A pass phrase is the worst idea you can possible have for a password, speaking from my experience on "the dark side". Every single password cracking tool like the famous "John the Ripper" will be testing all possible combinations of words that satisfy a length requirement from a dictionary even before testing for short and easy "random strings" like ies29kf.

 

PS: password cracking dictionaries work against all words in all languages as these dictionaries have terrabytes of data to store every combination of literals that humans understand

 

This is only true if the passphrase is too short (not enough entropy), or its not randomly generated (which further reduces entropy). As my example showed, the 6 word passphrase has the same entropy as the 10 character lowercase/uppercase/number password given. All passphrases do is replace individual characters and the range that is possible (A-Za-z0-9) with words from the dictionary, making the passphrase essentially a "6 character" password, if words could be considered a "character" that is known in advance. In both cases, all the possible characters/words are known from the beginning, its just the combination the computer has to find. I do agree that passphrases can be easily done wrong, but so can passwords. Its all about that entropy.

Edited October 1, 20169 yr by Lemons

This is only true if the passphrase is too short (not enough entropy), or its not randomly generated (which further reduces entropy). As my example showed, the 6 word passphrase has the same entropy as the 10 character lowercase/uppercase/number password given. All passphrases do is replace individual characters and the range that is possible (A-Za-z0-9) with words from the dictionary. In both cases, all the possible characters/words are known from the beginning, its just the combination the computer has to find. I do agree that passphrases can be easily done wrong, but so can passwords. Its all about that entropy.

SecureRandom random = new SecureRandom();
String password = new BigInteger(130, random).toString(32);
System.out.println(password);

Copy/paste the output and save it in a secure location such as a sheet of paper. Better than any password generation site on the internet.

SecureRandom random = new SecureRandom();
String password = new BigInteger(130, random).toString(32);
System.out.println(password);

Copy/paste the output and save it in a secure location such as a sheet of paper. Better than any password generation site on the internet.

 

 

I agree with this, I personally use 20 character randomly generated passwords, as they entropy is much higher than a typical password and is secure enough in my mind that most would be bored. But, if I replaced that with a randomly generated 20 word passphrase, I'd feel just as safe.

 

The problem is most people don't want to remember all that crap, so they just choose "dog" or "cat" or some equally lame password, when a passphrase would also be easily remembered and has a lot more entropy than "dog" or "cat". Most people don't want 20 characters of random numbers/letters for their password, let alone a different one for every website.

 

If we really wanted to be secure, we'd start using keys more often. Also, storing passwords in plain text, no matter the location (except your head, for now), is a terrible idea as well. Use a secure password manager at least or place the paper in a secure safe (you'd be surprised how many safes are just pseudo-safe :p).

Edited October 1, 20169 yr by Lemons

Bruh pls don't tell me you just did that to your main

Bruh pls don't tell me you just did that to your main

top kek

Bruh pls don't tell me you just did that to your main

someone else's main

:^)