What should password/phrase strength be for online accounts?

I know that the bits of entropy should be high when dealing with offline/local items, like desktop encryption or KeePass databases. I personally aim for 256+ bits of entropy for those items. But what should the ideal range be for online accounts?

I’d like to add that most online accounts should really be locked behind a randomized password that is held within your password manager, but I’m referring to specific instances in which you would want/need to memorize it.

In my situation, I use passphrases for important online accounts so that I can log in on a whim if I need to. There should be a point of diminishing returns for how long those passphrases should be, no? If any of you guys could help me understand this, I’d appreciate it.

If the data protected by the password is important to you, or has significant financial value, you should always consider an offline attack. Even when the provider has done its homework, the password authentication is done correctly, and you only have a limited number of tries online, the actual authentication database is always at risk of being exported or stolen, thus enabling an offline attack.

I’m also of course assuming that all your passwords everywhere are unique and with no relation between them.

I would generally currently aim at approximately 75 bits of entropy for a memorable password, and probably try to change it at least once every year or two. If you’re not a very targeted individual, while it’s still possible to brute-force a 75-bit password, in practice it’s both expensive and time-consuming. With a change every now and then, the risk of compromise gets very low.

Due to Moore’s law etc., you should probably add a bit per year, so in 5 years, go for 80 bits, etc. Some providers will wrap your password in a computationally expensive iterative algorithm, and hopefully they will also increase the iterations as the hardware gets faster, thus adjusting for this factor. But unless you know this is a fact, you can’t rely on it. Also, if you don’t change your password, an old database will become subsequently easier and easier to crack with time.

As always, there is no absolute truth here, so your mileage may vary and others may have other opinions on this matter.

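The answer above reasons in bits: a memorable passphrase target (75 bits, plus roughly one bit per year), the expected cost of an offline brute-force attack against a stolen authentication database, and the extra work an iterated password hash imposes. The script below is an added example, not code from either poster, that turns those rules of thumb into numbers. It assumes words are drawn uniformly from a 7776-word diceware-style list, and the attacker's guess rates (`FAST_HASH_RATE`, `SLOW_HASH_ITERS`) are constructed placeholders rather than measured figures; the function names are my own.

```python
import math
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600  # 31,557,600


def passphrase_entropy_bits(wordlist_size: int, num_words: int) -> float:
    """Entropy of a passphrase whose words are chosen uniformly and
    independently from a list of `wordlist_size` words (repeats allowed)."""
    return num_words * math.log2(wordlist_size)


def words_needed(wordlist_size: int, target_bits: float) -> int:
    """Smallest number of words from this list that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def bits_after_years(base_bits: float, years: int) -> float:
    """The answer's rule of thumb: add roughly one bit per year of hardware
    progress to the entropy target."""
    return base_bits + years


def iteration_bits(iterations: int) -> float:
    """Work factor of an iterated password hash, in equivalent bits: every
    doubling of the iteration count costs the attacker as much as one extra
    bit of password entropy."""
    return math.log2(iterations)


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to find a password of the given entropy by brute force,
    assuming the attacker on average has to search half the keyspace."""
    expected_guesses = 2.0 ** bits / 2
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def generate_passphrase(wordlist: list[str], num_words: int) -> str:
    """Pick words with the OS CSPRNG (random.choice() is not suitable)."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))


if __name__ == "__main__":
    WORDLIST_SIZE = 7776       # six-dice diceware-style list (assumption)
    FAST_HASH_RATE = 1e12      # constructed: guesses/s against a fast, unsalted hash
    SLOW_HASH_ITERS = 100_000  # constructed: iteration count of a PBKDF-style hash

    print(f"bits per word from a {WORDLIST_SIZE}-word list: "
          f"{math.log2(WORDLIST_SIZE):.2f}")
    for bits in (75, 80, 128):
        n = words_needed(WORDLIST_SIZE, bits)
        print(f"{bits:>3} bits -> {n} words "
              f"({passphrase_entropy_bits(WORDLIST_SIZE, n):.1f} bits actual)")

    # Each extra bit doubles the attacker's expected cost; the iterated hash
    # divides the guess rate by its iteration count.
    print("\nexpected brute-force time (years):")
    print(f"{'bits':>4} {'fast hash':>12} {'iterated hash':>14}")
    slow_rate = FAST_HASH_RATE / SLOW_HASH_ITERS
    for bits in (60, 70, 75, 80):
        print(f"{bits:>4} {expected_crack_years(bits, FAST_HASH_RATE):>12.3g} "
              f"{expected_crack_years(bits, slow_rate):>14.3g}")

    print(f"\n{SLOW_HASH_ITERS} iterations are worth about "
          f"{iteration_bits(SLOW_HASH_ITERS):.1f} extra bits")
    print(f"target 5 years after aiming at 75 bits: "
          f"{bits_after_years(75, 5):.0f} bits")

    toy_words = ["alpha", "bravo", "charlie", "delta", "echo", "foxtrot"]  # constructed
    print("sample (toy list, far too small for real use):",
          generate_passphrase(toy_words, 4))
```

The table makes the "diminishing returns" point concrete: at 75 bits a fast-hash attacker at the assumed rate already needs hundreds of years on average, and every word added from a 7776-word list buys almost 13 more bits, so a sixth or seventh word is the whole difference between the answer's 75-bit and 80-bit targets. The `iteration_bits` figure shows why the answer says not to rely on the provider's hashing: 100,000 iterations are worth under 17 bits, and only if the provider actually uses and keeps raising them.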