
Passwords or Pass Words?

Preview:

A comparison between random passwords and what Bitwarden calls passphrases, which I consider "pass words".

An alternative to random passwords is the idea of pass words. Bitwarden calls them passphrases, but they are not phrases: they are 3 to 5 words picked at random from a 7,776-word list, with no grammar tying them together. The idea is that for your password safe, and perhaps a couple of other sites whose password you type or remember rather than paste, four random words may be easier to type and just as secure as a random string of characters.

So, which is safer? Let's start with the basics. A good password must be one that no one has ever used before. Numerous data breaches have handed attackers hundreds of millions of real passwords. If anyone has ever used a password, it is probably in a cracking wordlist already, so it will be tried early and cracked quickly.

So, we all understand random passwords which would look like this:
RzON#@*7j86tkmI5txp3k!haao

while a passphrase will look like this:
Shower@Discern@Anaconda5@Yanking

Clearly, if you ever need to remember one of these, type one, or read one out to someone, the passphrase is the only practical choice. But how safe is it?

I'll use the options in Bitwarden's generator as the model for these calculations. Bitwarden lets us choose whether to capitalize the words, which separator goes between them, and whether a numeral is included.

There are three factors to consider when understanding or calculating password strength or space.
  1. The set size
  2. The length
  3. Complicating factors
Let's look at each of these.

Imagine you have a password made up of only lower case letters. That is a base set of 26. Upper and lower case would be 52. Upper case, lower case and numerals would be 62. Bitwarden has found that so many sites restrict which symbols they accept that its generator uses only 8, making the full set 26 + 26 + 10 + 8 = 70 characters.

If your password is 1 character long, there are 70 possible passwords. If it is three characters long, there are 70^3 (70*70*70) = 343,000 possible passwords. Each extra character multiplies the space by 70, so it grows fast: a 15-character password has 70^15 = 4.747561509943E+27, or 4,747,561,509,943,000,000,000,000,000, possibilities.

Now, a 4-word passphrase drawn from 7,776 possible words gives 7776^4 or
3.65615844006298E+15 possibilities.

If each of the four words may be capitalized or not, that is 2^4 = 16 combinations, so we have 16 times as many, or 5.84985350410076E+16. A single separator chosen from 8 characters and used between every word multiplies that by a further 8, to about 4.68E+17. The conservative assumption, though, is that the attacker knows which options you picked: then only the words themselves are secret and the space is back to 7776^4, roughly 51.7 bits.

A 4-word passphrase is about as difficult to crack as an 8-character random password (7776^4 ≈ 3.7E+15 sits between 70^8 ≈ 5.8E+14 and 70^9 ≈ 4.0E+16).
A 5-word passphrase is roughly equivalent to a 10-character random password.
A 6-word passphrase is roughly equivalent to a 12-character random password.
In other words, one word from a 7,776-word list (about 12.9 bits) is worth a little more than two characters from the 70-character set (about 6.1 bits each).
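The calculations above, carried through in code, as an added example that is not part of the original article or of Bitwarden's own generator. It computes the search space and bit strength for both schemes, finds the longest random password that is no stronger than an n-word passphrase (which reproduces the 8/10/12 figures above), and shows how to draw either kind of secret from the operating system's cryptographic random source. The 8-symbol set `!@#$%^&*` is an assumption chosen to match the article's count of 8 symbols, and the 8-word list at the bottom is a constructed stand-in for a real 7,776-word list.

```python
import math
import secrets
import string

# The 70-character set the article describes: 26 lower + 26 upper + 10 digits + 8 symbols.
# Which 8 symbols Bitwarden uses is an assumption here; only the count matters for the math.
SYMBOLS = "!@#$%^&*"
ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits + SYMBOLS
WORDLIST_SIZE = 7776  # size of the diceware-style word list the article cites


def search_space(set_size: int, length: int) -> int:
    """Number of distinct strings of `length` symbols drawn from a set of `set_size`."""
    return set_size ** length


def entropy_bits(space: int) -> float:
    """Strength in bits: an attacker trying the whole space needs up to 2**bits guesses."""
    return math.log2(space)


def equivalent_random_length(n_words: int, wordlist_size: int = WORDLIST_SIZE,
                             charset_size: int = len(ALPHABET)) -> int:
    """Longest random password over `charset_size` symbols that is no stronger than an
    n-word passphrase: the largest L with charset_size**L <= wordlist_size**n_words.
    Done in integer arithmetic so there is no floating-point rounding at the boundary."""
    target = wordlist_size ** n_words
    length = 0
    while charset_size ** (length + 1) <= target:
        length += 1
    return length


def generate_random_password(length: int) -> str:
    """Random password over ALPHABET from the OS CSPRNG (secrets, never the random module)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generate_passphrase(wordlist, n_words: int, separator: str = "-") -> str:
    """n_words picked uniformly from wordlist. The strength is len(wordlist)**n_words
    only because each word is chosen uniformly and independently, as here."""
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    print(f"70^3   = {search_space(70, 3):,}")
    print(f"70^15  = {search_space(70, 15):.3e}")
    print(f"7776^4 = {search_space(WORDLIST_SIZE, 4):.3e}")
    for n in (4, 5, 6):
        bits = entropy_bits(search_space(WORDLIST_SIZE, n))
        print(f"{n} words: {bits:.1f} bits, about a {equivalent_random_length(n)}-character random password")
    print("random password:", generate_random_password(15))
    # Constructed 8-word stand-in; a real diceware list has 7,776 entries.
    demo_words = ["shower", "discern", "anaconda", "yanking", "river", "cobalt", "lantern", "pebble"]
    print("passphrase:", generate_passphrase(demo_words, 4, "@"),
          f"(only {entropy_bits(search_space(len(demo_words), 4)):.0f} bits from this tiny list)")
```

The last line is the point to take away: the same four-word shape gives 12 bits from an 8-word list and about 52 bits from a 7,776-word one, so a passphrase is only as strong as the size of the list it was drawn from and the randomness of the draw.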

I don't find this good enough, so I'd alter any of the options Bitwarden creates. First off, we don't need to limit ourselves to a single character between words, or to all words capitalized or none. The same goes for numerals. So Bitwarden's Shower@Discern@Anaconda5@Yanking

could become
Shower333@Discern@;;;Anaconda5@Yanking

Here I inserted three 3s and three ; symbols; otherwise everything remains just as Bitwarden created it. Merely departing from Bitwarden's scheme puts the result outside the parameters an attacker would try if they expected you to follow the generator's suggestions exactly. The extra characters add strength only to the extent that the attacker cannot predict them, though: if you always add the same thing in the same place, that habit becomes part of your pattern, and password-cracking tools already apply rules that append digits or repeated symbols to dictionary words. Chosen freshly each time, the additions mean the attacker can no longer just try dictionary words joined by a single separator.

This makes these passphrases a potentially useful option.






Date: September 2024


Creative Commons License
This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.
