Security Of Uncommon But Correct English Phrase as Master Password?
I'm trying to make my master password easier to remember than one consisting of four random words from the 1P password generator, as I believe are the current recommendations.
I'm thinking of using a nonsense phrase but an entire phrase nonetheless. However, I'm having a hard time figuring out the exact entropy (measured in bits) of a phrase adhering to English grammar rules, so I can know for certain when the phrase is secure enough.
I know using a proper phrase will cause a drop in entropy because of the decrease in randomness of the order of the words, but by how much?
Would love to hear your thoughts on this.
Cheers.
Comments
-
Hi @MerryBit,
I'm not on the security team and I'm curious to know what they'd specifically say about this, but I think I can give you an answer that's "good enough" for you to move on.
TLDR : you're most likely just fine with that Master Password.
You're right that using random words from our wordlist generator is the current recommendations. But we also need to recognize that this is actually remarkably hard. It's what I do, and I've had the same Master Password for over a year and I still struggle with it a bit. The words mean nothing to me and are completely disconnected from one another. You can reduce the difficulty by generating different sets of words and wait until there's one that speaks to you.
We can calculate the bits of entropy of the wordlist password because it's a mathematical formula based on the size of the wordlist. When it comes to an arbitrary phrase, there's no formula that will give us a number of bits of entropy. So we're mostly comparing apples to oranges here.
What matters here isn't so much bits of entropy so much as strength of Master Password. Using a wordlist based password gives us a high confidence that it's strong because of the number of bits of entropy when generating it. But technically speaking it could generate "one two three four". The bits of entropy calculated when generating that password aren't telling us the strength of the password so much as the odds that this password could be re-generated the same. I think we'd both agree that "one two three four" is probably a pretty bad Master Password.
Meanwhile you could come up with a phrase like "four ducks trot greenly". Since you chose the words and not a cryptographically secure random number generator its effective randomness is relatively low. Despite this, we'd probably both agree that it's a better Master Password than "one two three four" even if the latter could have been generated by a cryptographically secure generator.
I think passphrases are great. It was the strategy I used until I switched to the wordlist based password. My recommendation would be not to worry about the entropy of that approach so much as making sure you're using a phrase that isn't closely tied to you. "tiffany is amazing" is a pretty terrible passphrase for me cause my wife's name is Tiffany. Likewise choosing the favorite saying of your favorite movie character is not recommended. You need to strike a balance between easy to remember but not tied to you, and also not super common. By choosing something that isn't common you're reducing the likelihood of it being in a list of mass passwords to try (which is what an attacker that's trying to access accounts in bulk will use). By choosing something not tied to you you're reducing the likelihood that the attacker can use knowledge of you personally (which is what an attacker that's trying to access your specific account would use).
Without knowing you nor the passphrase that you have in mind it's impossible for me to give you a definitive answer. Don't feel like you must use our wordlist generator to create a Master Password. A passphrase is great, just make sure to put a bit of thought into what you choose there.
I hope this helps.
Rick
0 -
Hello @MerryBit!
I pretty much concur with what Rick said. Using a phrase you devise will be substantially weaker than using our generator, and it is impossible to know how much weaker. But that doesn't mean that it still isn't the right thing for you. A Master Password that you can't reliably remember or type would be a Bad Thing™.
What I will ask is that you read through something we wrote almost a decade ago. Human constructed password words (or pass phrases) are weaker than their creators think. And so I'd encourage you to read Toward Better Master Passwords on our blog from 2012, well before we had our wordlist generator. Consider what is there and make a decision that works for you.
0 -
Hello @ag_ana, @rickfillion, and @jpgoldberg !
Thank you all for your input to my musings, it's much appreciated.
I consider the key takeaway from your replies to be the following:
Any phrase of my own concoction is guaranteed to be weaker than four random words generated by your Master Password generator, but that shouldn't stop me from devising my own master password, because it's better to use a self-made pass phrase that I can remember and reasonably type than a computer-generated one that I can't reliably commit to memory.
I also read the blog post @jpgoldberg pointed me to, and I laughed out loud at the pass phrase suggestion given by Edward Snowden:
That pass phrase settled in my memory immediately, and I've thought about why that was so. My conclusion for now is that it was a) funny and b) surprising. So the task at hand is for me to come up with a master password in the form of a surprising phrase that will make me laugh. I suspect it'll be a concatenation of bits of funny phrases I'll happen to hear in the next few days.
0 -
That seems like a fair analysis. :) Good luck in your quest, and be sure to let us know if you have further questions. :+1:
Ben
0