this post was submitted on 19 Mar 2024
78 points (94.3% liked)

Asklemmy

43755 readers
1511 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy ๐Ÿ”

If your post meets the following criteria, it's welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~

founded 5 years ago
MODERATORS
 

Nowadays, most people use password managers (hopefully). However, there are still some passwords that you need to memorize, like master password (for a password manager), phone lock, wifi password, etc.

Security wise, can passphrase reach the strength of a good password without getting so long that it defeats the purpose of even using it?

you are viewing a single comment's thread
view the rest of the comments
[โ€“] Saigonauticon@voltage.vn 6 points 7 months ago* (last edited 7 months ago) (1 children)

Sure. You can either increase the dictionary of possible words, or increase the number of words or both. Eventually it will become unwieldy. I don't bother with passphrases though.

I generate passwords of sufficient entropy (random ASCII), store them securely (encrypted, key memorized, on dedicated hardware), and never re-use them. I don't trust password managers unless open-source. I don't need convenience -- to some extent, it's my job to manage other people's secrets. Since I'm being paid, no need for shortcuts.

[โ€“] Wes_Dev@lemmy.ml 2 points 7 months ago* (last edited 7 months ago) (3 children)

Same. Pass phrases seem like a solution to a problem that doesn't exist anymore. We don't live in a world where people should be reusing and memorizing strong passwords. We live in a world with frequent user data theft and scams to glean your login info. Just last week, I started getting random login attempts from around the world for a Microsoft account I haven't used in over a decade. No idea when or how that info got leaked.

And people aren't equipped to memorize a different passphrase for all 30 of their accounts.

So, we should do what we always do: Get machines to make the issue easier for us to manage. Right now, that means password managers with a strong master password and secure storage.

In the future, maybe we'll have some kind of creepy central government ID based password-less login method. Who knows?

Edit: Besides, most services require ThIrTeEn dIgIt lOnG PaSsWoRdS WiTh fIvE SpEcIaL ChArAcTeRs aNd sIx nOn-cOnSeCuTiVe dIgItS Of pI ThAt dOeSn't mAtCh aNy kNoWn dAtE Or eVeNt oR SpEcIaL StRiNg oF NuMbErS. It's just too annoying, and I'd have to memorize all the special characters in addition to the phrase.

[โ€“] AndrasKrigare@beehaw.org 4 points 7 months ago

OP kinda already addressed that. A password manager is great, but you still need a master password, so do you use a passphrase for that?

[โ€“] Saigonauticon@voltage.vn 3 points 7 months ago

Yeah, I hate that. Forcing me to input special characters makes my password slightly less secure. Of course I'll include them by default, but now an attacker can eliminate all passwords without special characters. Most people just put the number 1 or a period at the end of their existing, frequently re-used password anyway. Or capitalize the first or last letter. So it doesn't make it really harder to crack dumb passwords.

It's like we've optimized passwords to be hard for humans to remember, but easy for humans to guess!

[โ€“] Schlemmy@lemmy.ml 2 points 7 months ago (1 children)

Those government id based login methods are quite common and very secure. Belgium has a system that used your ID, your phone number and your phone to verify your login. A lot of EU banks have been using a OTP generated by a dedicated hardware that looks like a tiny calculator. The Netherlands has a dedicated app that is verified by your government id and that uses a qr to verify your identity.

[โ€“] Wes_Dev@lemmy.ml 1 points 7 months ago (1 children)

They can be good quality, yeah. But I'm more worried about having to basically present a digital-equivalent of a driver's license if I want to sign up for Netflix, or watch porn, or order food. And if ID system routes every request to a central location first, then you get stuck with de-facto tracking on everything you ever do, no matter how good the company's privacy record is. That's what I meant by creepy.

[โ€“] Schlemmy@lemmy.ml 2 points 7 months ago

Thank God for GDPR. That would be impossible in the EU. ID's can only used in very specific cases that are detailed in the law.