Law Enforcement Can Break 77% Of ‘Three Random Word’ Passwords
#cybersecurity #passphrase
good thing correcthorsebatterystaple is four
@thenewoil@mastodon.thenewoil.org
I use #diceware random words and have never used as few as 3 so this doesn’t surprise me. The author advocates for using #passkeys but I have so far resisted that advice from him and others. Using a #password mgr with a browser extension, passkeys seem to be only a small increase in utility. Also don’t like the “black box” aspect of passkeys: what are they, where are they locally, how secure is this system. Happy to hear how I am wrong to be a passkey skeptic.

“up to 77.5% of passwords,” created this way can be “cracked using a 30% common-word dictionary subset.”
I guess passwords that use pseudo-words from the Xkpasswd generator like
Sciant-Opsic-Hobshant741&;|
wouldn’t be in that subset. However it doesn’t seem terribly secure either but it is easier to remember than a pseudo-random password of the same length.

However the idea of using passkeys irks me a bit since they seem to be dominated by corporate interests. But I admit I haven’t looked for FOSS passkey solutions.
I normally do a 40 char pseudo-random password with all the special characters but sometimes the length must be a lot shorter or limit the special characters. Also if I’m typing it out it’s a lot harder than pseudo-words.
What exactly is a passphrase?
They seem to be using a dictionary consisting of the 30% of words in the Brown corpus which are the most common. So a ~20k word dictionary, very small.
The study does not really tell us anything about what “law enforcement can break.” Nor does it tell us anything about “three random word” passphrases. It tells us that people who do pick a three-word passphrase often do not choose those words well and do much worse than if they had chosen them at random from a dictionary of reasonable size.
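The distinction the post above draws (words chosen at random from a known list versus words people pick themselves) is easiest to see as arithmetic on the search space. The following is an added example, not code from the thread or from the article it discusses: it generates a passphrase with the OS CSPRNG (`secrets`, not `random`) and computes how many bits a uniform draw yields for the ~20k-word subset mentioned in the thread, for a standard 7776-word diceware list, and how many words are needed to reach a chosen target. The eight-word `SAMPLE_WORDS` list is a constructed stand-in so the block runs offline; only the dictionary sizes matter for the entropy figures.

```python
import math
import secrets

# Constructed stand-in for a real word list; a real diceware list has 6**5 = 7776 words.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "cloud", "river", "maple", "quartz"]

DICEWARE_SIZE = 7776      # standard diceware list (five dice)
STUDY_SUBSET_SIZE = 20000  # approx. size of the 30% common-word subset discussed above


def passphrase_entropy_bits(dict_size: int, n_words: int) -> float:
    """Entropy of n words drawn uniformly, with replacement, from a list of dict_size words.

    This only holds when every word is chosen by a uniform random process; a human
    picking 'three random words' from memory draws from a much smaller, skewed set.
    """
    return n_words * math.log2(dict_size)


def words_needed(dict_size: int, target_bits: float) -> int:
    """Smallest number of uniformly drawn words reaching target_bits of entropy."""
    return math.ceil(target_bits / math.log2(dict_size))


def generate_passphrase(words: list[str], n_words: int, sep: str = "-") -> str:
    """Draw n_words uniformly with the OS CSPRNG and join them.

    secrets.choice is the right primitive here; random.choice is seeded from a
    non-secret state and must not be used for credentials.
    """
    return sep.join(secrets.choice(words) for _ in range(n_words))


def expected_exhaustive_seconds(dict_size: int, n_words: int, guesses_per_second: float) -> float:
    """Expected time to find a uniformly chosen passphrase by exhaustive search.

    On average half the space must be tried; this is the resistance figure a
    defender compares against a password policy's required lifetime.
    """
    space = dict_size ** n_words
    return (space / 2) / guesses_per_second


if __name__ == "__main__":
    for size, label in ((STUDY_SUBSET_SIZE, "20k common-word subset"), (DICEWARE_SIZE, "7776-word diceware")):
        for n in (3, 4, 6):
            bits = passphrase_entropy_bits(size, n)
            print(f"{label}: {n} words -> {bits:5.1f} bits")
    print("words of diceware needed for 77 bits:", words_needed(DICEWARE_SIZE, 77))
    print("example (from the constructed list):", generate_passphrase(SAMPLE_WORDS, 4))
```

Three uniformly chosen words from a 20k list come to about 43 bits, which is why the thread's point matters: the study's high crack rate reflects non-uniform human choice, not a weakness in a random three-word draw, and adding words raises the figure linearly in bits (exponentially in guesses).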
This seems to assume the format of the password is known. Not surprised that makes it easier to brute force.