Elaborate more on passphrase length and strength

It’s a really, really small wordlist; it doesn’t even have basic words like keyboard or question or weird. This also does not include typos: even adding a single letter to the end (e.g. abacusa, abacusb, abacusc, etc.) already increases the wordlist by 7776*26=202176. You also need to include every possible permutation of caps lock. Have I mentioned adding numbers?

This is why I’m saying that the math is wrong

(also, just adding a single made up word not on the list will turn the whole dictionary attack useless)

Edit: cracking with that list will also fail on “correct horse battery staple”

1 Like

Idk where you get that “really small” 7776 word list

It is the most commonly used wordlist length. The 7776 wordlist is what Bitwarden and KeePassXC use; it comes from the EFF large wordlist (also 7776 words), which is based on the Diceware lists (also 7776 words). Many (but not all) password managers and password generators use this list length.

So your math is already wrong

You seem to be missing the point of the math.
Math is not wrong because a variable could be different. The math doesn’t produce set-in-stone numbers; it differs based on the variables. I chose to use two of the most commonly used values (7776 wordlist, 95 character set) for my examples, and I made clear (or tried to) that both password length and character set/wordlist length are variables/inputs that you change to fit your scenario. If you haven’t understood that you adjust those inputs to fit your situation, you haven’t understood the math.

That absolutely doesn’t “make the math wrong”. The math works, you just need to use the correct variables for your situation.

This is where you invent fake words

This is both true, and also poor advice to rely on for a strong password. Humans are poor sources of randomness, poor judges of password strength, that is the whole point of using random mathematically complex passwords that are not human created. Using a fake word as part of an already strong password is a fine idea, but relying on a fake word alone or other tricks to make your password strong is less secure. (ironically, that is a big part of what the comic you linked to is intending to explain)

3 Likes

What I’m arguing against is you using the input (7776 wordlist) to also argue against typos, fake words, and other factors, when you know really well that even adding a single one of those will either completely break a dictionary attack or at the very least exponentially increase the potential combinations.

Of course, because the equation is exponential, longer passwords are almost always safer than short passwords. But 2-3 misspelled words already explode the number of words the dictionary needs to check, making the original 7776 equation not apply.

e.g.

This does not include letter deletion and permutation. Yes, humans are a bad source of true randomness. But I don’t think we’re at a point where password crackers could accurately predict human randomness.

Only conclusion I think we can actually get from the 7776 words variable is, don’t use short default generated passwords
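The arithmetic both sides of this thread are using, written out as a small added example (not code from any post above, and not Bitwarden's or KeePassXC's own code). It takes the wordlist size and character set size as inputs, as the 7776/95 posts insist, and also prices the "tricks" from the other posts (an appended letter, case flips, appended digits) as multipliers on the candidate space. That mangling model is an assumption: it credits each trick only with the choices the attacker still has to guess, i.e. it assumes the attacker already knows which tricks were applied. The guesses-per-second figure in the demo is likewise an assumed number, not a measurement.

```python
import math

# Inputs the thread argues about. Both are variables, not fixed constants.
EFF_LARGE_WORDLIST = 7776   # Diceware / EFF large list size used by Bitwarden and KeePassXC
PRINTABLE_ASCII = 95        # printable ASCII set used for random character passwords


def bits(space_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random string of `length` symbols, each drawn
    independently from a set of `space_size` symbols: length * log2(space_size)."""
    return length * math.log2(space_size)


def passphrase_bits(num_words: int, wordlist_size: int = EFF_LARGE_WORDLIST) -> float:
    """Entropy of a generated passphrase: every word is a uniform pick from the list."""
    return bits(wordlist_size, num_words)


def password_bits(num_chars: int, charset_size: int = PRINTABLE_ASCII) -> float:
    """Entropy of a generated character password."""
    return bits(charset_size, num_chars)


def mangled_passphrase_space(num_words: int,
                             wordlist_size: int = EFF_LARGE_WORDLIST,
                             appended_letters: int = 0,
                             case_toggled_letters: int = 0,
                             appended_digits: int = 0) -> int:
    """Candidate space for a generated passphrase plus the tricks from the thread.

    ASSUMPTION (model, not a measurement): the attacker knows which tricks were
    applied and only has to guess the choices, so each trick is a multiplier:
      - each letter appended to a word:        26 choices (the thread's 7776*26)
      - each letter whose case may be flipped:  2 choices
      - each appended digit:                   10 choices
    If the attacker did *not* know, the space would be larger; if the tricks are
    human-chosen rather than random, the *effective* space is smaller.
    """
    space = wordlist_size ** num_words
    space *= 26 ** appended_letters
    space *= 2 ** case_toggled_letters
    space *= 10 ** appended_digits
    return space


def space_bits(space: int) -> float:
    """Convert a candidate-space size back to bits so it can be compared with the above."""
    return math.log2(space)


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random secret: on average half the space is searched."""
    return (2.0 ** entropy_bits) / 2.0 / guesses_per_second


if __name__ == "__main__":
    rate = 1e10  # ASSUMED offline guess rate for illustration only

    four_words = passphrase_bits(4)                  # "correct horse battery staple" style
    ten_chars = password_bits(10)                    # 10 random printable ASCII characters
    one_letter_added = space_bits(mangled_passphrase_space(4, appended_letters=1))
    one_word_added = passphrase_bits(5)

    print(f"4 words from 7776:            {four_words:5.1f} bits, "
          f"~{expected_crack_seconds(four_words, rate) / 86400:.1f} days at {rate:.0e}/s")
    print(f"10 random ASCII chars:        {ten_chars:5.1f} bits")
    print(f"4 words + 1 appended letter:  {one_letter_added:5.1f} bits (+{one_letter_added - four_words:.1f})")
    print(f"5 words (one more word):      {one_word_added:5.1f} bits (+{one_word_added - four_words:.1f})")
```

Running it makes both points in the thread concrete with the same inputs: appending a letter to one word is worth log2(26), about 4.7 bits, while adding one more random word from the same list is worth log2(7776), about 12.9 bits, so "just use a longer generated passphrase" beats the tricks even under the generous assumption that the tricks are chosen at random. Change `EFF_LARGE_WORDLIST` or `PRINTABLE_ASCII` to match whatever generator you actually use.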