, there are still some passwords that you need to memorize, like master password (for a password manager), phone lock, wifi password, etc.

Security wise, can passphrase reach the strength of a good password without getting so long that it defeats the purpose of even using it?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 44 points 8 months ago* (last edited 8 months ago) (4 children)

can passphrase reach the strength of a good password

Relevant xkcd: https://xkcd.com/936/

I’d love to hear from someone well versed in security if this is legit or significant weaknesses exist, but the math seems to check out as far as I can tell.

[–] [email protected] 15 points 8 months ago* (last edited 8 months ago) (1 children)

For what a civilian target would worry about, using sufficiently long passwords is your best defense. Complexity is barely important.

111111111111111111111111111.1111 is an excellent password.

Everyone should Ctrl+f their password here. But also wait the 10 minutes it'll take to load the whole thing.

If your pw is on this list, change it immediately.

If it's less than 8 chars? Change immediately. If it's less than 10 chars? Change... Now.

If it's less than 14 chars, consider just making your password longer.

This advice will save more people in its simplicity than saying more.


Want a smidge more?

If you're paranoid, take a password that you think is decent, then insert it here, then use the output as your password.

Most times, pws aren't stored in plain text, they're stored using that algorithm. So, if your password is 'password', hackers night easily be able to see that your passwords encrypted value is exactly what that link will output if you put in 'password'. If your password is on that huge list from the beginning of the post, they can easily decrypt the encrypted password, because these passwords's hashes are known.

So, use the hash itself as a password.

Hell, throw a comma at the beginning to throw it off.

[–] [email protected] -1 points 8 months ago (1 children)

using sufficiently long passwords is your best defense

No, using 2FA is your best defense, along with wise recovery questions. It matters nothing if you know someone's password, but can't get the 2FA code.

[–] [email protected] 7 points 8 months ago

In terms of security? Sure. We're talking about password entropy here.

[–] [email protected] 7 points 8 months ago

That's basically a Diceware passphrase. And, it's kinda ok. The amount of entropy is pretty significant (close to what the comic lists, if the Wikipedia article has it right). And it's really easy to add more entropy. I often recommend passphrases to my users (I work in Cybersecurity) and use them myself. Take a sentence, with spaces, capitals and punctuation. Now throw in a few numbers for fun and stop worrying about brute force attacks, until some idiot decides unsalted MD5 is perfectly fine for storing passwords. Most such passphrases will blow right past the 4 words in that comic and are very easy to remember. Even better, make that the passphrase for your password vault (oh look a plug for KeePass). Then have the rest of your passwords all be unique, 20 character jumbles of letters, numbers, and special characters.

Also, enable Two-Factor Authentication (2FA) wherever possible. Even if it's just a One Time Password (OTP) sent via SMS (which is a shit way to do 2FA), that's better than no 2FA.

[–] [email protected] 4 points 8 months ago (1 children)

My cybersecurity prof at uni showed us this xkcd during class lol

[–] [email protected] 1 points 8 months ago

Same a few days ago