Are you using passphrases? Is it worth it?

can passphrase reach the strength of a good password

Relevant xkcd: https://xkcd.com/936/

I’d love to hear from someone well versed in security if this is legit or significant weaknesses exist, but the math seems to check out as far as I can tell.

most people use password managers

You don’t know many boomers, do you?

Yes, I use passphrases for stuff like my password manager, my computer login, and my disk encryption. For my login (which I type a lot) it's four words; for occasional stuff like disk encryption it's six. I'm sold on the argument that a passphrase is way easier to memorize compared to a comparably-secure random password.

The number of possible passphrases is the number of words in the dictionary you use to generate passphrases raised to the power of the number of words in your passphrase (assuming a small chance of reusing the same word in a passphrase). I use this command to generate a random phrase using my stock OS word list:

grep -v '[^a-z]' $WORDLIST | shuf --random-source=/dev/urandom | head -n5 | paste -sd ' '

grep -v '[^a-z]' $WORDLIST filters out words with apostrophes or other weirdness. On my system the filtered list is 77,866 words.

For four words, 77,866 ^ 4 ≈ 3.7 × 10^19 possible passphrases.

Compare that to randomly-generated passwords. I'll assume that random lowercase & uppercase letters, numbers, and symbols add up to 46 characters. The number of combinations is 46^n where n is the length of the password. A four-word passphrase is the same order of magnitude as secure as a 12-character password, which has about 9 × 10^19 possible combinations.

I'm sure that if you make up your own passphrases instead of randomly generating them then the security is much lower.

correct horse battery staple?

I do use a password manager, and a lot of my passwords are automatically generated piles of random ASCII.

There are of course passwords I have to key manually a lot; especially the master key of my password database. I often use pass phrases for these. The ones I have to commit to memory, or even need to key manually reading with my eyes from my database, or in the case of my Wi-Fi passwords tell to other people, I make these fairly human readable/typeable. Trying to key lFqvC3]gI~l8p2V6TvTY&p in is a pain in the ass even in a font that renders that uppercase I and lowercase L as different glyphs. Something like corrEct_horse battery staPle, well I worked in an underscore and two capitals in something I can still touch type pretty effectively. Don't use correct horse battery staple as a password; it's burned.

I found it amusing when the security team in my company sent me parts of my password in plaintext saying it was insecure (because it didn't have special characters in it) and recommended I use a password manager

The account is used for the ancient VPN software and all of our ssh management tools

And windows login if you're using windows.

Yeah good luck using a randomly generated password that you have to type in multiple times everyday

I made a passphrase for my laptop in bitwarden and didn't think I'd remember the 10 word passphrase but after a few days of typing it I now remember it. All other alphanumeric passwords I would need a keyboard in order to type it out if I remember

I use an open source password manager and long random passwords for most things.

my master password is a long phrase though, as well as any I have to type personally sometimes. passphrases are so much easier to type as well

I use passphrases for frequently used logins and randomly-generated passwords of varying lengths for everything else. I also use a hardware key and/or 2FA for everything that allows it.

I'm conversationally fluent in a few different languages (enough to order food, greet people and ask directions to the shitter, anyway) and I can swear in another half-dozen languages so I tend to mix'n'match my passphrases with different foreign words. Bonus points for accented characters. That's probably not gonna fool a dictionary-based attack but since I live in a (mostly) English-speaking country, it might make it interesting for the English-only speakers to try guessing.

At work, we're held to the outdated policy set by the IT department so it can be difficult to be creative. On top of that, they force a password change whenever someone sneezes so I see a lot of sticky notes on monitors and under keyboards.

Edit: spelling and grammar.

I do. It's worth it because there are some sites that are so outdated that their version of security is to not allow pasting (or filling in via pw manager) on password fields, so I have to manually type them in. Typing in a passphrase is easier and faster than a random string.

Ok, this is a reasonable community to ask. What's a FOSS pword manager that is easy to use, reliable, likely to be around and working in 5 years, and won't leave me feeling shit up a creek if my phone dies or I'm using a public terminal with software installation restrictions? Been a few years, but I had not found something that worked well for me.

Sure. You can either increase the dictionary of possible words, or increase the number of words or both. Eventually it will become unwieldy. I don't bother with passphrases though.

I generate passwords of sufficient entropy (random ASCII), store them securely (encrypted, key memorized, on dedicated hardware), and never re-use them. I don't trust password managers unless open-source. I don't need convenience -- to some extent, it's my job to manage other people's secrets. Since I'm being paid, no need for shortcuts.

For my personal life I use a password manager, like most people in this thread. For my master password I really want a secure password (LastPass really reinforced the value of that), so I use a passphrase that is then hashed using an algorithm I can do in my head, so it's a long string of high entropy alphanumeric gibberish that I can remember easily.

