
WordPass – Hate passwords, love passphrases - markhemmings
https://wordpass.io/
======
spinchange
Don't most password managers have a feature that enables you to _locally_
generate a random, high-entropy password? If you're using a manager in the
first place you don't really need to remember it, right?

Also, I've always wondered if it was better, worse, or of no consequence to
leave spaces in a passpharse.

~~~
ChikkaChiChi
It can't hurt.

While a space is considered another character, I've come across more than a
few instances in which blank characters are scrubbed from user input fields.

So even if you add one, it's entirely possible that it's ignored.

------
gioi
Don't _seriously_ use this tool.

"People shouldn't use passwords that have been generated by a remote service
unless they have very very good reasons to trust the tool and the transmission
of the data." [0]

Passphrases are generated server-side, and this mines at the heart the
security of the system. Are password saved? Yes? No? Who knows?

And you can trust a pair of dice more than an unknown website. Look up
_diceware_ on the web and see what I mean.

\--

[0]
[http://discussions.agilebits.com/discussion/10684/password-w...](http://discussions.agilebits.com/discussion/10684/password-
with-real-words-like-diceware-really-safe)

~~~
fennecfoxen
I also thought that particular XKCD comic was obsolete and debunked at this
point. Modern password-crackers aren't ASCII-character-at-a-time and know
about dictionary words (and all your 1337sp33k substitutions and trailing
numbers).

~~~
ephemeralgomi
Link to where the XKCD comic was debunked or shown obsolete? Most of the
responses I've seen to it were of the form "well, yeah, but you're not gonna
remember a hundred different passphrases, it's much better to use a password
manager."

~~~
fennecfoxen
"The oft-cited XKCD scheme for generating passwords -- string together
individual words like "correcthorsebatterystaple" \-- is no longer good
advice. The password crackers are on to this trick." \-- Bruce.

[https://www.schneier.com/blog/archives/2014/03/choosing_secu...](https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html)

~~~
zokier
I'm surprised that Schneier would make such a comment. Entropy is entropy, the
"difficulty" estimates already except that attackers are fully aware of the
method and the dictionary used.

------
chimeracoder
I support the conclusion of this XKCD comic, but the math always seemed off to
me.

Lets say your dictionary has 100,000 words[0], and your attacker has access to
the same list. If the attacker _knows_ that you have chosen four words off of
that list, he still only has a 1/4,166,416,671,249,975,000 chance of guessing
the right permutation (not combination!). That's less than 2^61, which is
certainly very secure.

However, the entropy calculation in the XKCD comic assumes that the characters
are uncorrelated with each other, the way they would be if you used a random
sequence of characters as your password.

(Of course, this assumes that you choose the words truly (pseudo-)randomly,
and not "cherry-picking" permutations that are easy to remember.)

[0] Not unreasonable - /usr/share/dict/words on Ubuntu has over twice as many.

~~~
seventytwo
What common user do you know of that has a 100,000 word vocabulary? My point
being that a list of the 10,000 most commonly used words would most likely be
sufficient to cover most combinations of pass phrases.

~~~
paul_f
It would seem that word length is important too. Between 5 and 8 characters.
Wouldn't that drop in half the size of the vocabulary?

~~~
crpatino
No, word length has (almost) nothing to do with it.

XKCD assumes each word has, regardless of length, 11 bits of entropy. It
implies that you are picking up each word out of a dictionary of the 2^11
(2048) most common, non-trivial[1] words. And truly, example words are common:
correct, horse, battery, staple.

Contrast this with the "classic" example. You pick a single base word from a
larger list (16 bits of entropy == 64K-word dictionary) of longer, more
complex (troubadour, 10 letter long) words, and then subject it to a number of
transformations to pump its entropy another 12 bits.

The key insight of this piece is that attackers have moved over to techniques
that make password length a poor estimator of its entropy level. It is the
rarity of the base word that makes the lion's share of a password entropy,
with length adding marginal improvements, mostly from the increased chances to
pack more transformations into it.

This gets lost on the discussion of the comic's main thesis and less subtle
insight that it is easier to add entropy by increasing the number of base
words than by adding transformations to a single base word.

[1] I am removing trivial words of length < 4 because if you choose from them,
you may end up with a password with length between 4 and 12, which may be
brute-forced without regard for dictionary attacks now or in the near future.
Shortest word in the provided example is "horse" which is weak evidence in
favor of this hypothesis.

------
equivrel
I would suggest increasing the maximum length from 5. Many applications that
don't use iterated hashing schemes like PBKDF2 recommend much longer
passphrases for security against brute-force [1].

