Matthew GreenSomebody asked whether dictionary-word passphrases (“correct horse battery staple”, like the ones generated by 1Password) are any good. Short answer: good means different things. Shorter answer: yes!
I’ll talk about why in a thread below.
The basic idea of these passphrases is that you have a dictionary of D words. You pick N words at random. That’s the whole idea. Example: “overlook-hooey-valance-flood-useless-ladyship”.
Cryptocurrency BIP32 passwords use a 2048 (2^11) list, and use 12-24 words per passphrase. 1Password seems to use a larger list, between 18000-18500 words (2^14.15) and you can pick your length (6-8 is common.) https://github.com/1Password/spg/blob/master/agilewords.go
Someone in my timeline asked for papers saying these were good passwords. From a purely mathematical perspective we don’t need a paper, just a toot. But there’s more than math here.
Password quality is about three things: strength (how long til Mallory guesses it, perhaps with a powerful computer), memorability (can you keep it in your head) and usability (can you enter it into a website or device.) Only the first one involves any math.
The math for dictionary passphrases is pretty simple. Assuming you choose words uniformly at random: if your dictionary has D words and your oassphrase is N words long, then there are D^N total passphrases.
The total matters because for a random passphrase the best strategy for guessing is to try all (or most) of them. This D^N determines password cracking time.
A simpler way to do this math is with powers of 2. The 1 password dictionary is about 2^14 in size, so for a 6 word password we get 2^{14*6} = 2^84.
Cryptographers tend to treat anything over 2^80 as “probably good enough to secure your Bank of America account” and anything over 2^128 as “probably good enough to secure really important stuff”. I told you there’d be science.
For comparison, last I checked the Bitcoin network was computing about 2^64 hashes every 10 minutes and using as much electricity as Argentina.
Bitcoin doesn’t crack passwords, but if it could & the entire Bitcoin network was cracking your 6-word 1Password phrase, it would take about 9.5 years on average.
But what about human memorability? Can people memorize such complex passwords? The answer is “yes”, because I just memorized one.
If you don’t accept N=1 studies, then there are a few studies. This one looks at 3-4 word passphrases: https://cups.cs.cmu.edu/soups/2012/proceedings/a7_Shay.pdf
Here is another more recent study that focuses on 56-bit (2^56 strength) 6-word passphrases and discusses strategies that help people memorize them. It turns out that “spaced repetition” (making people learn the password over a period of time) works well enough that many don’t have to write it down. https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-bonneau.pdf
The final barrier is usability: can people actually use passphrases on the Internet? Sadly here the answer is “it depends.” The problem is that many website designers have decided on cargo-cult security procedures like “letters, numbers, special characters required”. Some even institute character limits.
If you’re looking for a recommendation here, I would urge you to do the following:
1. Use a good password manager with a strong random 6-8 word master passphrase.
2. Write it down (one safe place) and practice entering it from memory on a regular basis. You will eventually remember it.
3. Let the password manager generate passwords for individual sites.
There are no guarantees, but this is probably the safest way to keep passwords online.
And finally, as someone reminds me in replies (need quote toot here!): use 2FA/MFA wherever possible. Preferably 2FA/MFA based on an app/YubiKey rather than SMS codes.
(Do not ask me about backing up app 2FA, I don’t have a great answer.)
Also re-reading the early part of this thread I was a little fuzzy on how passphrases are generated, argh.
You have a dictionary of D words. You pick one word at random. And then you repeat this process N times. The clarification is: specific words can repeat more than once within a single passphrase. In practice this rarely happens (for large dictionaries) but it would certainly change the math.
Cassandrich@matthew_d_green Are there any studies on whether you can increase memorability by imposing some structure on the sequence of words but increasing the dictionary size to compensate?
@dalias I thought I saw one with natural language in the title but now I can’t find it.
