undefined | Better HN

0 pointsSomeStupidPoint8y ago0 comments

Why the dig at passphrases?

0 comments

I don’t have a problem with passphrases per se, but when people make them up via their noggin, they aren’t random and aren’t likely to include many obscure words. Using only common words dramatically reduces entropy. E.g., there are only 1 trillion passphrases of 4 words that can be constructed with the 1000 most common words, but a 12-character passphrase pulling from alphanumerics and the ~16 punctuation characters on your keyboard yield 50 sextillion permutations. That’s 50 thousand billion billion.

The argument I am making is that your average passphrase — yes, including "correct horse battery staple" — could be cracked a trillion times over before a password generated via 1Password would be!

memmcgee8y ago

Because they're not actually effective. Most brute forcing is done via dictionary attacks.

SomeStupidPointOP8y ago

"Dictionary attacks" aren't a magic spell. They're a form of brute forcing, as you seem to be aware.

If you're using about 8000 words, randomly chosen, then a 4 word passphrase is about the same as an 8 character random password. (And in fact, for 8k words, it's basically a direct substitution between 2 characters and 1 word.)

For most intents and purposes, 8-10 characters is fine, and 20 characters is enough to use as a cryptographic key. Similarly, 4-5 words is fine for most uses, and 10 words is enough to use as a cryptographic key.

So I'm not sure what you think isn't effective about passphrases -- they're just using a 2^13 sized alphabet instead of a 2^6.5 one, but either is capable of being used to write down a random string of bits.

j / k navigate · click thread line to collapse