this post was submitted on 19 Mar 2024
78 points (94.3% liked)

Asklemmy

43808 readers
889 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy 🔍

If your post meets the following criteria, it's welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

~Icon~ ~by~ ~@Double_[email protected]~

founded 5 years ago
MODERATORS
 

Nowadays, most people use password managers (hopefully). However, there are still some passwords that you need to memorize, like master password (for a password manager), phone lock, wifi password, etc.

Security wise, can passphrase reach the strength of a good password without getting so long that it defeats the purpose of even using it?

top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 3 points 7 months ago

I'm a big car guy so I typically use car makes and models but never ones I actually own, usually I'll go with some like SubaruImprezaWrxSti2012 except I scramble the order of the words and throw the year in a random position. This is really easy to remember while also being long and insane enough to be difficult to guess.

[–] [email protected] 7 points 7 months ago* (last edited 7 months ago) (1 children)

I use passphrases for frequently used logins and randomly-generated passwords of varying lengths for everything else. I also use a hardware key and/or 2FA for everything that allows it.

I'm conversationally fluent in a few different languages (enough to order food, greet people and ask directions to the shitter, anyway) and I can swear in another half-dozen languages so I tend to mix'n'match my passphrases with different foreign words. Bonus points for accented characters. That's probably not gonna fool a dictionary-based attack but since I live in a (mostly) English-speaking country, it might make it interesting for the English-only speakers to try guessing.

At work, we're held to the outdated policy set by the IT department so it can be difficult to be creative. On top of that, they force a password change whenever someone sneezes so I see a lot of sticky notes on monitors and under keyboards.

Edit: spelling and grammar.

[–] [email protected] 4 points 7 months ago

I once had to change a password every 30 days.

And it couldn't be a password I'd used before. Along with ridiculous requirements (but not as ridiculous as the 30 day thing).

You'd think it was a password to get into the NSA's database or something.

Nope, just a (not very) random website.

[–] [email protected] 1 points 7 months ago

I tend to use random lines of code that don’t make much sense.

For example:

W0rds::Format(a[0],b[9])->Render(delta);

Lengthy, memorable, incorporates numbers, special characters, upper and lowercase.

The challenge is having to type it in on phones or other devices not a computer.

I don’t currently use a password manager, but I probably should.

[–] [email protected] 2 points 7 months ago

I use diceware passphrases for any passwords I need to type in (ssh keys, logging in, decrypting my hard drive, master password for password manager, etc). It's the most secure way of setting a password you have to remember and type. Especially since my auto generated passwords contain special characters I wouldn't be able type without just using those ways of entering some escape sequence and typing a unicode sequence.

[–] [email protected] 6 points 7 months ago (1 children)

For my personal life I use a password manager, like most people in this thread. For my master password I really want a secure password (LastPass really reinforced the value of that), so I use a passphrase that is then hashed using an algorithm I can do in my head, so it's a long string of high entropy alphanumeric gibberish that I can remember easily.

At work my IT dept seems to be stuck 10 years in the past, so they have now implemented a policy that our passwords must be at least 16 characters. They keep ignoring my suggestions to get some form of corporate password manager, so I have my work passwords stored in a text file that I'm not allowed to have any form of file encryption so it just sits there in my documents folder. It's probably not going to be the source of our company getting penetrated, but I don't consider it secure.

I do like pass phrases because I find them easy to remember, but my current prime work one is really easy to make typos, so I now use the reveal password button more than I ever have before.

[–] [email protected] 2 points 7 months ago

At work, if you have the option, consider using KeePassXC or similar software. That will give you a properly encrypted file with secrets and also password-manager features.

[–] [email protected] 4 points 7 months ago (2 children)

I use a passphrase in order to get into my password manager, but that's it. Because my password manager handles all the rest of them and makes it way more random than I could ever dream of.

[–] [email protected] 1 points 7 months ago (1 children)

How do you log in to your computer though?

[–] [email protected] 2 points 7 months ago

Okay, I didn't even think of that one, but yeah, I have two passwords. One logs me into the computer, and one logs me into my password manager.

[–] [email protected] 2 points 7 months ago

Bitwarden can generate password phrases. Some other password managers too. In the occasion you have to type out your password a password phrase is a lot easier.

[–] [email protected] 8 points 7 months ago

I made a passphrase for my laptop in bitwarden and didn't think I'd remember the 10 word passphrase but after a few days of typing it I now remember it. All other alphanumeric passwords I would need a keyboard in order to type it out if I remember

[–] [email protected] 1 points 7 months ago

I use a short passphrase that I made up that only I and my husband know. It consists of numbers, a special character, a word, and more numbers.

Then whatever I'm logging in to, my password consists of something relevant to the thing, with my passphrase appended to it.

