Elaborate more on passphrase length and strength

A 7-word diceware passphrase, 18 characters of random letters and numbers, 90 bits of entropy, etc. are considered secure against any brute-force attack.

But should we really recommend everyone to use passwords that long? I don’t think so. But right now, we do:

We recommend securing your password manager with a diceware passphrase comprised of at least seven words.

My proposal:

We should educate the reader to allow them to generate a passphrase that suits their threat model, instead of just making them use passphrases that can’t be brute-forced by anyone in the current day and age.

Thoughts?

1 Like

I use Bitwarden’s Password Strength Testing Tool Password Tester | Test Your Password Strength | Bitwarden to see if my passphrase is strong enough. I found just two or three words, spelt incorrectly, is strong enough.

I can imagine how annoying it would be to type 7 words that I can’t see (password entries are typically hidden, but can be shown) on a phone keyboard. Now, I have to stop and examine those words for misspelling. If I forget and hit enter and it’s wrong, all 7 words need to be typed again.

4 Likes

It is mentally draining, and I used it in the past because I thought I needed this to be secure, but in reality this is overkill for almost everyone in the world.

3 Likes

It depends on what you are securing. For example, we know that Bitwarden uses either PBKDF2 or Argon2, which means that you can safely use even a 4-word passphrase as the calculator by Passwordbits demonstrates.

However, for most sites, we don’t know how they implement these things, and thus, using a 7-word passphrase could still be justified. But for most sites, you should probably just use a randomly generated password instead if you never have to type it out yourself.

4 Likes

Well, you only need them for a password manager, your devices, encryption, etc. For registration on sites and everywhere else, generating random passwords in a password manager is the way to go.

5 Likes

3 posts were split to a new topic: Add biometrics guidance to website

My only issue with this is that “threat model” is completely subjective and that it takes people a long time to really understand what a threat model is and how it applies to them. I would like to see some sort of “rule of thumb” suggestions included such as 50+ characters for master passwords, 20+ characters for banking passwords for example.

1 Like

This is not a safe practice. The password strength testers are good at testing randomly generated passwords, not so good at estimating the strength of non-random passwords like this. Things like misspellings may trick the password tester but may or may not meaningfully increase the strength of the password; it is best not to count on it, as many of the common ‘tricks’ people use are not that difficult from a cracking algorithm’s point of view.

A password that is 2-3 misspelled words has a “length” of 2-3 words, not a length of however many characters.

Assuming a 2 word random password generated by Bitwarden the strength is:
log₂(7776²) = 25 bits of entropy

That makes it just slightly weaker than a 4 character random password:
log₂(95⁴) = 26 bits of entropy

Within the Bitwarden (and I believe 1 pass) community it seems like 4-7 words is the generally agreed upon sweet spot that should suit most people. (This is for the master passphrase; for everything else just use a strong randomly generated password.)

I would like to see some sort of “rule of thumb” suggestions included such as 50+ characters for master passwords, 20+ characters for banking passwords for example.

  1. Your master pass should be unique, complex, and random.
    • Random, as in randomly generated, not thought up by you.
    • Unique, as in your master password should not be used as a password for any other accounts.
    • Complex, as in the wordlist or character set should be sufficiently big (use Bitwarden’s or 1Password’s generators, or diceware).
  2. Passphrases are recommended for master passwords not because they are stronger, but because they are easier for us humans to remember and type than a randomly generated password.
  3. A target passphrase length of 4-7 words is probably reasonable for most people (50-90 bits of entropy), >7 words if you are extra cautious, but exceeding 10-12 words will have little to no practical value.
  4. While you can use ‘tricks’ to harden your master passphrase further, you should not rely on those tricks; the password should be strong enough on its own, even if you assume the attacker knows everything about how the password was generated (this is called Kerckhoffs’s Law, and is a standard assumption).
  5. For your other passwords, use your password manager’s random generator; a good target is at least 14+ characters. Exceeding ~20-30 characters has little to no practical value in most cases, but also no ‘cost’ as you don’t have to type these passwords manually.
  6. For your password manager and for any other important account that allows it, you should enable 2FA.
  7. You should have a strategy for backing up your password vault.
  8. Biometrics have pros/cons. You should look into them on your own. One thing to be aware of is that in some countries like the United States you cannot be legally compelled to divulge a password/phrase, but you can be legally compelled to unlock via biometrics.

suggestions included such as 50+ characters for master passwords, 20+ characters for banking passwords for example.

This indicates to me that you may be thinking about passwords in an unsafe way. Because almost no human can remember a 50 character randomly generated password, I suspect you are thinking of a passphrase (a password made up of words) but measuring its length in characters, which gives a false sense of security. When estimating the strength of a passphrase you count the words, not the characters, because an adversary would use a wordlist, and the passphrase would be cracked using a wordlist long before it would be cracked using characters. For reference, a strong 6 word passphrase is roughly equivalent in strength to a strong 12 character password, and a 4 word passphrase is roughly equivalent to a strong 8 character password.

7 Likes

Meeting the minimum standard for password security is not a matter of threat modeling. There are some universal threats on the internet by virtue of being connected to everybody on Earth, and I don’t think we can rightly recommend anything weaker than these minimum specifications.

7 Likes

Sorry, I meant for those examples to be examples of “rules of thumb”, not as anything someone should use as a guideline for passwords. I should have worded my thoughts more clearly.

This is a great bit of info though!

If I need a password I should remember without a password manager, I use 3-5 words in 2-4 different languages, plus a number and at least one capital letter.

For anyone interested in the math, here is the basic formula for measuring a password/phrase’s entropy:

Entropy = log₂(Rᴸ)

(where R = the size of the character set or wordlist (e.g. 26 for just lowercase letters, 95 for all symbols on a keyboard, or 7776 for Bitwarden’s wordlist) and L = length in characters or words)

So for example a 5 word passphrase from a 7776 word list would be: log₂(7776⁵) = 64 bits

You don’t have to use the formula in practice, but understanding it and playing around with it a bit will give you a more intuitive understanding of the two-dimensional nature of password strength (password length and character/word set).

My memory is rusty on how key derivation functions apply. IIRC if you use PBKDF2 (which was the standard until recently) the formula is Equivalent Entropy = log₂(Rᴸ) + log₂(iterations), where iterations are the number of PBKDF2 iterations. So sticking with our same example above but adding 600k iterations:

log₂(7776⁵) + log₂(600000) = 83 bits. In other words, 600k PBKDF2 iterations would add the equivalent of 19 bits of entropy to the 5 word passphrase (if I am remembering correctly, and got the math right; please double-check before relying on it).

edit: and for those whose eyes glaze over at the mention of math, a less technical and more intuitive way to quantify password strength is estimating cost to crack.

1 Like

The minimum would be a 4 word diceware passphrase, 7 word diceware passphrase is the maximum, and everything beyond that is just silly.

I would like to know where this “standard” originally came from and why you consider it to be the minimum.

@xe3 already linked a good blog post that I wanted to share, but he was faster, which shows how much it would cost to crack a passphrase or a password.

This blog post shows what length of a passphrase is actually reasonable to use for 99% of people.

2 Likes

I am a reasonable guy; I am willing to save hackers some cash and sell you my master password for just half a trillion dollars.

3 Likes

FWIW my recommendation of a 4-7 word range is based on what makes sense as a target range “for most people”. I think most everyone will find a point in that range that is sufficient for them, but at the same time the lower end of that range may not be (or feel) sufficient for some people.

So while this is the general guidance I tend to give people, and the cost to crack a 4 word passphrase is still immense, for this community specifically I can understand giving slightly more conservative guidance, since by nature or by necessity we tend to fall on the more conservative/cautious side of the spectrum here.

I personally prefer giving a range that gives people an indication of a reasonably secure minimum, and a reasonably practical upper limit rather than a specific recommendation, but I can also understand why a site like PG would choose a recommendation towards the top end of my range if they are going to give a specific concrete recommendation (“7 words minimum”) as opposed to a range.

Communicating password strength and good password hygiene is a surprisingly hard thing to do. I do not envy those who have to formally give recommendations to a broad audience on this subject.


Many people have a better intuitive understanding of password strength in characters than password length in words, here are some rough equivalents (assuming 95 character set / 7776 word list, and randomly generated passwords):
3 words = 6 characters = ~35-40 bits
4 words = 8 characters = ~50 bits
5 words = 10 characters = ~65 bits
6 words = 12 characters = ~75-80 bits
7 words = 14 characters = ~90 bits
[…]
10 words = 20 characters = exceeds the strengths of a 128 bit encryption key
20 words = 40 characters = exceeds the strength of a 256 bit encryption key

1 Like
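The entropy formula, the PBKDF2 iteration bonus from the post above, and the words-to-characters table in the previous post can all be reproduced with a few lines of arithmetic. This is an added example, not code from the thread or from any password manager; the pool sizes (95 printable characters, the 7776-word list) are the ones the thread uses, and 600,000 is the iteration count from the example above.

```python
import math

# Pool sizes used throughout the thread (constructed constants, not from any product).
CHARSET = 95     # printable ASCII characters on a keyboard
WORDLIST = 7776  # EFF/diceware word list (6^5 words)


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of a uniformly random secret: log2(R^L) = L * log2(R)."""
    return length * math.log2(pool_size)


def kdf_equivalent_bits(pool_size: int, length: int, iterations: int) -> float:
    """Entropy plus the work-factor bonus of an iterated KDF such as PBKDF2:
    log2(R^L) + log2(iterations). Each doubling of iterations adds one bit."""
    return entropy_bits(pool_size, length) + math.log2(iterations)


def equivalent_chars(words: int, wordlist: int = WORDLIST, charset: int = CHARSET) -> int:
    """Smallest number of random characters from `charset` whose entropy is at
    least that of `words` random words from `wordlist`."""
    return math.ceil(entropy_bits(wordlist, words) / math.log2(charset))


def strength_table(word_counts):
    """Rows of (words, rounded bits, equivalent random characters)."""
    return [(w, round(entropy_bits(WORDLIST, w)), equivalent_chars(w)) for w in word_counts]


if __name__ == "__main__":
    print(f"5 words:            {entropy_bits(WORDLIST, 5):.1f} bits")
    print(f"5 words + 600k PBKDF2: {kdf_equivalent_bits(WORDLIST, 5, 600_000):.1f} bits")
    print("words  bits  equivalent chars")
    for words, bits, chars in strength_table([3, 4, 5, 6, 7, 10, 20]):
        print(f"{words:>5}  {bits:>4}  {chars}")
```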

I have been using password managers over the decades, and the thing I notice is that the minimal length is an unsafe betting scheme. The simple reason is that it rests on your belief: will the password hold? What is minimal length today is a hack tomorrow. I have seen the minimal length scale up over the decades to its current length at present.

You’re using a password manager for a reason; stop hobbling the program with minimal length passwords. In time you’re going to change those minimal length passwords again and again. Personally, for me, passphrases with lengths of 7–9 words were possible, since I have no intention of remembering these passwords.

Experts agree that increasing the length of a password is much more important than adding complexity requirements, such as mandating the use of numbers, letters, and symbols.
But even more important is ensuring that the password is truly random.

Do you want security or chance?

1 Like

Based on the recommendation of Kicksecure, a 7-word passphrase is recommended against classical computing attacks. 1Password has an advantage that other password managers don’t: they have a secret key function, which is why it’s still secure even if they use a 4-word passphrase.

This is where you invent fake words, or add a few random letters/numbers.

Idk where you get that really small 7776 word list

The english language alone contains at least a million words. How many words are there in English? | Merriam-Webster

So your math is already wrong.

1 Like

The word list is based on the EFF word list, which consists of 7776 words.

1 Like