@dalias In principle, you can do this with algorithms like GPT-x. These algorithms work by sampling tokens output by the model, so each phrase has a known entropy above and beyond the model output.
David Penfold 
@dalias @matthew_d_green you only gain a small amount of extra entropy for each doubling of the word list (from, say, 32k to 64k goes from 15 to 16 bits of entropy per word) whereas each adding of an extra word to the passphrase increases entropy by 16 bits (for a 64k wordlist) for example.
Wilson@matthew_d_green for Italian speaking people it's even easier because we have a lot of slightly different verb forms and we almost never have doubt about how to spell them
Cormac Herley@matthew_d_green Might be worth pointing out that "bunch of seemingly unconnected words" is not the same thing as "uniformly at random." It is extremely hard to get humans to do the latter; esp when choosing from a dictionary where some entries are orders of magnitude more familiar/likely than others.
Daniel Spiewak@matthew_d_green Authy has a really nice 2FA backup solution. The private keys are encrypted locally using a user-supplied password (cached in device secure storage), and the whole bundle is stored on their servers. Since you aren't entering the backup password as part of auth flows, it's very safe to randomly generate something very strong and stick it in your password manager.
Alex Nedelcu@djspiewak What I don't like about Authy is that it's hard to get the tokens out. OTOH, it's cool that you can recover with your phone number. I always worry about all my devices getting lost or burning in a fire.
⁂ Fish Id Wardrobe@matthew_d_green Thank you. This is very interesting, and clear.
But I'm manually picking words at 'random' (from my Fediverse timeline, actually). I wonder how I can tell how big my D is?
Matthieu Weber 🇫🇷/🇫🇮@matthew_d_green You can use diceware for a low-tech way to generate truly random, word-based passphrases with pen, paper and 6-side dice.
See https://theworld.com/~reinhold/diceware.html for the original implementation. There are many more pages on that topic on the Web nowadays.
Joe UchillOne point worth noting:
In situations where it's possible to do so, adding MFA is likely going to be dramatically more impactful than worrying about the difference between words and random characters.
Jeffrey Goldberg@matthew_d_green I don’t think that a word appearing multiple times in a generated password “changes the math” unless you are somehow disallowing such cases. If a word appears multiple times in a list, then you have problems.
Scott Lougheed@jpgoldberg @matthew_d_green Any entropy/crackability calculations must assume replacement no? Otherwise entropy would drop after each selection and odds of selecting a given word would change, violating the assumption that all words have equal chance of being selected.
Olivier Dony 
@scottlougheed @matthew_d_green @jpgoldberg Hmm, but the difference is negligible, given a reasonably large dictionary 🤷♂️
6 words out of 18k words means 2^(6*14.135) possible outcomes, i.e. about 2^84, with or without repetitions.
For a 10-words dictionary, however, there would be an order of magnitude of difference between the repetitions/no-repetition variants.
6 words out of 18k words means 2^(6*14.135) possible outcomes, i.e. about 2^84, with or without repetitions.
For a 10-words dictionary, however, there would be an order of magnitude of difference between the repetitions/no-repetition variants.
@scottlougheed @matthew_d_green @odony true, and it would be easy enough to design as generator to do that, but I don’t see much motivation to do so.
@odony @matthew_d_green @jpgoldberg and to your point, the odds of seeing a repeated word given a large enough dictionary is also likely very limited. I suppose we’re ultimately nibbling at the margins of password strength here.
@jpgoldberg @matthew_d_green Speaking of usability, I find typing those long passwords pretty painful, especially on smartphones. Using spaces as separator rather than hyphens/underscore helps, as you don’t have to switch keyboard mode. Maybe that should be the default for 1Password? 😇
I guess it looks less passwordly though.