[–] [email protected] 7 points 7 months ago

I use an open source password manager and long random passwords for most things.

my master password is a long phrase though, as well as any I have to type personally sometimes. passphrases are so much easier to type as well

[–] [email protected] 2 points 7 months ago

Yes, on my password manager and computer logins. I love them because they are so easy to memorize and still secure enough to use in these scenarios. My Laptops are at home or with me. Someone cracking that is highly unlikely and I don't want to look up and manually type random passwords from my PW manager every time. 1Password itself needs a second long password for new devices to login, so I'm not worried about that. Everything else has very long random passwords which I store in 1Password.

[–] [email protected] 5 points 7 months ago (1 children)

https://bitwarden.com/password-strength/

Test it here. Passphrases of 3 words take centuries to crack, without any numbers or capital letters. Passwords with numbers, capital letters, and symbols need ~14 characters to be that secure. If you need to memorize it, a passphrase is far superior. Add in a number, or random capitalization, or a misspelling and your security goes even higher.

[–] [email protected] 8 points 7 months ago (1 children)

One caveat I'd want to note is for the underlying methodology that uses:

As this study by Joseph Bonneau attests, people frequently choose common phrases in addition to common words. zxcvbn would be better if it recognized "Harry Potter" as a common phrase, rather than a semi-common name and surname. Google's n-gram corpus fits in a terabyte, and even a good bigram list is impractical to download browser-side, so this functionality would require server-side evaluation and infrastructure cost. Server-side evaluation would also allow a much larger single-word dictionary, such as Google's unigram set.

As another example, the passphrase "This password is good" is claimed to take centuries to crack, but if the search space were narrowed down from a sequence of words to grammatically correct sentences, certain passphrases would be much weaker than this would show.

[–] [email protected] 2 points 7 months ago

You should indeed use a password manager to randomize the generated password phrases. Bitwarden adds capitals, numbers and other characters to the password phrases.

[–] [email protected] 6 points 7 months ago* (last edited 7 months ago) (1 children)

Sure. You can either increase the dictionary of possible words, or increase the number of words or both. Eventually it will become unwieldy. I don't bother with passphrases though.

I generate passwords of sufficient entropy (random ASCII), store them securely (encrypted, key memorized, on dedicated hardware), and never re-use them. I don't trust password managers unless open-source. I don't need convenience -- to some extent, it's my job to manage other people's secrets. Since I'm being paid, no need for shortcuts.

[–] [email protected] 2 points 7 months ago* (last edited 7 months ago) (3 children)

Same. Pass phrases seem like a solution to a problem that doesn't exist anymore. We don't live in a world where people should be reusing and memorizing strong passwords. We live in a world with frequent user data theft and scams to glean your login info. Just last week, I started getting random login attempts from around the world for a Microsoft account I haven't used in over a decade. No idea when or how that info got leaked.

And people aren't equipped to memorize a different passphrase for all 30 of their accounts.

So, we should do what we always do: Get machines to make the issue easier for us to manage. Right now, that means password managers with a strong master password and secure storage.

In the future, maybe we'll have some kind of creepy central government ID based password-less login method. Who knows?

Edit: Besides, most services require ThIrTeEn dIgIt lOnG PaSsWoRdS WiTh fIvE SpEcIaL ChArAcTeRs aNd sIx nOn-cOnSeCuTiVe dIgItS Of pI ThAt dOeSn't mAtCh aNy kNoWn dAtE Or eVeNt oR SpEcIaL StRiNg oF NuMbErS. It's just too annoying, and I'd have to memorize all the special characters in addition to the phrase.

[–] [email protected] 2 points 7 months ago (1 children)

Those government id based login methods are quite common and very secure. Belgium has a system that used your ID, your phone number and your phone to verify your login. A lot of EU banks have been using a OTP generated by a dedicated hardware that looks like a tiny calculator. The Netherlands has a dedicated app that is verified by your government id and that uses a qr to verify your identity.

[–] [email protected] 1 points 7 months ago (1 children)

They can be good quality, yeah. But I'm more worried about having to basically present a digital-equivalent of a driver's license if I want to sign up for Netflix, or watch porn, or order food. And if ID system routes every request to a central location first, then you get stuck with de-facto tracking on everything you ever do, no matter how good the company's privacy record is. That's what I meant by creepy.

[–] [email protected] 2 points 7 months ago

Thank God for GDPR. That would be impossible in the EU. ID's can only used in very specific cases that are detailed in the law.

[–] [email protected] 3 points 7 months ago

Yeah, I hate that. Forcing me to input special characters makes my password slightly less secure. Of course I'll include them by default, but now an attacker can eliminate all passwords without special characters. Most people just put the number 1 or a period at the end of their existing, frequently re-used password anyway. Or capitalize the first or last letter. So it doesn't make it really harder to crack dumb passwords.

It's like we've optimized passwords to be hard for humans to remember, but easy for humans to guess!

[–] [email protected] 4 points 7 months ago

OP kinda already addressed that. A password manager is great, but you still need a master password, so do you use a passphrase for that?

