depending on what you mean by passphrase, “dictionary resistant” is kind of the opposite of how I’d describe them. Sure they’ll be long and unique but an english language dictionary will surely make bruteforcing them a lot easier
my main opinion is just that simple pass phrases ala: https://xkcd.com/936/ can be brute forced with an english dictionary which is super predictable. tossing in leet speak or a caesar cipher or almost anything else is unpredictable enough to make that risk pretty low unless the attacker knows you are using it.
From what I understand it doesn’t help at all. I’m not a crypto (cool crypto, not fake banking) guy but from what I know passphrases generate much entropy. That said, I stick with passwords that are easier to enter, but still pretty high entropy
hmm. you know I haven’t done the math in a while but you might be partially right. It definitely does still help to use a dictionary for passphrases, but especially if you include all the words in the english language, not just a much smaller subset like diceware, and if you add anything to dress it up a little, it can still be pretty hard to crack… before password managers were a thing I was known to do like 3-5 random words plus 2-4 digits, and maybe a punctuation character if I was feeling spicy. A pre-calculated hash/rainbow table attack is not feasible if the password hashes are properly salted but a plain wordlist/dictionary attack still is
For the curious, I came up with something like 650-700 years on average to crack a 4 random word passphrase at 20 billion tries/sec (that rate was a real life example sourced from some pentesting firm’s site) if your word list includes every last word in modern use in english (171000 words). If your wordlist is only 2048 common words (like diceware) though, that’s like 10 minutes or less.
xkcdpass (based on the well known comic) by default uses the EFF’s long wordlist, which is 7776 words I believe, so a 4 word passphrase from that would average about 24 hours to crack at that same speed. Not great but if you spice it up with digits, special chars, etc then maybe that’s okay for the average person. But it’s pretty long to type out especially on mobile.
depending on what you mean by passphrase, “dictionary resistant” is kind of the opposite of how I’d describe them. Sure they’ll be long and unique but an english language dictionary will surely make bruteforcing them a lot easier
that’s why you use pig latin
I’ll stick with 1337 5P33K
that’s very common, widely understood and easy to replicate, i.e., not that great
make up your own 1337 5p33k with 3 characters changed
I simply become the zodiac and convert my pass phrase to a cipher
I mean it’s better than pig latin lol
my main opinion is just that simple pass phrases ala: https://xkcd.com/936/ can be brute forced with an english dictionary which is super predictable. tossing in leet speak or a caesar cipher or almost anything else is unpredictable enough to make that risk pretty low unless the attacker knows you are using it.
multiple language passphrase and proper nouns
From what I understand it doesn’t help at all. I’m not a crypto (cool crypto, not fake banking) guy but from what I know passphrases generate much entropy. That said, I stick with passwords that are easier to enter, but still pretty high entropy
hmm. you know I haven’t done the math in a while but you might be partially right. It definitely does still help to use a dictionary for passphrases, but especially if you include all the words in the english language, not just a much smaller subset like diceware, and if you add anything to dress it up a little, it can still be pretty hard to crack… before password managers were a thing I was known to do like 3-5 random words plus 2-4 digits, and maybe a punctuation character if I was feeling spicy. A pre-calculated hash/rainbow table attack is not feasible if the password hashes are properly salted but a plain wordlist/dictionary attack still is
For the curious, I came up with something like 650-700 years on average to crack a 4 random word passphrase at 20 billion tries/sec (that rate was a real life example sourced from some pentesting firm’s site) if your word list includes every last word in modern use in english (171000 words). If your wordlist is only 2048 common words (like diceware) though, that’s like 10 minutes or less.
xkcdpass (based on the well known comic) by default uses the EFF’s long wordlist, which is 7776 words I believe, so a 4 word passphrase from that would average about 24 hours to crack at that same speed. Not great but if you spice it up with digits, special chars, etc then maybe that’s okay for the average person. But it’s pretty long to type out especially on mobile.