I think you all know the guidelines for a strong password. Must be at least 8 characters or more. Use a combination of upper and lower case letters, numbers, and special characters. Avoid using words found in the dictionary. So on... It should look like a series of random characters, not a sentence. Also, substituting look-alike characters for letters or numbers is no longer sufficient. In simple, the advice is to increase the length and complexity. A passphrase is a collection of common words combined together randomly into a phrase. Security experts advise using passphrases instead of passwords because they're far easier to remember than conventional passwords yet far harder for hackers to crack. Let's compare these two in an example. Password: Xy9n4h&w]Lo>FIbT2Vk[u3R/JmZS • Length: 28 - PASS • Complexity - PASS Upper Case Letters ✔ Lower Case Letters ✔ Numbers ✔ Special Characters ✔• Vulnerability to dictionary attack - PASS • Usability: Hard to Remember - FAIL Passphrase: correct horse battery staple • Length: 28 - PASS • Complexity - FAIL Upper Case Letters X Lower Case Letters ✔ Numbers X Special Characters X• Vulnerability to dictionary attack - FAIL • Usability: Easy to Remember - PASS The password has all the things a strong password should have. It's totally random. But one could hardly remember it. On the other hand, the passphrase is easy to remember. But it's full of words that can be found in a dictionary. So being easy to remember is the only reason to use a passphrase instead of a password. Should we compromise security for usability? I don't think so. And as experts say, if passphrases are harder for hackers to crack, why isn't everyone using them? Why don't websites prompt us to use them instead of passwords? Password Vs. Passphrase. What's your opinion on this? Let's discuss.
MDL/members/evygi7.1241135/ Length: 27 - PASS Complexity - PASS Upper Case Letters ✔ Lower Case Letters ✔ Numbers ✔ Special Characters ✔ Vulnerability to dictionary attack - PASS Usability: Hard to Remember - PASS
The major difference of passphrase and password is that a secure passphrase has far more characters. (More than hundred, takes a long time to type in). That's the reason why a passphrase is not suitable for logins into accounts. It is suitable to encrypt or sign messages also electrum for instance uses it to 'recover' a bitcoin account ("seed"). It is suitable there where you have to remember it a long time and where you have to use it only a few times...or as a last resort authentication. The security does not only increase by length it also does by structure of sentence. (2 nouns, adjectives and locations plus verb and adverb >= 92bit entropy) Also to use a rare language or even to use self-created words ( i.e. leetspeak) can increase security. You can make use of both by a combination..for instance the PW I use to share stuff here is. I1am2free3@mdl The strength of a PW should be related to the potential harm. This one is easily to remember, already strong, but it's just a zip PW to make sure only MDL people can unpack it. And contrary to previous recommendations one should use one PW all the time and not change after a period of time again and again. And a second factor is far more secure than one very strong PW which is hard to remember. Another way to create a random PW is to remind a special pattern on the keyboard.
Isn't that too much? Even that example I posted from the famous XKCD comic, which has 28 characters, would take 15 Octillion years to be cracked according to an online checker. How can I calculate the entropy? That's true. And that brings up another question to me. Authenticator App Vs. Text Message. They say the first one is more secure since hackers can get the text message via SIM swapping. But what happens with the authenticator app when your phone dies or lost? By the way, thanks for your input on the subject.
https://appdevelopermagazine.com/Dangers-of-quantum-hacking/ You're also forgetting things like yubikey etc you don't actually need to use an app for 2fa!
Well you can do it by approximation. It of course depends on language (the dictionary) also complexity of the grammar of language. To make a proper approximation you firstly have to define how many characters has the particular language at all. Then it depends on grammar and terms like locations such as cities used or unique terms used (finally for a dictionary attack you need a reference dictionary). For a brute force attack you only need to define the amount of different characters for each digit to calculate. And of course the amount of digits, the length of the phrase. The easiest form of an attack defines the maximum entropy it can have. I got the info from here (only partly translated to English, though) https://www.spoc-web.com/english/security-training/passphrases/ 2FA is usually associated to an 2FA app. But it literally means to use a second independent authentication, a second factor, additionally. At anything money related I use a login with name and password as first factor and a SMS PIN which expires as the second factor. No app. Even if both systems should be compromised hacker A gets the PW and username (first factor) and hacker B the SMS (second factor). Now there is a limited time to get both together, which is only 10 minutes until the second factor expires. That is impossible, you are safe anyway and can change anything in time. It is impossible that one hacker can monitor both (your current network IP for an attack due to malware AND your corresponding SIM ID with full access to the SMS PIN). For anything else I use the mentioned combination of 'parts' and I actually use Sanskrit language. I never forgot such a phrase, but sometimes I miss the specific way I used for reconstruction and I need a few attempts to get logged in again. The amount of 'parts' I use I decide dependent on where I log in. Here at MDL I have more than 20 characters easily to remember.