Timeline for Passphrase vs. password entropy
Current License: CC BY-SA 3.0
11 events
| when toggle format | what | by | license | comment | |
|---|---|---|---|---|---|
| Jan 27, 2020 at 21:09 | answer | added | averell | timeline score: 4 | |
| Jan 27, 2020 at 19:55 | comment | added | Future Security | I anti-recommend "correct horse battery st@ple". Things like that only add a few bits strength while adding more than a few yes or no questions you have to ask yourself if you're trying to remember a password you haven't used in a long time. Was the nth character capitalized? Did I deliberately misspell that word? Was this letter in this position in this word replaced with a 1337speak character? Add an extra word. It's only one additional unit of information you need to be able to remember. If that doesn't sound easier, then just use the "denser" full-character-space password format instead. | |
| Jun 30, 2018 at 18:44 | comment | added | Ben | Those who recommended passphrases would also scoff at the idea of stopping at only 3 words. I never use fewer than 5. | |
| Jan 22, 2018 at 15:26 | vote | accept | dFrancisco | ||
| Jan 20, 2018 at 7:28 | history | tweeted | twitter.com/StackSecurity/status/954616706332274688 | ||
| Jan 20, 2018 at 2:32 | comment | added | Luis Casillas | You should carefully read Thomas Pornin's answer to a question about XKCD #936, because it will show you how you can't say that either passphrases or passwords intrinsically have more entropy than the other. | |
| Jan 19, 2018 at 22:28 | answer | added | Kevin | timeline score: 12 | |
| Jan 19, 2018 at 21:47 | comment | added | AndrolGenhald | @dandavis longer inputs taking longer to hash is only applicable to the first round, and if you're using a decent number of iterations the difference will only be measurable if your password is at least a megabyte. | |
| Jan 19, 2018 at 21:27 | comment | added | AndrolGenhald | Random passphrases aren't necessarily supposed to be stronger than random passwords, they're supposed to be easier to remember. Comparing bad passphrases to bad passwords is difficult. | |
| Jan 19, 2018 at 21:24 | comment | added | dandavis | perhaps. but "correct horse battery st@ple" blows both out of the water, especially realistically when considering how tools like john the ripper and hashcat operate. if you have to transliterate, your 179k words turn into, idk, quadrillions? also, longer inputs take longer to hash, so there's that... | |
| Jan 19, 2018 at 20:58 | history | asked | dFrancisco | CC BY-SA 3.0 |