Is a Mnemonic Passcode more secure than a normal password?

https://lemmy.world/post/2510801


I recently tried out a decentralized private messaging tool; it didn’t ask for my personal information to register. Instead, it only asked me to create a username and set a password, after which it provided me with a mnemonic passcode. (I had never used a mnemonic passcode before, but I learned that it’s a web3 or decentralized type of thing.) Their FAQ page says: “The Mnemonic Passcode is your ONLY SOURCE of backup in a scenario where your device breaks down or becomes unusable due to any reason. In such cases, all you need is your Mnemonic Phrase to recover all your account information. It must be copied, screen-shotted, or written down and kept in a safe and secret place until it is needed.” Is a Mnemonic Passcode more secure than a usual password? Plus, are there any other ways to keep your mnemonic phrase?

Many Web3 wallets, such as MetaMask and Uniswap, use Mnemonic Phrases to improve security. Which app are you referring to?
It’s called WireMin.

I tend to add them to my password manager, which funnily enough also has a recovery phrase which I just keep written down somewhere safe.

xkcd comic regarding your question of pass phrases vs passwords:

xkcd: Password Strength
Lmao, aren’t you doing the same thing for another round? But password managers do make everything easier. I wonder, is it decentralized as well? Cuz if it has a central server to keep all users’ passwords, it might not be safe tho.
Classic password managers are not decentralized, and why would they be? If you’re worried about storing your credentials on one central server (the official one), there are plenty of very good options for self-hosting a password manager on your own infrastructure. I will always point out the Vaultwarden project, an implementation of the Bitwarden API that’s very efficient on resources and works near flawlessly with all apps and extensions. A wonderful addition to your homelab or VPS.
GitHub - dani-garcia/vaultwarden: Unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs
I can’t recommend KeePassXC enough. And it’s not even hosted either; it’s a simple KeePassXC database file. Sharing it across devices is done using any file server or service you want to use.
I will never not read it as “keep ass”.
Oh shit… Cannot unsee it now.
I admire your dedication!
After having gone to solutions that allow for simple and seamless password sharing between users, it’s hard for me to go back. Last I checked, none of the KeePass solutions could really seamlessly share passwords and have them update in some fashion without manual user intervention. That being said, I used it for a long time in my Dropbox and then Own/Nextcloud before moving to a password service, LastPass and then Vaultwarden after the LastPass security fumbles.
Instead of *warden, just use the tried and trusted KeePass; no need to run your own server. KeePassXC is a nice open-source alternative client, and KeePassDX is its Android equivalent. You can keep your password file in sync with other devices by using your favorite cloud backup or sync tool. The best part is, KeePass supports auto-type, which *warden and other cloud-based password managers don’t. Auto-type is handy when you want to input your password into a program that’s not a web page, or you’re accessing something via remote desktop, etc.
I generate mine with xkpasswd.net.

They are generated on the server’s side, not by JS.

Use with caution.

Thanks, I’ll stop using it. I don’t want my passwords to end up in some wordlist.
This exact comic was what led me to change my whole password philosophy. Since then, I have hundreds of easy-to-memorize but insanely long passwords. I love that comic.

I wish I could do that, but every place apparently feels the need to invent a new requirement for password composition.

1 symbol, then 2 symbols, then at least 2 numbers, then can’t have some “easy to guess words” in the middle (like wtf?) or require a maximum of 12 characters. It’s so frustrating. It’s impossible to have easy-to-remember passwords because all of them have to be slightly different depending on the case.

And what pisses me off the most is they don’t tell me when I am authenticating: “remember, this one needs 2 symbols and at least 10 characters” or whatever.

Sorry, I get really worked up about this.

And the worst part is, the less important the service, the more requirements it has.

Yes, tell me about it! The fact that services sometimes just do not tell you their requirements really sucks. I mean, if you can’t do easy and you have a vault, then you can go generated for those sites and done. I do have some site-specific passwords too, but mostly they’re easy to remember and insanely long.
And then you use a generator and vault, but there’s some stupid caveat like “you can’t use the ^ character.”
Yeah, but in Bitwarden you can define the used characters, iirc.

It might be good enough for web passwords, but coming up with your own mnemonics is not truly secure because there are discoverable patterns in anything people come up with themselves; it isn’t actually random. If you order words in such a way as to make it easier for you to remember, it also makes it easier to brute-force. Lots of crypto wallets where people tried to do this were remotely drained.

Doing this is only safe if the words are selected with a secure RNG of some kind.

It is (or can be) just as secure as a non-mnemonic passcode. The mnemonic aspect just helps with typing it out without errors.

You’re not really supposed to remember the mnemonic passcode, but save it in your password manager or print it out and store it in a secure location.

Now if you need to use your printed out mnemonic passcode, you just have to type in a bunch of normal words instead of a very long list of random characters and symbols, where it’s easy to make mistakes.

I always thought it was for enhancing security.
It enhances security by allowing high-entropy passwords to be easy to remember and write, so you have no incentive to use short/simple low-entropy (insecure) passwords.
Anyone knowledgeable enough to know if a quantum computer can still crack those passcodes?
My understanding (limited) is yes. If you want quantum secure cryptography you need to use specific algorithms designed for it.
Sounds expensive (time-wise) too.
Quantum computers don't break encryption by guessing passwords; they break encryption by being able to quickly factor extremely large numbers. What password is used doesn't matter; it's a more direct attack on the algorithm itself.

The security of a fully random password depends on the number of available symbols (alphabet) and the length.
The strength of the password is simply symbolcount^length.

For a conventional password the symbols/alphabet are characters, numbers and special characters.
For a mnemonic the symbols are simply full words and the “alphabet” is a list with a couple thousand words.

Mnemonic passwords are secure because of their large alphabet, and easy to remember because human brains are good at coming up with associations (usually stories) for random words.
If you want to generate your own mnemonic password, you can try Diceware.
With Diceware you roll a few dice to select random words from a list.

Diceware Passphrase Home
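The symbolcount^length formula from the post above, and the Diceware roll-to-word lookup, worked through in code. This is an added example, not code from the post or from the Diceware project. It assumes the standard Diceware layout of five six-sided dice per word (6^5 = 7776 words, keyed 11111..66666), uses a constructed 36-word placeholder list keyed by two dice so the lookup can be run offline, and draws the rolls from Python's `secrets` module (a CSPRNG) rather than `random`, which is the "secure RNG" point another commenter raised.

```python
import math
import secrets


def guesses_needed(symbol_count: int, length: int) -> int:
    """Size of the search space for a uniformly random password: symbolcount^length."""
    return symbol_count ** length


def entropy_bits(symbol_count: int, length: int) -> float:
    """Same quantity in bits: log2(symbolcount^length) = length * log2(symbolcount)."""
    return length * math.log2(symbol_count)


def words_to_match(char_alphabet: int, char_length: int, word_alphabet: int) -> int:
    """How many random words from a word_alphabet-sized list give at least the
    entropy of a random char_length-character password over char_alphabet symbols."""
    return math.ceil(entropy_bits(char_alphabet, char_length) / math.log2(word_alphabet))


def roll_dice(rolls: int) -> str:
    """Roll `rolls` six-sided dice with a CSPRNG and return the Diceware key, e.g. '31425'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(rolls))


def key_to_index(key: str) -> int:
    """Map a Diceware key ('11111'..'66666') to a 0-based list index by reading it as base 6."""
    index = 0
    for ch in key:
        digit = int(ch)
        if not 1 <= digit <= 6:
            raise ValueError(f"not a dice roll: {ch!r}")
        index = index * 6 + (digit - 1)
    return index


def generate_passphrase(wordlist: list[str], n_words: int, rolls_per_word: int) -> str:
    """Pick n_words uniformly at random from wordlist via dice rolls and join them."""
    if len(wordlist) != 6 ** rolls_per_word:
        raise ValueError(f"wordlist must have exactly {6 ** rolls_per_word} entries")
    return " ".join(wordlist[key_to_index(roll_dice(rolls_per_word))] for _ in range(n_words))


# Constructed placeholder list keyed by TWO dice (6^2 = 36 entries); a real Diceware
# list has 7776 real words keyed by five dice. The words here are not a real list.
TOY_WORDLIST = [f"word{i:02d}" for i in range(36)]

# Alphabet sizes used in the comparison: 94 printable ASCII characters for a
# conventional random password, 7776 words for a standard Diceware list.
PRINTABLE_ASCII = 94
DICEWARE_WORDS = 7776


if __name__ == "__main__":
    # Conventional 12-character random password vs six Diceware words.
    print(f"94^12 chars : {entropy_bits(PRINTABLE_ASCII, 12):.1f} bits "
          f"({guesses_needed(PRINTABLE_ASCII, 12):.2e} guesses)")
    print(f"7776^6 words: {entropy_bits(DICEWARE_WORDS, 6):.1f} bits "
          f"({guesses_needed(DICEWARE_WORDS, 6):.2e} guesses)")
    print("words needed to beat a 12-char random password:",
          words_to_match(PRINTABLE_ASCII, 12, DICEWARE_WORDS))
    # A small alphabet, even with random selection, gives a weak passphrase.
    phrase = generate_passphrase(TOY_WORDLIST, n_words=4, rolls_per_word=2)
    print(f"toy phrase {phrase!r}: only {entropy_bits(36, 4):.1f} bits")
```

The two numbers that matter come out side by side: twelve random printable characters and six random Diceware words are both in the high 70s of bits, which is the "large alphabet compensates for fewer symbols" argument made above. The toy list shows the other half of the story: random selection alone is not enough if the list is tiny, and any hand-picked ordering drops the effective alphabet further still.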

Lemmy has superscripts. symbolcount^length^ produces symbolcount^length^
Doesn’t show in vger.app.
Dunno, but I find them super annoying and a bitch to work with in my password manager.
“Security” isn’t a fair comparison here. They’re apples and oranges. Passwords are secrets for authentication. Mnemonic passcodes encode information, like a private key, so you DO want to keep it secret, but it’s much more functional than a password.