[1] Off the top of my head: cryptsetup with plain dm-crypt recommends a random
English sentence of > 135 characters length (i.e. a passphrase of 27 words at
5 characters per word).

~~~
markhemmings
It was a larger number at first, but try remembering say 10 words in a row
over a long period of time; most people find that difficult. If hashing is
implemented properly (i.e. is slow with a large number of iterations) then
passphrases shouldn't have to be that long. And if it isn't, then pretty much
anything you use will be as bad as each other (Some people are still using MD5
for example!!) :)

~~~
equivrel
I don't see the harm in leaving the option in, given that for some
applications a longer passphrase is critical (not everything can use iterated
hash schemes: for instance if you want to deniably encrypt a hard drive
partition to look like random data).

EDIT: also, 'explicit' is a nice touch, makes some pretty memorable
passphrases, but I hope you're not taking from a small list of profanities,
since that would seriously diminish the entropy. Be sure to factor in the
(probably) much smaller number of possible 'explicit' passphrases when doing
entropy calculations.

------
IanDrake
Security concerns aside, I don't get it...

It generated "enterlongrangealfredgreeted". How does that help me? I haven't
seen a site that would allow for a password like this in a long time. It's too
long, it doesn't have at least one cap, one number, and one symbol. So, what
good would this do?

~~~
__david__
Really? 90% of sites I run into don't have those restrictions.

~~~
Kluny
The sites where you care the most about security do: Ebay, PayPal, my bank,
all government websites (Canada).

------
blueblob
I have always had a problem with this xkcd because most sites would disable
your password after a number of bad guesses (making it not really matter that
much), and additionally I don't see where 2^44 comes from. Taking the average
word length selected and then computing the entropy using the average word
length 4 times? Why not use the number of potential dictionary words and raise
that to the 4th?

    
    
        echo "l($(wc -l /usr/share/dict/american-english|cut -d' ' -f1)^4)/l(2)"|bc -l
    
        67.44701327930010565796
    

So we get a better power of 2 and a more accurate estimate. Granted one could
filter the word list down to words that people actually know (which
exceptional people normally know about 75,000 but most people know only
50,000[1]).

    
    
        echo "l(75000^4)/l(2)"|bc -l
    

64.77841190063187168389

    
    
        echo "l(50000^4)/l(2)"|bc -l
    

62.43856189774724695805

So I guess it's still better but it seems like a pretty big oversimplification
to assume a length of word (especially a uniform one) and it shouldn't be that
much harder to calculate the actual value. Maybe I did something wrong, I
don't know.

[1]
[http://news.bbc.co.uk/2/hi/uk_news/magazine/8013859.stm](http://news.bbc.co.uk/2/hi/uk_news/magazine/8013859.stm)

~~~
equivrel
Online bruteforcing is not feasible except for extremely weak passwords or
sites with security vulnerabilities. What is feasible is bruteforcing stolen
password hashes (think Adobe leak) or say a hard drive encrypted with a
memorable password, and this is where secure passphrases come into play.

~~~
williamcotton
Or better yet, deterministic public keys like is seen with bitcoin.

------
peterwwillis
While I applaud the nifty tool, we should be trying to get away from single-
factor authentication wherever practical. It's also possible that the use of
phrases could incur the same mis-use as passwords (common phrases, common
words, reusing the same phrase on multiple sites, etc). Passwords just aren't
a good idea anymore. (Side note: _a lot_ of password fields i've seen limit
you to something like 12 characters; how secure can our phrases be at this
length?)

~~~
equivrel
Don't forget that passphrases are also have security uses other than
authentication: symmetric encryption of private keys, disk/file encryption,
etc. where their use is pretty much unavoidable. Obviously a very long
randomly-generated encryption key saved to a usb stick is more resistant to
brute force than a memorable passphrase, but you still want to symmetrically
encrypt it with a good passphrase to keep it (relatively) secure in case it
gets into the wrong hands.

------
ChikkaChiChi
This is a simple explanation of why passphrasing is better. Please bear with
my laymen's mathematics because this isn't my forte:

Let's us XKCD as an example. Your passphrase is correcthorsebatterystaple but
since you hate typing out things you abbreviate it to chbs.

In most English passwords, you are limited to the characters visible to you on
your keyboard; 52 letters (caps and lowercase), 10 numbers, 32 symbols. That
means each piece of your password has 94 possible options. That means there
are over 78 million possible combinations to be tried to correctly guess chbs.
When you realize that computers can hash through several billion attempts PER
SECOND, your password starts to look like a terrible idea.

By typing out correcthorsebatterystaple, you go from 94^4 to 94^25. This is
what XKCD points out and it's obvious that this is a big gain.

But it gets better than this...

Let's assume that crackers start to use rainbow tables full of common words
used to build phrases like this. Instead of treating passwords by the number
of characters, they start hammering on the number of words that are possible.

Instead of increasing the exponent of the perceived slot, you've gone from 94
possible options to however many words there are in the English language. So
instead of 94^4, you're dealing with numbers like 250000^4.

This is why security people think passphrasing is better than passwords and
why sites like Microsoft that limit you to only 20 character passwords are
assholes. It's not the perfect solution, but it will help.

TL;DR: Passphrasing increases the security in your credentials in more ways
than you are probably thinking. Do it. DO IT NOW.

