by jsjohnst
827 days ago
It bothers me how much folks parrot this XKCD, especially using it to imply passphrases are superior. They are in fact not! Four common words are definitely easier to remember, but is it really feasible to remember hundreds (thousands?) of truly unique four-word combinations easily? I would argue strongly it’s not for most people, so then you’re still using a password manager for the vast majority of passwords. Yes, you still need to remember a few, where then passcodes are ok.

Also, many sites have arcane password complexity requirements (protip site owners, the only thing that really matters is length) which may not allow for your passphrase as suggestingly formatted by XKCD, thus needing a password manager more.

If we are using a password manager as we should be, there is no real justification for using memorable passwords for the majority of passwords.

Let’s use the example from XKCD:

correct horse battery staple = 2048^4 = 2^44

If instead we use the same length of 28 characters with the full range of characters allowed by most websites:

M4Uk@gQRU!JFgwlI6MV$VV39TEA. = 70^28 = ~2^172

Dunno about you, but I’ll gladly take significantly more entropy with zero extra cost any day.

But if I need to log in on a device where my password manager is not installed, or you can't use a password manager (e.g. Windows UAC prompt, Linux tty), it will be way easier to open my password manager on my phone and type a password rather than a long random string.
I don't use a passphrase for every login, but for some logins where I think it could be beneficial to easily type it without using autofill I use them.
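
An added example, not part of either comment above: it generates both kinds of secret with a CSPRNG and reproduces the thread's entropy figures, including how many random words it takes to match 28 random characters. The function names, the eight symbols in the 70-character alphabet, the complexity rule and the placeholder word list are assumptions made for illustration.

```python
import math
import secrets
import string

# Assumption: a 70-symbol alphabet, chosen to match the comment's 70^28 figure.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&."  # 52 + 10 + 8
# Constructed placeholder list of 2048 tokens (the list size behind 2048^4);
# substitute a real word list in practice.
WORDS = [f"word{i:04d}" for i in range(2048)]


def entropy_bits(choices, picks):
    """Bits of entropy in `picks` independent uniform draws from `choices`."""
    return picks * math.log2(choices)


def words_needed(target_bits, list_size=len(WORDS)):
    """Smallest number of random words whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def passphrase(n_words, words=WORDS, sep=" "):
    """Draw each word with a CSPRNG; the estimate fails for human-picked words."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def random_password(length, alphabet=ALPHABET):
    """Uniform random string, redrawn until it has a lowercase letter, an
    uppercase letter, a digit and a symbol (an assumed complexity rule).
    Redrawing whole strings keeps the result uniform over accepted strings."""
    if length < 4:
        raise ValueError("length must allow one character of each class")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(not c.isalnum() for c in pw)):
            return pw


if __name__ == "__main__":
    chars = entropy_bits(len(ALPHABET), 28)
    print(f"28 random characters: {chars:.1f} bits, e.g. {random_password(28)}")
    print(f"4 random words:       {entropy_bits(len(WORDS), 4):.1f} bits, "
          f"e.g. {passphrase(4)}")
    print(f"words needed to match 28 characters: {words_needed(chars)}")
    print(f"words needed for 80 bits:            {words_needed(80)}")
```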