Password strength is a very confusing concept, which has been shown very clearly in the discussion around the #LastPass breach and #Bitwarden flaws. I tried to make it as easy to understand as possible, not sure whether I succeeded.

https://palant.info/2023/01/30/password-strength-explained/

TL;DR:
· Password managers are a single point of failure, so their master password has to be strong.
· What looks strong to you isn’t necessarily a strong password.
· Long passwords aren’t necessarily strong. Case in question: “choose a phrase from a song.”
· I suspect that almost all real-world passwords have less than 35 bits of entropy. Especially with zxcvbn considering 33 bits as “strong” and even password manager vendors not questioning that.
· AFAIK the only realistic way to get a strong password is generating it randomly.
· Diceware is a good way to generate passwords that are both secure and rememberable.
· “Regular” people don’t need more than four words (using a word list for five dice). Valuable targets need five words for better protection; someone who could become a target of a state-level actor should be safe with six words.

Password strength explained

I try to explain how attackers would guess your password, should they get their hands on your encrypted data. There are some thoughts on the strength of real-world passwords and suggestions for your new password.

Almost Secure
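An added example, not part of the original post or the linked article: a Diceware-style generator for the "word list for five dice" case, with the entropy that four, five and six words give, to set against the 33 to 35 bits mentioned in the TL;DR. The `key word` line format and the placeholder list built by `constructed_wordlist` are assumptions made so the code runs offline; substitute a real five-dice word list in practice.

```python
import itertools
import math
import secrets

DICE_PER_WORD = 5  # a word list for five dice has 6**5 = 7776 entries


def roll_key(dice=DICE_PER_WORD):
    """Simulate fair six-sided dice with the OS CSPRNG, e.g. '41362'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(dice))


def load_wordlist(lines, dice=DICE_PER_WORD):
    """Parse 'key word' lines (assumed format) and reject incomplete lists."""
    table = {}
    for line in lines:
        if not line.strip():
            continue
        key, word = line.split()
        if len(key) != dice or not set(key) <= set("123456"):
            raise ValueError("bad dice key: %r" % key)
        table[key] = word
    expected = 6 ** dice
    # A short list or duplicate words would silently lower the entropy.
    if len(table) != expected or len(set(table.values())) != expected:
        raise ValueError("word list must hold %d unique entries" % expected)
    return table


def passphrase(table, words, dice=DICE_PER_WORD):
    """Pick each word independently and uniformly at random."""
    return " ".join(table[roll_key(dice)] for _ in range(words))


def entropy_bits(words, dice=DICE_PER_WORD):
    """Entropy in bits, valid only because every word is a uniform pick."""
    return words * dice * math.log2(6)


def constructed_wordlist(dice=DICE_PER_WORD):
    """Constructed placeholder list (word0000, word0001, ...), not a real one."""
    keys = itertools.product("123456", repeat=dice)
    return ["%s word%04d" % ("".join(k), i) for i, k in enumerate(keys)]


if __name__ == "__main__":
    table = load_wordlist(constructed_wordlist())
    for n in (4, 5, 6):
        print("%d words: %.1f bits  %s" % (n, entropy_bits(n), passphrase(table, n)))
```

The entropy figure holds only for words picked by the generator; choosing or rerolling words by taste makes the result guessable in ways the calculation does not capture.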
Password Strength

xkcd
@Lownewulf You are welcome to take at least a cursory glance at the article.
@WPalant sorry about that. I lost your link in your "TL;DR".