this post was submitted on 19 Mar 2024
76 points (94.2% liked)

Asklemmy

43788 readers
783 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy πŸ”

If your post meets the following criteria, it's welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~

founded 5 years ago
MODERATORS
 

Nowadays, most people use password managers (hopefully). However, there are still some passwords that you need to memorize, like master password (for a password manager), phone lock, wifi password, etc.

Security wise, can passphrase reach the strength of a good password without getting so long that it defeats the purpose of even using it?

(page 2) 32 comments
sorted by: hot top controversial new old
[–] communism@lemmy.ml 2 points 7 months ago

I use diceware passphrases for any passwords I need to type in (ssh keys, logging in, decrypting my hard drive, master password for password manager, etc). It's the most secure way of setting a password you have to remember and type. Especially since my auto generated passwords contain special characters I wouldn't be able type without just using those ways of entering some escape sequence and typing a unicode sequence.

[–] Crotaro@beehaw.org 2 points 7 months ago (2 children)

I have one that I like to imagine as secure as fully randomised passwords. It's four words but, because I'm a cool pwnz0r, the second and last word are written in leetspeak. The phrase is super easy for me to remember and the leetspeak portion has become muscle memory by now. But I only use it for my password manager. For everything else it depends if there's a good chance I'll need to login via my phone (no pw manager there). If yes, I use one of my couple rather-safe passwords. If no, I'll let KeePass2 go to town with a random one.

Oh and I'm subscribed to the haveibeenpwned leakletter, so i know as soon as possible when definitely to change my password.

load more comments (2 replies)
[–] SecretPancake@feddit.de 2 points 7 months ago

Yes, on my password manager and computer logins. I love them because they are so easy to memorize and still secure enough to use in these scenarios. My Laptops are at home or with me. Someone cracking that is highly unlikely and I don't want to look up and manually type random passwords from my PW manager every time. 1Password itself needs a second long password for new devices to login, so I'm not worried about that. Everything else has very long random passwords which I store in 1Password.

[–] electric_nan@lemmy.ml 2 points 7 months ago

Use diceware to generate a nice long nonsense passphrase, and use that for your password manager master password. Keep it written down somewhere until you are sure you've memorized it.

I use a short passphrase that I made up that only I and my husband know. It consists of numbers, a special character, a word, and more numbers.

Then whatever I'm logging in to, my password consists of something relevant to the thing, with my passphrase appended to it.

[–] ShadowCatEXE@lemmy.world 1 points 7 months ago

I tend to use random lines of code that don’t make much sense.

For example:

W0rds::Format(a[0],b[9])->Render(delta);

Lengthy, memorable, incorporates numbers, special characters, upper and lowercase.

The challenge is having to type it in on phones or other devices not a computer.

I don’t currently use a password manager, but I probably should.

[–] luthis@lemmy.nz 1 points 7 months ago* (last edited 7 months ago) (2 children)

Define 'strength'... against a dictionary attack? Brute force? Social engineering? 'forgotten password/recovery questions' hack? Stolen session cookie? Keyloggers?

If you're not aware of the above, take some time to learn about each of those things and how good security practices counter each one.

The question is kind of like, 'can you bake a cake?' .. probably yes, but it's really missing a lot of essential information, like what kind of oven, what ingredients do you have, what's your skill level, do you have arms, etc.

Any 'passphrase' can be secure or insecure, depending on the other surrounding factors. 2FA solves many security weaknesses.

load more comments (2 replies)
[–] xmunk@sh.itjust.works 0 points 7 months ago

I use a leetified (using my own custom flavor) passphrase as my master password - I can type it really quickly and it's obscure as hell so I'm happy with it.

[–] sordid@procial.tchncs.de 0 points 7 months ago (1 children)

@Wistful@discuss.tchncs.de Why would the passphrase being long defeat the purpose of using it. That's half the purpose of using passphrases.
Make sure to use made up words or proper nouns and put a pin in an unexpected place. That's an easy way to change it without replacing the whole passphrase

[–] Wistful@discuss.tchncs.de 1 points 7 months ago (2 children)

I was thinking it would be easy to brute force if just instead of guessing character by character you do word by word...but I guess just adding one special character randomly would make it a non issue.

[–] Revan343@lemmy.ca 2 points 7 months ago

There are a lot more words than there are characters, even including special characters, so if it is actually randomly generated from a large dictionary, a passphrase is much harder to guess

[–] luthis@lemmy.nz 1 points 7 months ago

Brute force is only a thing when either they have the password hash, or the login portal is susceptible to brute force (ie shite). Both cases are rare.

[–] tobogganablaze@lemmus.org -1 points 7 months ago

No, I just memorize the proper password.

load more comments
view more: β€Ή prev next β€Ί