[–] [email protected] 2 points 7 months ago (1 children)

I have one that I like to imagine as secure as fully randomised passwords. It's four words but, because I'm a cool pwnz0r, the second and last word are written in leetspeak. The phrase is super easy for me to remember and the leetspeak portion has become muscle memory by now. But I only use it for my password manager. For everything else it depends if there's a good chance I'll need to login via my phone (no pw manager there). If yes, I use one of my couple rather-safe passwords. If no, I'll let KeePass2 go to town with a random one.

Oh and I'm subscribed to the haveibeenpwned leakletter, so i know as soon as possible when definitely to change my password.

[–] [email protected] 7 points 7 months ago (1 children)

It's four words but, because I'm a cool pwnz0r, the second and last word are written in leetspeak

correct h0r53 battery 5t4p13?

[–] [email protected] 2 points 7 months ago

nah man

correct |-|0.-5€ battery 5+4|°|€

[–] [email protected] -1 points 7 months ago

No, I just memorize the proper password.

[–] [email protected] 5 points 7 months ago

All my manual passwords are passphrases.

This is basically based on the idea that if the password is so strong I can no longer input it, it has no inherent value anyways. A phrase makes it easier to use entire sentences as a password and readily recall them.

Of course, these are but a minority, the rest are passkeys or passwords a manager will fill in.

[–] [email protected] 4 points 7 months ago

I do use passphrases, but I combine with randomness.

I memorize one random 8 character string to use with something more memorable.

Then when I need more security, or I feel that random 8 character string is no longer safe (password leak/hacked), I memorize a new 8 character string.

Then I combine them.

Then I memorize a new 8 character string and mix it in.

It's a process built up over years that ingrains into memory. Sometimes I forget the order, or if i added spaces, or did no spaces. Luckily, as long as I am sure of the discrete segments, I can remix them to recreate until it works (in a reasonable time).

My last addition was when I made the move from Lastpass to another password manager, after their endless bad news.

[–] [email protected] 10 points 7 months ago

I do use a password manager, and a lot of my passwords are automatically generated piles of random ASCII.

There are of course passwords I have to key manually a lot; especially the master key of my password database. I often use pass phrases for these. The ones I have to commit to memory, or even need to key manually reading with my eyes from my database, or in the case of my Wi-Fi passwords tell to other people, I make these fairly human readable/typeable. Trying to key lFqvC3]gI~l8p2V6TvTY&p in is a pain in the ass even in a font that renders that uppercase I and lowercase L as different glyphs. Something like corrEct_horse battery staPle, well I worked in an underscore and two capitals in something I can still touch type pretty effectively. Don't use correct horse battery staple as a password; it's burned.

[–] [email protected] 7 points 7 months ago (3 children)

Ok, this is a reasonable community to ask. What's a FOSS pword manager that is easy to use, reliable, likely to be around and working in 5 years, and won't leave me feeling shit up a creek if my phone dies or I'm using a public terminal with software installation restrictions? Been a few years, but I had not found something that worked well for me.

[–] [email protected] 8 points 7 months ago

What's a FOSS pword manager

There are probably more that these two out there but the two I know of that fit this bill are Bitwarden and KeePass. The latter comes in two flavors, the original KeePass that kinda looks like shit and tries to stay lean and defer niche features to plugins, and the fork KeePassXC that tries to give it a sleeker UX with more features natively baked-in. I will refer to both simply as "KeePass" for the rest of this comment.

that is easy to use

"Easy to use" is relative. If you're savvy enough to know what FOSS software even is, to care about using it, and to find your way onto an experimental platform like Lemmy to ask about it, I'd say youre more than capable of handling either of the above choices with ease.

reliable, likely to be around and working in 5 years

I'd wager that on both Bitwarden and KeePass.

and won't leave me feeling shit up a creek if my phone dies or I'm using a public terminal with software installation restrictions

Bitwarden offers free cloud hosting and a web interface. As long as you have access to a browser and an Internet connection, you have access to your Bitwarden key store.

KeePass is offline-only and requires specialized client software to read its key store file format. Though, since all it is is a file, you can use simple and straightforward methods to make it accessible wherever you need it. Copy it to a flash drive. SCP it between devices. Put it on a cloud service like Dropbox. You have options. It's just up to you to use them.

Bitwarden also lets you save locally stored files and manage them like KeePass, if you're into that.

Honestly, since each can be made to more or less behave like the other, which one you pick largely comes down to taste. Bitwarden is more turn-key if you want cloud hosting, KeePass makes you work for it. Bitwarden is a company providing a premium service you can buy, while KeePass is a completely free project funded only by good will donations.

I prefer KeePassXC, personally.

[–] [email protected] 23 points 7 months ago (1 children)
[–] [email protected] 6 points 7 months ago (1 children)

Or if you want to selfhost, use Vaultwarden (compatible with Bitwarden official clients)

[–] [email protected] 4 points 7 months ago

this, just works and very easy to use and backup if using docker.

[–] [email protected] 2 points 7 months ago

ProtonPass. They’re a company thats been around for a while now, has multiple revenue streams, and has a food track record on security and open sourcing.

Another one is Bitwarden but iirc they only have the one revenue source although iirc its a tiny team so they dont need much

load more comments
view more: next ›