Feature request : passphrases

jessycjessyc

Team Member
edited November 2017 in Lounge

Hey,

Just came across a cryptocurrency wallet that requires a 12 words passphrase and, currently, 1Password's password generator is limited to 10 words with dashes. It would be great to increase the word limit and offer a passphrase option, without dashes. I'm guessing this kind of "issue" might become more frequent.

Thanks


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • brentybrenty

    Team Member

    @jessyc: It's definitely something to consider, but given that our Wordlist has over 18k items, roughly 14 bits per word (so a four word pass phrase is 56 bits), 12 words is far beyond overkill: 168 bits of entropy, where we could get 170 using a character-based password with a length of 26. The primary benefit of word-based passwords is that they are easier to memorize and type...but I'd be hard-pressed to do either with 12 words from that list! So while I don't doubt we will increase the supported length in the future, you can get a much stronger password already today (character-based goes up to 64 — and save it in 1Password so you don't have to remember it). Cheers! :)

  • jessycjessyc

    Team Member

    Oh yeah, I definitely agree it's hard to see the benefit of increasing the length of word-based passwords! The thing is, the app I'm using REQUIRES a 12 word passphrase. Not 11 or 13, exactly 12, with no option for character-based passwords.

    I'm sure it's an isolated case for now, and typing 2 extra words manually to get to 12 wasn't that complicated, but it might become more common?

  • rickfillionrickfillion Junior Member

    Team Member

    I would love to know the reasoning for their requiring 12 words like that.

    Thanks for the feedback.

    Rick

  • Overkill? Apparently some crypto is requiring 24 words now.
    Bips39
    http://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki

  • brentybrenty

    Team Member

    Oh yeah, I definitely agree it's hard to see the benefit of increasing the length of word-based passwords! The thing is, the app I'm using REQUIRES a 12 word passphrase. Not 11 or 13, exactly 12, with no option for character-based passwords.

    @jessyc: Ah, that is interesting. Sorry about that. My thought was that you could optionally use words, but that they require a minimum of 12 in that case. It didn't occur to me that they wouldn't even allow you to use a character-based password. :unamused:

    I'm sure it's an isolated case for now, and typing 2 extra words manually to get to 12 wasn't that complicated, but it might become more common?

    I'd just generate two 6-word passwords and concatenate them. I will say that the downside to any manual password saving is that 1Password will view it as weaker than it would otherwise (since it is presumed to be human-generated)...but I doubt that will even be noticeable in this particular case. Anyway, definitely something we'll keep an eye on. I appreciate you bringing it up! :blush:

  • brentybrenty

    Team Member

    @AlwaysSortaCurious: I think that's just nuts...until I see the absurd criteria they're using:

    https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki#wordlist

    I couldn't begin to calculate the real impact on entropy, but excluding "similar" words and using "smart selection" seems unnecessarily limiting, to put it kindly. :(

  • jessycjessyc

    Team Member
    edited November 2017

    I feel so much more secure with numbers and weird symbols in my passwords :p

  • BenBen AWS Team

    Team Member

    @jessyc

    It is really more about entropy than character set. Character set contributes to entropy, but it isn't the only factor. Additionally words based passwords are much more practical for any passwords you may need to memorize (for whatever reason), read over the phone, type on a mobile keyboard, etc.

    Basically a password with numbers and symbols is not necessarily inherently more secure than one without; there are other factors.

    :)

    Ben

  • @brenty I get the feeling that they decided to implement their own security rather than someone else's, and the rules make it sound better? Dunno, it is doing something for them based on this BIP39 generator

    https://www.ledgerwallet.com/support/bip39-standalone.html

  • brentybrenty

    Team Member

    ¯_(ツ)_/¯

    It seems like it should be sufficient. I just suspect that the sufficient security can also be attained through less Draconian means. But I guess that's why we made 1Password! :lol:

This discussion has been closed.