Somebody asked whether dictionary-word passphrases (“correct horse battery staple”, like the ones generated by 1Password) are any good. Short answer: good means different things. Shorter answer: yes!
I’ll talk about why in a thread below.
The basic idea of these passphrases is that you have a dictionary of D words. You pick N words at random. That’s the whole idea. Example: “overlook-hooey-valance-flood-useless-ladyship”.
Cryptocurrency BIP32 passwords use a 2048 (2^11) list, and use 12-24 words per passphrase. 1Password seems to use a larger list, between 18000-18500 words (2^14.15) and you can pick your length (6-8 is common.) https://github.com/1Password/spg/blob/master/agilewords.go
Someone in my timeline asked for papers saying these were good passwords. From a purely mathematical perspective we don’t need a paper, just a toot. But there’s more than math here.
Password quality is about three things: strength (how long til Mallory guesses it, perhaps with a powerful computer), memorability (can you keep it in your head) and usability (can you enter it into a website or device.) Only the first one involves any math.
The math for dictionary passphrases is pretty simple. Assuming you choose words uniformly at random: if your dictionary has D words and your passphrase is N words long, then there are D^N total passphrases.
The total matters because for a random passphrase the best strategy for guessing is to try all (or most) of them. This D^N determines password cracking time.
A simpler way to do this math is with powers of 2. The 1Password dictionary is about 2^14 in size, so for a 6 word password we get 2^{14*6} = 2^84.
Cryptographers tend to treat anything over 2^80 as “probably good enough to secure your Bank of America account” and anything over 2^128 as “probably good enough to secure really important stuff”. I told you there’d be science.
For comparison, last I checked the Bitcoin network was computing about 2^64 hashes every 10 minutes and using as much electricity as Argentina.
Bitcoin doesn’t crack passwords, but if it could & the entire Bitcoin network was cracking your 6-word 1Password phrase, it would take about 9.5 years on average.
But what about human memorability? Can people memorize such complex passwords? The answer is “yes”, because I just memorized one.
If you don’t accept N=1 studies, then there are a few studies. This one looks at 3-4 word passphrases: https://cups.cs.cmu.edu/soups/2012/proceedings/a7_Shay.pdf
Here is another more recent study that focuses on 56-bit (2^56 strength) 6-word passphrases and discusses strategies that help people memorize them. It turns out that “spaced repetition” (making people learn the password over a period of time) works well enough that many don’t have to write it down. https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-bonneau.pdf
The final barrier is usability: can people actually use passphrases on the Internet? Sadly here the answer is “it depends.” The problem is that many website designers have decided on cargo-cult security procedures like “letters, numbers, special characters required”. Some even institute character limits.
If you’re looking for a recommendation here, I would urge you to do the following:
1. Use a good password manager with a strong random 6-8 word master passphrase.
2. Write it down (one safe place) and practice entering it from memory on a regular basis. You will eventually remember it.
3. Let the password manager generate passwords for individual sites.
There are no guarantees, but this is probably the safest way to keep passwords online.
And finally, as someone reminds me in replies (need quote toot here!): use 2FA/MFA wherever possible. Preferably 2FA/MFA based on an app/YubiKey rather than SMS codes.
(Do not ask me about backing up app 2FA, I don’t have a great answer.)
Also re-reading the early part of this thread I was a little fuzzy on how passphrases are generated, argh.
You have a dictionary of D words. You pick one word at random. And then you repeat this process N times. The clarification is: specific words can repeat more than once within a single passphrase. In practice this rarely happens (for large dictionaries) but it would certainly change the math.
@matthew_d_green I don’t think that a word appearing multiple times in a generated password “changes the math” unless you are somehow disallowing such cases. If a word appears multiple times in a list, then you have problems.
@jpgoldberg What I meant is sampling with replacement (D^N), i.e. each word is sampled independently of the other words and a given word can be chosen twice in the same passphrase. What I originally wrote sounds like sampling without replacement (D choose N), that is: pick N unique words out of the dictionary, one at a time so that a given word only appears once in a passphrase. The number of passphrases is slightly smaller in the second case.
@matthew_d_green, ah. I didn’t read the original as (D choose N) so I misunderstood your correction.
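The counting discussed above, as an added example (not part of the thread and not 1Password's code): it compares D^N with ordered draws that forbid a repeated word, and converts bits into an average guessing time at the thread's rate of 2^64 hashes per 10 minutes. The function names and the tiny demo word list are constructed for illustration.

```python
import math
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Guess rate quoted in the thread: about 2^64 hashes every 10 minutes.
THREAD_RATE = 2 ** 64 / 600


def bits_with_replacement(d: int, n: int) -> float:
    """log2(D^N): each word drawn independently, repeats allowed."""
    return n * math.log2(d)


def bits_without_replacement(d: int, n: int) -> float:
    """log2 of D*(D-1)*...*(D-N+1): ordered draws, no word used twice."""
    return sum(math.log2(d - i) for i in range(n))


def average_crack_years(bits: float, guesses_per_second: float) -> float:
    """A uniformly random secret is found, on average, after half the space."""
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR


def generate(words: list[str], n: int, sep: str = "-") -> str:
    """Uniform sampling with replacement, using the OS CSPRNG."""
    if len(set(words)) != len(words):
        # A word listed twice is picked twice as often, so D^N no longer holds.
        raise ValueError("duplicate entries make the draw non-uniform")
    return sep.join(secrets.choice(words) for _ in range(n))


if __name__ == "__main__":
    # (D, N) pairs taken from the sizes mentioned in the thread.
    for d, n in [(2048, 12), (2 ** 14, 6), (18000, 6), (18000, 8)]:
        w = bits_with_replacement(d, n)
        wo = bits_without_replacement(d, n)
        years = average_crack_years(w, THREAD_RATE)
        print(f"D={d:>5} N={n:>2}  {w:6.2f} bits  "
              f"(no repeats: {wo:6.2f})  avg {years:.3g} years")

    # Constructed demo list: far too small for a real passphrase.
    demo = ["overlook", "hooey", "valance", "flood", "useless", "ladyship"]
    print(generate(demo, 4))
```
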
@matthew_d_green The best Yubikey backup strategy is for the auth server to allow registering multiple security keys. This has been the canonical solution since the dawn of time, i.e. when security keys existed only inside Google and Yubico.
Also, the auth server needs to allow revoking individual security keys in case of loss, so be sure to give them names at time of registration.
@matthew_d_green repetition is the key to learning, I did it with random passwords (32 chars long). Yet there is something which is hard to explain: muscle memory loss. I have never remembered this password as it is; only my muscles did. And one day that memory connection broke and I could not restore it.
@udunadan That’s why Apple makes you enter it every 24 hours.
Also, the thing about passphrases (and I have no science to back this) is that you don’t really learn them through muscle memory. They’re just too long.
@matthew_d_green the thing wasn't that I forgot it; rather, it was a peculiar disconnect from muscle memory. I entered that password that very evening, successfully. But I guess most users won't experience the same situation.
@matthew_d_green #TP-link managed switches: "Password can be a maximum of 16 characters".