[venomsnake]

still won't help. This is security trough obscurity. It works only if the attacker don't suppose you use passphrase.

4000^4 gives 256000000000000 giving 3.3 bits of entropy per decimal digit it comes to 50 bits of entropy. Not too shabby but not that secure either. Your PCs rng may play you dirty tricks.

And of course there are all kind of legacy systems with password limitations to 32 or 16 character, but above 8 etc etc which would further reduce the pool.

Of course you could try your own password deriving mechanism. Take the first 16 characters of bcrypt(username,site domain) it will produce awesome passwords for any site that you will have easy time producing when needed. Until the hackers begin to suspect what you use if it becomes widespread.

(Disclaimer - not a cryptographer or security expert or particularly competent in anything)

[qnr]

> Take the first 16 characters of bcrypt(username,site domain)

Hey, that's the very definition of security through obscurity ;)

Here's a thought experiment I use when estimating security of similar password schemes: imagine you asked someone to come up with 1000 different mechanisms of generating passwords based on username and domain. Is your scheme is likely to be among them? If yes, this means it provides less than 10 bits of security.

[StavrosK]

What do you mean "not that secure either"? 8 random upper-lower-numeric characters are 47.6 bits of entropy, that is 47.8. I'd say that's decently secure, and the suggestion that you bcrypt your username with the site's domain for a salt is pretty much the definition of security through obscurity, like the other commenter said.

Please don't discourage good practices. Four random words is a lot better than "password123", though it would still take 1.5 day to crack it if it were stored as an MD5 hash. Six words would take 65 years at 1ghash/sec, which is pretty damn good, and better than a 12-char random password. 5 words would take 16 years, which seems like a pretty good compromise.

EDIT: Although, I don't like straight-up Shannon entropy as a measure of password strength.

[venomsnake]

I gave the bcrypt example as a anti-pattern if I didn't make myself clear.

Any password derivation scheme works brilliantly until you are the only one using it. The moment it becomes widespread and people begin to target it - it goes anywhere from significantly weaker to trivial to crack.

[StavrosK]

The problem with that is that password derivation is entirely reasonable and encouraged. It's what PBKDF2 does (the "KD" stands for "Key Derivation"). Securing your passphrase with a few thousand rounds of bcrypt and salting with the domain is a great way to strengthen it, since you don't have to trust any shitty MD5 password storage mechanism the site has, the attacker has to brute-force bcrypt to be able to get your master passphrase.

[phaemon]

It is not security through obscurity. It works even when the attacker knows I use a passphrase and has a copy of my dictionary. It's about the same security as a random 8 character password with lower and upper case, numbers and choice of 10 symbols.

Maybe that's no longer secure enough; I don't know how fast password crackers are now. So use "shuf -n 5" instead.

[StavrosK]

It doesn't work when the attacker knows you use this scheme, your username and the site's domain. There's no secret in that scheme, therefore it's pretty much the exact definition of security through obscurity. Add a password to it, though, and you pretty much have SuperGenPass.

[phaemon]

I think you replied to the wrong person here. I'm saying that the passphrase does not rely on security through obscurity. venomsnake's scheme does, though it appears he meant it to be exactly that (ie. an example).

[StavrosK]

Yeah, that was weird. You are correct in that comment, I posted the entropy equivalents in another comment in this thread (using 5 words is pretty secure).