How strong a password/passphrase for a password manager should be?

Jeveri

The title.

[deleted]

Jeveri I'd say between 15 and 20 alphanumeric characters, but it doesn't matter, the real security is a fido key. You'll find one for around 25€ at yubikey, but there are other brands. Choose a simple past tense sentence to remember:

.ilsbipmcmhars2009.
Which means:
.I love spinach but I prefer my car my house and rum since 2009.

Backwards876

What kind of a question is this? This isn't a grapheneOS question.

But to answer it, just use dice ware. A 4 word random dice ware password with a random number and special character sprinkled in is more than secure enough.

See these videos;
https://invidious.nerdvpn.de/watch?v=Pe_3cFuSw1E
https://invidious.nerdvpn.de/watch?v=3NjQ9b3pgIg
https://invidious.nerdvpn.de/watch?v=Z15kFt00poQ

And just go to the original website;
https://theworld.com/~reinhold/diceware.html

mmmm

Backwards876 A four word diceware password is nowhere near enough. 8-10 minimum, especially if it’s a password database and able to brute forced any way.

[deleted]

Backwards876

It's marked "off topic" and there are plenty of non-Graphene questions asked here everyday.

Lukas

Backwards876 What kind of a question is this? This isn't a grapheneOS question.

This post is marked as off-topic, which means it can be anything about security, privacy, etc.

Backwards876 But to answer it, just use dice ware. A 4 word random dice ware password with a random number and special character sprinkled in is more than secure enough.

This is the most relevant reply and advice in all of this thread, but there is no need for a random number or special character because the four-word diceware passphrase generated from the EFF long list is already enough for the majority of people.

mmmm

My database needs an 17 word diceware password, chosen with real dice, plus a key file to access it.

Lukas

mmmm My database needs an 17 word diceware password, chosen with real dice, plus a key file to access it.

mmmm A four word diceware password is nowhere near enough. 8-10 minimum, especially if it’s a password database and able to brute forced any way.

This is astronomically overkill, and giving people such advice is harmful because it will either waste their time and give them a burnout at some point or scare them away from using a password manager if they need to use astronomically overkill word counts like you recommend.

For those who, for some reason, want a passphrase that couldn't be brute-forced, even if a few nations collaborated on doing it for thousands of years, they can use a 90 bit or 7 diceware word passphrase generated with an EFF long list.

bayesian

At least 100 bits of entropy. That's my threat model. You don't need to outrun the bear you just to run faster than another sucker. So having 100+ bits of entropy makes you in the 0.1% of all suckers

[deleted]

The most important thing is to secure your do base with a fido... I'll say it again. And in every pixel you have an integrated one: the titan chip, which you can choose with bitwarden, for example.

Phead

As much as you are willing to remember and type on an average smartphone keyboard. I remember someone arguing an 8 word passphrase with a 120 bit entropy is reasonably secure for an average user (+ whatever 2FA options you have).

SoulKeeper

For critical accounts, I use 128bit alpha numeric passwords and for less important accounts, I use 64bit alpha numeric passwords.

mmmm

Lukas No, giving advice for a 4 word Diceware password is harmful! In 2014 the inventor of Diceware himself said that the minimum should be 6 words. And that was in 2014. Before going off at me, check your facts please.

https://diceware.blogspot.com/2014/03/time-to-add-word.html

My password is no doubt overkill, but I didn't advise anyone else to do this - I merely stated what I did. I want it to be overkill, because I keep this file on Dropbox due to the need to use it in random places.

Lukas

mmmm This outdated blog post in the best-case scenario just proves that I'm right, and the 4 word diceware passphrase generated from the EFF long list is enough for the majority of people, assuming you're using a good password manager like KeePassXC/DX, Bitwarden, or 1Password.

mmmm My password is no doubt overkill, but I didn't advise anyone else to do this - I merely stated what I did. I want it to be overkill, because I keep this file on Dropbox due to the need to use it in random places.

If you want it to be overkill to the point where you could even make your encrypted database available publicly on Facebook without any worries whatsoever, then 8 diceware words are more than enough.

Phead

Lukas

Well, the EFF themselves recommend a six-word passphrase. I, however, usually choose something between 7-8 words. Maybe I'm paranoid but I prefer to invest the time to remember such passphrase only once. That's why I choose a slightly longer phrase, just to be safe when 4, 5, or 6 words become less secure (not saying it's gonna happen anytime soon). It's a bit tinfoil hat thinking, I admit that, but I know I'd hate to invest another week just to imprint an new passphrase.

Anyways, when you use a good password manager with a strong password and encryption, why not use 20 word passphrases all over the place? It's not like you have to remember or type any of those.

I think the bottom line here is that you're reasonably safe when you choose a passphrase with at least 4 to 5 long words, more if you dare.

Lukas

Looking at how long it would take to crack a password is also flawed. What matters more is how much it would cost in terms of hardware, electricity, and efforts, and then how long it would take.

Lukas

Phead I think the bottom line here is that you're reasonably safe when you choose a passphrase with at least 4 to 5 long words, more if you dare.

I agree.

Lukas

Phead Well, the EFF themselves recommend a six-word passphrase. I, however, usually choose something between 7-8 words. Maybe I'm paranoid but I prefer to invest the time to remember such passphrase only once. That's why I choose a slightly longer phrase, just to be safe when 4, 5, or 6 words become less secure (not saying it's gonna happen anytime soon). It's a bit tinfoil hat thinking, I admit that, but I know I'd hate to invest another week just to imprint an new passphrase.

As long as you don't type your passphrase when cameras or people are able to see it over your shoulder, this approach should work well.

mmmm

My crypto wallet forces me to use a 25 word Diceware password. Thats overkill. But the fact of the matter is that 4 words barely achieves 70 bits of entropy depending on the words selected, and that's assuming one 'does it right' using true randomness. Not knowing any facts at all, such as what password manager they use, where their database is kept, how sensitive their database contents are, what type of encryption they have chosen, whether or not they're using multiple factors to unlock, what their threat model is; I strongly believe that suggesting a mere 4 words its absolutely bad advice. You're welcome to your opinion, of course, but its bad advice nontheless.

Phead

mmmm I strongly believe that suggesting a mere 4 words its absolutely bad advice

I feel that way too, without any mathematical proof to support this however irrational feeling, but, to be honest , it's actual work to remember a 8-word passphrase and type that damn thing without errors on a smartphone keyboard (when you choose or are forced to login without biometrics). I have not experienced the willingness of an average person to invest this much work for a password yet, especially on business level. So, a 4 word passphrase might not be as safe but a least a good start - and almost indefinitely more secure than "Honeybear1965" through "Honeybear2065".

mmmm

Phead I do agree, it's a ball ache, especially to type on a smartphone. Four words is definitely more secure than anything most people choose, but I don't believe in replacing one bad practice with another.