
Are you using passphrases? Is it worth it?

Nowadays, most people use password managers (hopefully). However, there are still some passwords that you need to memorize, like the master password for a password manager, your phone lock, your Wi-Fi password, etc.

Security-wise, can a passphrase reach the strength of a good password without getting so long that it defeats the purpose of even using it?

80 comments
  • most people use password managers

    You don’t know many boomers, do you?

    • Best I can find,

      According to security.org survey data, in 2021, 22% of Americans said they used a password manager, but in 2023, the percentage increased to 34% with a further 10% of users saying they use a security passkey or other physical password device.

      So in the most generous interpretation of that, just over half of people are not doing anything secure.

    • Most people who matter

  • Yes, I use passphrases for stuff like my password manager, my computer login, and my disk encryption. For my login (which I type a lot) it's four words; for occasional stuff like disk encryption it's six. I'm sold on the argument that a passphrase is way easier to memorize compared to a comparably-secure random password.

    The number of possible passphrases is the number of words in the dictionary you use to generate passphrases raised to the power of the number of words in your passphrase (assuming a small chance of reusing the same word in a passphrase). I use this command to generate a random phrase using my stock OS word list:

    ```sh
    # Keep only words made purely of a-z (drops apostrophes, capitals, accents),
    # shuffle the list using /dev/urandom as the randomness source, take the
    # first five words, and join them with spaces on one line.
    grep -v '[^a-z]' "$WORDLIST" | shuf --random-source=/dev/urandom | head -n5 | paste -sd ' '
    ```

    grep -v '[^a-z]' $WORDLIST filters out words with apostrophes or other weirdness. On my system the filtered list is 77,866 words.

    For four words, 77,866 ^ 4 ≈ 3.7 × 10^19 possible passphrases.

    Compare that to randomly-generated passwords. I'll assume that random lowercase & uppercase letters, numbers, and symbols add up to 46 characters. The number of combinations is 46^n where n is the length of the password. A four-word passphrase is the same order of magnitude as secure as a 12-character password, which has about 9 × 10^19 possible combinations.

    I'm sure that if you make up your own passphrases instead of randomly generating them then the security is much lower.
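A worked version of the entropy comparison in the comment above, as an added example that is not the commenter's code: it converts "dictionary size to the power of word count" into bits of entropy, does the same for a random-character password, finds the shortest password that matches a given passphrase, and generates a passphrase with a cryptographically secure RNG. The 77,866-word dictionary and 46-symbol alphabet are the commenter's figures; 7,776 is the size of a standard diceware list (6^5). The word list in the code is a constructed toy list so the block runs offline.

```python
import math
import secrets

# Constructed toy word list so the example runs offline. A real list, such as
# the commenter's filtered 77,866-word system dictionary or the 7,776-word
# diceware list, would be loaded from a file.
SAMPLE_WORDS = ["anchor", "basil", "cobalt", "dune", "ember", "fjord", "gale", "harbor"]


def passphrase_bits(dictionary_size: int, words: int) -> float:
    """Entropy in bits of `words` words drawn uniformly, with replacement,
    from a dictionary of `dictionary_size` entries: words * log2(size)."""
    return words * math.log2(dictionary_size)


def passphrase_bits_without_replacement(dictionary_size: int, words: int) -> float:
    """Same, but for a generator that never repeats a word (as `shuf | head`
    does): log2(N * (N-1) * ... * (N-k+1)). For large dictionaries the
    difference from drawing with replacement is a tiny fraction of a bit."""
    return sum(math.log2(dictionary_size - i) for i in range(words))


def password_bits(charset_size: int, length: int) -> float:
    """Entropy in bits of a random password of `length` characters, each
    drawn uniformly from an alphabet of `charset_size` symbols."""
    return length * math.log2(charset_size)


def equivalent_password_length(dictionary_size: int, words: int, charset_size: int) -> int:
    """Smallest random-character password length with at least as much
    entropy as the given passphrase."""
    return math.ceil(passphrase_bits(dictionary_size, words) / math.log2(charset_size))


def generate_passphrase(wordlist: list[str], count: int, sep: str = " ") -> str:
    """Draw `count` words with a CSPRNG (secrets, not random). Duplicated
    entries in the list would make some words more likely than others and
    silently lower the real entropy, so reject such a list."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("word list contains duplicates")
    if count < 1:
        raise ValueError("need at least one word")
    return sep.join(secrets.choice(wordlist) for _ in range(count))


if __name__ == "__main__":
    for size, n in ((77866, 4), (77866, 6), (7776, 6)):
        print(f"{n} words from {size:>6}: {passphrase_bits(size, n):5.1f} bits "
              f"~ {equivalent_password_length(size, n, 46)}-char random password (46 symbols)")
    print("toy passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
```

Four words from the 77,866-word list come to about 65 bits, and a 46-symbol random password needs 12 characters to match that, which is the comparison the comment makes. The figures only hold when every word is chosen uniformly at random by the generator; a phrase the user invents is drawn from a far smaller, non-uniform space and the formula does not apply to it.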

  • I do use a password manager, and a lot of my passwords are automatically generated piles of random ASCII.

    There are of course passwords I have to key manually a lot, especially the master key of my password database. I often use passphrases for these. The ones I have to commit to memory, or even need to key manually reading with my eyes from my database, or in the case of my Wi-Fi passwords tell to other people, I make fairly human readable/typeable. Trying to key lFqvC3]gI~l8p2V6TvTY&p in is a pain in the ass even in a font that renders that uppercase I and lowercase L as different glyphs. Something like corrEct_horse battery staPle, well, I worked in an underscore and two capitals in something I can still touch type pretty effectively. Don't use correct horse battery staple as a password; it's burned.

  • I use passphrases for frequently used logins and randomly-generated passwords of varying lengths for everything else. I also use a hardware key and/or 2FA for everything that allows it.

    I'm conversationally fluent in a few different languages (enough to order food, greet people and ask directions to the shitter, anyway) and I can swear in another half-dozen languages so I tend to mix'n'match my passphrases with different foreign words. Bonus points for accented characters. That's probably not gonna fool a dictionary-based attack but since I live in a (mostly) English-speaking country, it might make it interesting for the English-only speakers to try guessing.

    At work, we're held to the outdated policy set by the IT department so it can be difficult to be creative. On top of that, they force a password change whenever someone sneezes so I see a lot of sticky notes on monitors and under keyboards.

    Edit: spelling and grammar.

  • I use an open source password manager and long random passwords for most things.

    My master password is a long phrase though, as well as any I have to type personally sometimes. Passphrases are so much easier to type as well.

  • All my manual passwords are passphrases.

    This is basically based on the idea that if the password is so strong I can no longer input it, it has no inherent value anyways. A phrase makes it easier to use entire sentences as a password and readily recall them.

    Of course, these are but a minority, the rest are passkeys or passwords a manager will fill in.

  • I use diceware passphrases for any passwords I need to type in (SSH keys, logging in, decrypting my hard drive, master password for password manager, etc). It's the most secure way of setting a password you have to remember and type. Especially since my auto-generated passwords contain special characters I wouldn't be able to type without just using those ways of entering some escape sequence and typing a Unicode sequence.

  • Define 'strength'... against a dictionary attack? Brute force? Social engineering? 'forgotten password/recovery questions' hack? Stolen session cookie? Keyloggers?

    If you're not aware of the above, take some time to learn about each of those things and how good security practices counter each one.

    The question is kind of like, 'can you bake a cake?' .. probably yes, but it's really missing a lot of essential information, like what kind of oven, what ingredients do you have, what's your skill level, do you have arms, etc.

    Any 'passphrase' can be secure or insecure, depending on the other surrounding factors. 2FA solves many security weaknesses.

    • forgotten password/recovery questions

      This is the security industry's dirty little secret that doesn't get talked about in public enough.

      All the excellent security on a site, including complex passwords, perfectly secure storage of a salted hash of that password, multifactor authentication using TOTP, etc., is completely moot if someone can just hit "I forgot my password" (or "I don't have my second factor") and bypass it by doing an email loop. You instead rely on the security of the user's email account.

      • For email there is an easy solution: create a shared alias on addy, confirm it as your recovery email, forget the alias 👌

  • I tend to use random lines of code that don’t make much sense.

    For example:

    W0rds::Format(a[0],b[9])->Render(delta);

    Lengthy, memorable, incorporates numbers, special characters, upper and lowercase.

    The challenge is having to type it in on phones or other devices not a computer.

    I don’t currently use a password manager, but I probably should.

  • I use a short passphrase that I made up that only I and my husband know. It consists of numbers, a special character, a word, and more numbers.

    Then whatever I'm logging in to, my password consists of something relevant to the thing, with my passphrase appended to it.