No separator at all is nice too, even if it costs a little entropy (in-put-clammy = input-clam-my). Intuitively, I don’t think those collisions put a significant dent in the entropy 🤔
@jpgoldberg What I meant is sampling with replacement (D^N), ie each word is sampled independent from the other words and a given word can be chosen twice in the same passphrase. What I originally wrote sounds like sampling without replacement (D choose N), that is: pick N unique words out of the dictionary, one at a time so that a given word only appears once in a passphrase. The number of passphrases is slightly smaller in the second case.
@matthew_d_green, ah. I didn’t read the original as (D choose N) so I misunderstood your correction.
zhenech@matthew_d_green is there a good (as in brief and understandable for non security people) comparison of SMS vs HOTP/TOTP vs U2F/FIDO 2FA? Any is obviously better than none, and SMS is the weakest, but otherwise?
Taylor R Campbell@zhenech @matthew_d_green Biggest account takeover threat is phishing. Biggest mistake is password abuse: reused or guessable.
U2F/FIDO protects you from takeover via phishing, SIM swap, and password abuse.
HOTP/TOTP protects you from takeover via SIM swap and password abuse.
SMS protects you from takeover via password abuse. Vulnerable to SIM swap if enabled at all, even if unused.
(Password manager also protects you from account takeover via SIM swap and password abuse, without 2FA.)
@zhenech @matthew_d_green Footnote: 1FA vs 2FA is a bit of a red herring.
Passkey is 1FA but protects against the same threats as U2F/FIDO. Likewise ssh keys or TLS client certificates, in their domains (with privacy caveats).
Password from manager is 1FA but protects against largely the same threats as HOTP/TOTP 2FA (with minor exceptions).
SMS is 2FA, but having it enabled at all renders you vulnerable to phishing, if the attacker can pull off a SIM swap—even if you always use U2F/FIDO!
Jeroen@matthew_d_green Dicekeys are a good backup system for U2F Solokeys https://dicekeys.com/faq/#how_do_i_use_my_diceKey_to_seed_a_solokey
Tim Schofield@matthew_d_green The Duo MFA app is free for personal use and is backed up / recoverable / able to be used on multiple devices
Miguel de Icaza ᯅ🍉@matthew_d_green 1password, Microsoft authenticator and apple’s built-in-password can now at least sync that data and make it easy to bring to a new phone
Jernej Simončič �@Migueldeicaza @matthew_d_green Can MS authenticator really do that? The last time I tried, it did not include the 2FA codes, which made the whole thing rather useless.
@jernej__s @matthew_d_green yes, tap add account, other, scan code.
That said, I just saw they are dropping Apple Watch support, so I would avoid it
Eric Grosse@matthew_d_green The best Yubikey backup strategy is for the auth server to allow registering multiple security keys. This has been the canonical solution since the dawn of time, i.e. when security keys existed only inside Google and Yubico.
Also, the auth server needs to allow revoking individual security keys in case of loss, so be sure to give them names at time of registration.
emurphy42@n2vi @matthew_d_green Same for TOTP and probably many forms of MFA in general.
David@matthew_d_green When I set up app 2FA I do so on two separate physical devices at the same time so that I have a backup of codes without resorting to storing/transmitting them anywhere.
thedaveCA@bbc6502 TOTP is easy to backup. Physical keys are harder. I have two, but not all services support two so it only helps to a point.
Nick Lupien@matthew_d_green most recommend printed reset keys to be stored in a safe or some other meatspace.
Jon Sterling@matthew_d_green The fact that we can’t back it up or easily recover from mistakes makes 2FA a nonstarter for most everyday users… And when we have recovery keys, we put them in our damn downloads or desktop folder, which is not better than writing your password in plain text. user level security is not a technological problem, and 2FA is not a solution.
chkaloon@jonmsterling @matthew_d_green agreed. I just went to "back up" my auth app. It shows me the QR code, but I need *another* phone to take a picture of it since I can't screenshot it. Another phone that likely isn't mine...
@chkaloon @matthew_d_green Yeah this is a nightmare. So idiotic.
Jeppe@matthew_d_green Can I keep my 2FA along with my passwords in the same password app?