At work my IT dept seems to be stuck 10 years in the past, so they have now implemented a policy that our passwords must be at least 16 characters. They keep ignoring my suggestions to get some form of corporate password manager, so I have my work passwords stored in a text file that I'm not allowed to have any form of file encryption so it just sits there in my documents folder. It's probably not going to be the source of our company getting penetrated, but I don't consider it secure.

I do like pass phrases because I find them easy to remember, but my current prime work one is really easy to make typos, so I now use the reveal password button more than I ever have before.

https://bitwarden.com/password-strength/

Test it here. Passphrases of 3 words take centuries to crack, without any numbers or capital letters. Passwords with numbers, capital letters, and symbols need ~14 characters to be that secure. If you need to memorize it, a passphrase is far superior. Add in a number, or random capitalization, or a misspelling and your security goes even higher.

All my manual passwords are passphrases.

This is basically based on the idea that if the password is so strong I can no longer input it, it has no inherent value anyways. A phrase makes it easier to use entire sentences as a password and readily recall them.

Of course, these are but a minority, the rest are passkeys or passwords a manager will fill in.

I use a passphrase in order to get into my password manager, but that's it. Because my password manager handles all the rest of them and makes it way more random than I could ever dream of.

Disk encryption, computer login, and password manager are pass phrase + random characters stored on a pin protected OnlyKey and/or Mooltipass.

Regular passwords are just random characters up to min(max_len, 128).

I do use passphrases, but I combine with randomness.

I memorize one random 8 character string to use with something more memorable.

Then when I need more security, or I feel that random 8 character string is no longer safe (password leak/hacked), I memorize a new 8 character string.

Then I combine them.

Then I memorize a new 8 character string and mix it in.

It's a process built up over years that ingrains into memory. Sometimes I forget the order, or if i added spaces, or did no spaces. Luckily, as long as I am sure of the discrete segments, I can remix them to recreate until it works (in a reasonable time).

My last addition was when I made the move from Lastpass to another password manager, after their endless bad news.

I'm a big car guy so I typically use car makes and models but never ones I actually own, usually I'll go with some like SubaruImprezaWrxSti2012 except I scramble the order of the words and throw the year in a random position. This is really easy to remember while also being long and insane enough to be difficult to guess.

I have one that I like to imagine as secure as fully randomised passwords. It's four words but, because I'm a cool pwnz0r, the second and last word are written in leetspeak. The phrase is super easy for me to remember and the leetspeak portion has become muscle memory by now. But I only use it for my password manager. For everything else it depends if there's a good chance I'll need to login via my phone (no pw manager there). If yes, I use one of my couple rather-safe passwords. If no, I'll let KeePass2 go to town with a random one.

Oh and I'm subscribed to the haveibeenpwned leakletter, so i know as soon as possible when definitely to change my password.

I use diceware passphrases for any passwords I need to type in (ssh keys, logging in, decrypting my hard drive, master password for password manager, etc). It's the most secure way of setting a password you have to remember and type. Especially since my auto generated passwords contain special characters I wouldn't be able type without just using those ways of entering some escape sequence and typing a unicode sequence.

Use diceware to generate a nice long nonsense passphrase, and use that for your password manager master password. Keep it written down somewhere until you are sure you've memorized it.

Yes, on my password manager and computer logins. I love them because they are so easy to memorize and still secure enough to use in these scenarios. My Laptops are at home or with me. Someone cracking that is highly unlikely and I don't want to look up and manually type random passwords from my PW manager every time. 1Password itself needs a second long password for new devices to login, so I'm not worried about that. Everything else has very long random passwords which I store in 1Password.

Define 'strength'... against a dictionary attack? Brute force? Social engineering? 'forgotten password/recovery questions' hack? Stolen session cookie? Keyloggers?

If you're not aware of the above, take some time to learn about each of those things and how good security practices counter each one.

The question is kind of like, 'can you bake a cake?' .. probably yes, but it's really missing a lot of essential information, like what kind of oven, what ingredients do you have, what's your skill level, do you have arms, etc.

Any 'passphrase' can be secure or insecure, depending on the other surrounding factors. 2FA solves many security weaknesses.

I tend to use random lines of code that don’t make much sense.

For example:

W0rds::Format(a[0],b[9])->Render(delta);

Lengthy, memorable, incorporates numbers, special characters, upper and lowercase.

The challenge is having to type it in on phones or other devices not a computer.

I don’t currently use a password manager, but I probably should.

I use a short passphrase that I made up that only I and my husband know. It consists of numbers, a special character, a word, and more numbers.

Then whatever I'm logging in to, my password consists of something relevant to the thing, with my passphrase appended to it.

I use a leetified (using my own custom flavor) passphrase as my master password - I can type it really quickly and it's obscure as hell so I'm happy with it.

@Wistful@discuss.tchncs.de Why would the passphrase being long defeat the purpose of using it. That's half the purpose of using passphrases.
Make sure to use made up words or proper nouns and put a pin in an unexpected place. That's an easy way to change it without replacing the whole passphrase

No, I just memorize the proper password.