~~~
crpatino
The spirit of what you mean are right, but the details are all tangled up.

Example 1: "chbs". 94^4 is way too optimistic. Your upper bound is 26^4,
though if you get a smart attacker, he will figure out that 'c', 'h', 'b' and
's' are all more likely than 'x' or 'q' (though less likely than 'e' or 't'),
and prune the search tree accordingly. Honestly, it does not really matter
because with just 4 chars long, he can afford to just brute-force it anyways.

Example 2: "correcthorsebatterystaple". While much, much better than "chbs",
94^25 is completely off-base. That would imply that you are using all
printable ASCI characters in your passphrase. The other figure you mention,
250000^4 is closer to the mark, though it implies you are picking your samples
from a 25,000 word dictionary.

XKCD does not make that assumption, it explicitly uses a small dictionary
(2048 words) to let it clear that you do not depend on picking "epic words"
for the scheme to stand. You can use simple, every day (e.g. easy to remember)
words and still come ahead of the other approach.

------
heavymark
Most all sites I use (several hundred) have password limitations that would
prevent these passphrases from working as they require uppercase, lowercase,
special characters and or numbers or length.

Though ultimately, of all the sites people use, they wouldn't be able to
remember a special passphrase for each and if they are using the same one for
each site that's even worse.

So ultimately it sounds like people should continue to use 1Pass to generate
all the special password characteristics but then use this site's ideas as a
basis for your single 1Password Master Password. Also maybe for your email
account since if you ever lost access to your master password or vault the
only way to reset all your passwords may be via email.

------
nikcub
or shell alias:

    
    
        cat /usr/share/dict/words | awk 'BEGIN{srand();}{print rand()"\t"tolower($0)}' | sort -k1 -n | cut -f2 | head -n 4 | tr "\\n" " "
    

suggestion would be to find a better word list than the default aspell since
that is the entire Oxford dictionary, which isn't as memorable (although it is
an interesting way to learn about new words).

~~~
__david__
Or, if you have GNU coreutils installed (on linux, for example):

    
    
        shuf -n 4 /usr/share/dict/words

------
ivanhoe
Actually this is not such a good idea, this type of passwords is very easy to
break with modern dictionary attacks. Just get yourself a password manager and
generate really random passwords. If you really have to remember the password
then at least try to mix the words with numbers and non-alphanumeric chars.

~~~
gioi
Reynold (Diceware creator) says:

"Five words are breakable with a thousand or so PCs equipped with high-end
graphics processors (criminal gangs with botnets of infected PCs can marshal
such resources). Six words may be breakable by an organization with a very
large budget, such as a large country's security agency. Seven words and
longer are unbreakable with any known technology, but may be within the range
of large organizations by around 2030. Eight words should be completely secure
through 2050."

[http://world.std.com/~reinhold/dicewarefaq.html#howlong](http://world.std.com/~reinhold/dicewarefaq.html#howlong)

~~~
ivanhoe
This type of estimates is relevant for brute force attacks, it's very hard to
estimate how efficient a smart dictionary attack is. It very much depends on
the size of the dictionary used for picking the words and if the words are
picked in a truly random manner... which I really doubt because people will
probably tend to pick short, common words that are easy to spell and memorize.

------
lurkinggrue
Couldn't you just make a ruleset for this? Might make it a bit easier since
it's all dictionary words.

------
_kst_
Why does it delete the blanks between the words?

~~~
lukasm
or at least make it black, gray black, gray

------
ozh
Nice touch on displaying the words on hover

------
oddshocks
"Explicit" option is only option

~~~
opejn
Yes, it makes the passphrases a lot more memorable. But when there's
guaranteed to be at least one taboo word in a passphrase (and it looks like 2+
is likely even with only four words), I think it's reducing the search space
too much.

