[mrmagooey]

Aren't passphrases kind of a bad choice for passwords? If all you are ever really guessing is the symbols that make up someones password, and you know that for example they have 4 words that make the passphrase, then you effectively only have to iterate 4 symbols with a known list of possibilities for each symbol (i.e. the dictionary).

If you compare the permutation space of a short passwords (length 7) with random characters (say ~80 potential symbols), with a long(er) password made up of 4 english words (say ~3000 potential symbols, the most commonly used english words).

    character_symbols = 80
    word_symbols = 3000
    number_of_character_password_symbols = 7
    number_of_word_password_symbols = 4
    permutation_space_characters = character_symbols**number_of_character_password_symbols
    permutation_space_words = word_symbols**number_of_word_password_symbols
    print('%.2E' % permutation_space_characters, '%.2E' % permutation_space_words)
    ('2.10E+13', '8.10E+13')

The words space is four times bigger, but in the same magnitude as the short (bad) password. I'm not an expert here, so I might have stuffed it up, but it seems like passphrases shouldn't really be encouraged?

I do love the recommendation to remove time-based password expiry though.

[kderbe]

Yes, 80 ^ 7 has the same order of magnitude as 3000 ^ 4. But passphrases are recommended because many folks can memorize a passphrase more easily than a password of equivalent complexity. Or because a typical user's idea of an okay password ("Johnny88") has less entropy than a passphrase.

Passphrases are unnecessary for users with a password manager, except maybe for the manager's master password.

[kevhito]

Everything in the article is spot on, I only wish they went further and recommended passphrases more strongly. It's correct horse battery staple and all that.

As for your calculation, you are about right. Except memorizing a completely random 8 character password drawn from an 80 symbol alphabet is /extremely/ unpleasant for most people, especially when you may have a few different passwords you use on a daily or weekly basis. And for passphrases, 6 words drawn from a 4096-word dictionary is typical. I use that setting (or even 8 words for more important things) and have easily memorized about a dozen passwords, even ones I use only once every few weeks.

40966 = 4.7e21, about the same as an 11-character random password.

[Biganon]

So you have memorized the equivalent of a 60-word nonsensical poem?

[marcosdumay]

Well, you only need to memorize the passphrase of your password manager's file.

[dannysu]

What we should really talk about is the password entropy like what you've done.

If you take the xkcdpass package from Ubuntu, it uses a word list of 41230 words by default [1]. That's 41230^4 and about 61-bit of password entropy. If you want to use a smaller word list, add words to the passphrase until you reach a desirable password entropy.

Using your example of 80^7 for random characters, that's only 44-bit password entropy. So in this case, xkcdpass gives you a stronger password with just 4 words. If you want to reduce the word list to 3000, just add 1 more word and it's 46-bit password entropy. A decision between 7 random characters vs 5 words.

I personally prefer random characters because you can up the entropy significantly, and I have no problem remembering random sequence in the mid-teens range. That can easily get you 90-bit entropy or more. Everything else is saved in my password manager and there you can up the entropy even more. My auto-generated passwords are usually around 200-bit entropy.

  [1]: https://github.com/redacted/XKCD-password-generator

[oneeyedpigeon]

> I personally prefer random characters because you can up the entropy significantly

Isn't it far easier to up the entropy of a passphrase, though? Unless your password is using the entire Unicode character set, adding a word to a passphrase is going to give you better entropy than adding a character to a password, and it will probably be easier to remember since you can - reasonably safely - give it contextual meaning.

[hexane360]

Now use a couple words not in the top 10,000. Suddenly your complexity goes waaay up.

[mark-r]

How do you know how many words are in the passphrase?

[mrmagooey]

You don't I guess, I'm just using 4 as an example (it's also the number of words used in xkcd's password strength comic).

[mark-r]

I only ask because a different answer will change the math drastically.

[paulmd]

No it doesn't. Your password has as much entropy as it has, and no more.

If you want to follow that train of thought to its logical conclusion, your attacker not only doesn't know the length of the password, they don't know what character sets make up the password either, and so you could claim that a 4-character numeric password is equally secure to a 64-character Unicode password. In fact by inductive reasoning 4-digit password could be said to have pretty much any finite amount of entropy, because how does the attacker know that it's not actually length N+1?

Yes, the attacker not knowing exactly what the password class is (words/character set/length) does help somewhat in a practical sense. But it doesn't "change the math" at all, if you have 3000 symbols (words) and your password is 4 of them then you have 3000^4 possible passwords. You don't get to count passwords that are not in your password class as part of your entropy.

[mark-r]

I didn't mean math in general, I meant the math used in the post I was responding to, which had some unfounded assumptions. I can make assumptions too with vastly different outcomes, I'm sure that 10 random unrelated words are more secure than 10 random unrelated characters.