they also show they missed the point of the comic by pushing adding in numbers and special characters instead of something easy like adding another word or two.
MathijsRiezebos Wrote:straygecko Wrote:
Actually, using just one common substitution and an extra character between the words of your passphrase somewhere can still significantly increase the security of your passphrase.
Only using lowercase, UPPERCASE, camelCase or ProperCase words in a password, even if you add one or two extra, can even be less secure and it makes your password way longer to type.
I think that their example there is actually pretty good. A passphrase of between 15 and 20 characters that consist of a few semi-random words with just one or two random character swaps/inserts would, in my opinion, provide the optimal balance between security and ease to remember and type.
straygecko Wrote:Semi-random words is a bad idea and seriously erodes the strength of a password. There was a study of passphrases actually in use and the semi-randomness (IOW not random at all) of the words let them find the passwords in hours.
Adding a separator character between words only adds a small factor - the number of possible separator characters or human beings what they are the number of typically used separators. Maybe another factor of 6 if you only use it between some words (4 word passphrase). So lets say 6 possible separator characters times 6 for using it between only some words. That's only a factor of 36. Yes, if you want to get complicated and possibly use a different separator between different word pairs but we're getting further and further away from easy to remember.
Same kind of thing for change case of first letter of words or upper casing some words. 3 options for each word - all lower, all upper, first capitalized. 4! combos so 24 * 3 is a factor of 72.
Assuming you did these things randomly (most people don't), combine the two and you get a factor of about 2600. Compare that with an additional random common English word of 20,000. I think most people are going to find the additional word easier to remember and type and they will get a much stronger password.
MathijsRiezebos Wrote:I think that their example there is actually pretty good. A passphrase of between 15 and 20 characters that consist of a few semi-random words with just one or two random character swaps/inserts would, in my opinion, provide the optimal balance between security and ease to remember and type.
Users browsing this forum: No registered users and 19 guests