Where should I not use a passphrase?

So is it fine to use a passphrase anywhere (for the average user)?
I found them so much easier to work with.

I found this explanation confusing:

FAQ: What are some BAD use cases for Diceware?

You should not use Diceware in any cases where it is highly likely an attacker can get a copy of your encrypted password and use high-volume cracking attempts against it. A bad case, possibly the worst case, for using Diceware would be to secure your BitCoin wallet, because all BitCoin nodes have a copy of the BitCoin Ledger, and an attacker could attempt password cracking your wallet. Better still, don't use BitCoin. (Seriously, avoid crypto and NFTs.)

Source: https://diceware.dmuth.org/

The advantage of diceware passphrases is that you can accurately calculate the entropy that a certain passphrase has, and therefore how difficult it is to crack.

I would say that using truly random diceware passphrases across the board is fine, as long as the password has enough entropy (such as a diceware passphrase with 7-10 words using the EFF large list).

The issue is that a lot of websites wrongly require your password to meet extremely specific, yet arbitrary requirements such as “Your password needs to be longer than 8 characters, shorter than 20 characters, it needs to contain 17 special characters and you need to chant OPEN SESAME! every time you input it to login”.

In those cases, the service you’re using is actively preventing you from using a diceware passphrase with enough entropy (the service needs to allow your password to have considerable length, for example).

In those cases, you should be using your password manager's password generator to generate a password that meets that website's or service's criteria.

If you haven’t already, I highly recommend you check out our Introduction to Passwords Knowledge Base page for more information!

1 Like

I would say the problem is that there are a finite number of words which folks usually choose from when using diceware.

That way, with enough computing power, the chances of it being cracked are much bigger.

With normal websites though, the service usually blocks you for a set amount of time after multiple failed login attempts, so brute-forcing all possible diceware combinations is much less likely to happen.

1 Like
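The arithmetic behind the two replies above (a 7776-word EFF large list gives about 12.9 bits per word, 7 to 10 words lands between 80 and 128 bits, and the same passphrase survives an online, rate-limited login far longer than an offline copy of the encrypted data), worked through as an added Python example. This is not code from the thread, from the EFF, or from any diceware tool. The word list is a constructed stand-in (the real EFF list is not embedded, only its size and its five-dice key layout), and the guess rates in the table are assumed illustrative figures, not measurements.

```python
import math
import secrets

# The EFF large wordlist has one entry for every 5-dice key 11111..66666, i.e. 6**5 = 7776.
EFF_LARGE_WORDLIST_SIZE = 6 ** 5

# Constructed stand-in so the example runs offline; the real list maps each dice key
# to an English word rather than to "word0310".
DEMO_WORDLIST = [f"word{i:04d}" for i in range(EFF_LARGE_WORDLIST_SIZE)]


def bits_per_word(wordlist_size=EFF_LARGE_WORDLIST_SIZE):
    """Entropy contributed by one uniformly chosen word: log2(list size)."""
    return math.log2(wordlist_size)


def passphrase_entropy_bits(num_words, wordlist_size=EFF_LARGE_WORDLIST_SIZE):
    """Entropy of num_words independent, uniform picks.

    Only valid when the words really are chosen by dice or a CSPRNG; hand-picked
    words from the same list are far more predictable than this number suggests."""
    return num_words * bits_per_word(wordlist_size)


def words_needed_for(target_bits, wordlist_size=EFF_LARGE_WORDLIST_SIZE):
    """Smallest number of words that reaches target_bits of entropy."""
    return math.ceil(target_bits / bits_per_word(wordlist_size))


def roll_dice_key(rng=secrets.SystemRandom(), dice=5):
    """Simulate the five physical d6 rolls used to look up one word, e.g. '31425'."""
    return "".join(str(rng.randrange(1, 7)) for _ in range(dice))


def dice_key_to_index(key):
    """Map a dice key like '12345' to its 0-based position in a key-sorted list.

    The key is a base-6 number whose digits run 1..6 instead of 0..5."""
    if len(key) != 5 or any(c not in "123456" for c in key):
        raise ValueError(f"bad dice key {key!r}")
    index = 0
    for c in key:
        index = index * 6 + (int(c) - 1)
    return index


def generate_passphrase(num_words, wordlist=DEMO_WORDLIST, roll=roll_dice_key):
    """Pick num_words words by (simulated) dice rolls; roll is injectable for testing."""
    return [wordlist[dice_key_to_index(roll())] for _ in range(num_words)]


def expected_crack_seconds(entropy_bits, guesses_per_second):
    """Average time to hit a uniformly random secret: half the keyspace, on average."""
    return (2.0 ** entropy_bits) / 2.0 / guesses_per_second


def crack_time_years(num_words, rates):
    """Expected crack time in years for each named guess rate (name -> guesses per second)."""
    seconds_per_year = 365.25 * 24 * 3600
    bits = passphrase_entropy_bits(num_words)
    return {name: expected_crack_seconds(bits, rate) / seconds_per_year
            for name, rate in rates.items()}


if __name__ == "__main__":
    # Assumed, illustrative guess rates, not measurements.
    RATES = {
        "offline, fast unsalted hash on a GPU rig": 1e11,
        "offline, slow wallet KDF": 1e4,
        "online, locked out after 5 tries per 15 min": 5 / 900,
    }
    print("sample passphrase:", " ".join(generate_passphrase(7)))
    for n in (3, 5, 7, 10):
        print(f"\n{n} words = {passphrase_entropy_bits(n):.1f} bits")
        for name, years in crack_time_years(n, RATES).items():
            print(f"  {name:45s} {years:12.3g} years")
    print("\nwords for 80 bits:", words_needed_for(80), "| for 128 bits:", words_needed_for(128))
```

Run it and the table shows why the quoted FAQ singles out wallets: a three-word passphrase that would take centuries to brute-force through a lockout-protected login falls in seconds against an offline copy hashed with a fast function, while seven or more words from the full list stay out of reach in every column.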