Nowadays, most people use password managers (hopefully). However, there are still some passwords that you need to memorize, like a master password (for a password manager), phone lock, Wi-Fi password, etc.

Security-wise, can a passphrase reach the strength of a good password without getting so long that it defeats the purpose of even using it?

  • One caveat I’d want to note is for the underlying methodology that uses:

    As this study by Joseph Bonneau attests, people frequently choose common phrases in addition to common words. zxcvbn would be better if it recognized “Harry Potter” as a common phrase, rather than a semi-common name and surname. Google’s n-gram corpus fits in a terabyte, and even a good bigram list is impractical to download browser-side, so this functionality would require server-side evaluation and infrastructure cost. Server-side evaluation would also allow a much larger single-word dictionary, such as Google’s unigram set.

    As another example, the passphrase “This password is good” is claimed to take centuries to crack, but if the search space were narrowed down from a sequence of words to grammatically correct sentences, certain passphrases would be much weaker than this would show.
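The caveat above can be made concrete with a small estimator. This is an added example, not part of the original posts and not zxcvbn's code: it compares a word-by-word guess count with one that also knows common phrases, then computes how many randomly chosen words match a random password. The word ranks, phrase ranks and unknown-word cost are constructed sample values; the 7776-word list size (Diceware-style) and 94-symbol alphabet are assumptions.

```python
import math

# Constructed sample data (assumed ranks, 1 = most common; not real corpora).
WORD_RANK = {"this": 20, "password": 500, "is": 8, "good": 110,
             "harry": 900, "potter": 4000}
PHRASE_RANK = {("harry", "potter"): 300,
               ("this", "password", "is", "good"): 50000}
UNKNOWN_WORD_GUESSES = 10**6  # assumed cost of a word found in no list


def word_model_guesses(words):
    """Guess count if each word is scored independently by its rank."""
    guesses = 1
    for w in words:
        guesses *= WORD_RANK.get(w, UNKNOWN_WORD_GUESSES)
    return guesses


def phrase_model_guesses(words):
    """Cheapest split of the passphrase into known phrases and single words."""
    n = len(words)
    best = [math.inf] * (n + 1)
    best[0] = 1
    for end in range(1, n + 1):
        for start in range(end):
            chunk = tuple(words[start:end])
            if len(chunk) == 1:
                cost = WORD_RANK.get(chunk[0], UNKNOWN_WORD_GUESSES)
            elif chunk in PHRASE_RANK:
                cost = PHRASE_RANK[chunk]
            else:
                continue  # multi-word chunk that is not a known phrase
            best[end] = min(best[end], best[start] * cost)
    return best[n]


def random_password_bits(length, alphabet=94):
    """Entropy of a uniformly random password over printable ASCII."""
    return length * math.log2(alphabet)


def words_needed(target_bits, list_size=7776):
    """Randomly drawn words needed to reach target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    for phrase in ("harry potter", "this password is good"):
        w = phrase.split()
        print(phrase, word_model_guesses(w), phrase_model_guesses(w))
    print("words to match 12 random chars:",
          words_needed(random_password_bits(12)))
```

The gap between the two guess counts only exists for human-chosen phrases; words drawn uniformly at random from a list have no phrase structure for an attacker to exploit, which is why the last function counts words rather than scoring them.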