Antranig Vartanian 
@matthew_d_green what’s the issue with backing up the 2FA app?
@antranigv How do you do it?
@matthew_d_green ummmm... I connect my iPhone to my mac, I click "Backup", and when I get a new phone, I do "Restore".
Same with Android, I do full system Backup, and then just restore.
Haven't use Android in a while, but works like a charm (well, except when Apple decides I have to enter my passcode 245567656455 times) with my iOS and iPadOS devices running... *checks notes* an app named Tofu!
LisPi@matthew_d_green Some password managers, namely #KeepassXC can handle 2FA.
That does technically reduce it to single-factor but anyway, still an option. Adding isolation #Qubes style is probably a good idea to prevent easy compromise .
Regarding #SMS2FA, I've taken to reposting this when someone mentions it: https://pages.nist.gov/800-63-3/sp800-63b.html#-5133-authentication-using-the-public-switched-telephone-network
@matthew_d_green that's exactly what I did, and after a couple of weeks I was confident enough to burn my written-down master passphrase.
Pity I'm using LastPass though...
Jeffrey Vagle@matthew_d_green I find it's helpful to build a (often dadaist) narrative that somehow links the seemingly disjoint words.
felix (grayscale) 🐺@matthew_d_green This is what I do, but out of paranoia I split my passphrase in half and put each half in a different safe place, and then destroy them once I've memorized it.
Logan@matthew_d_green 8 WORDS is enough NOT CHARACTERS for master password. 😃😂💪
For those reading this and still confused.
Natanael ⚠️@llbbl @matthew_d_green that math is based on single characters, not whole words. Diceware at 8 words is 104 bits of entropy. That's not getting cracked anytime soon
Stuart Schechter@matthew_d_green For most people:
1. Your browser has a great password manager (Chrome, Edge, Firefox)
2. The company that makes your browser may also run your email (Chrome & Gmail, Edge & Hotmail)
3. Most of your passwords can be reset by anyone who controls your email account anyway, so...
4. There's little marginal risk to using the manager built into your browser that syncs using your email credentials.
(They don't advertise, so too many people think they need a 3rd party product.)
@matthew_d_green The great majority of people using a password manager are using the one built into their browser, so speaking generally about "master' passwords for password managers without making clear that we're actually talking about their Google/Apple/Microsoft Account password.
(One can't help but wonder if affiliate links and marketing teams are the reason that so much discussion focuses on 3rd party products.)
@matthew_d_green One last note is that Google, Apple, and Microsoft have large teams, and decades of experience, defending against nation state adversaries. It's a good guess that the teams tasked with defending their server and build infrastructure are larger than the entire engineering teams of companies that sell password managers.
Jeff the AlienYay! I'm already following these suggestions. I stored my 6-8 word passphrase on my Yubikey, but have it stored in my memory too.
I use 1Password (finally) with Watchtower enabled to tell me to regenerate some passwords regularly. It also knows which sites support hardware keys.
dunadan@matthew_d_green repetition is the key to learning, I did it with random passwords (32 chars long). Yet there is something which is hard to explain: muscle memory loss. I have never remembered this password as it is; only my muscles did. And one day that memory connection broke and I could not restore it.
@udunadan That’s why Apple makes you enter it every 24 hours.
Also, the thing about passphrases (and I have no science to back this) is that you don’t really learn them through muscle memory. They’re just too long.
@matthew_d_green I do learn them through muscle memory, and that's disappointing because it often gets wrong the sync between the two hands, so I've to retry a lot and sometime just slow down and check every letter
@wilson @matthew_d_green just don't try to think "what do I actually type next" in the process, don't let the conscious part crawl in ;)
@matthew_d_green the thing wasn't that I forgot it; rather, it was a peculiar disconnect from muscle memory. I entered that password thst cery evening, successfully. But I guess most users won't experience the same situation.