DEV Community

loading...

Creating and Remembering a Strong Passphrase

Lane Wagner
Golang and javascript dev interested in distributed systems and cryptography
Originally published at qvault.io on ・3 min read

By Lane Wagner

We all have hundreds of online accounts. Ideally, as many of those accounts as possible have unique passwords. Unique passwords however present a difficult problem:

No one can remember hundreds of strong passwords.

To fix this problem, we created password managers. Now, all of our passwords are neatly stored in one place, encrypted by one master password or passphrase. The problem with this of course is the master password or passphrase needs to be very secure.

Which should be used? A password or passphrase?

Passphrases are Better Than Passwords

https://xkcd.com/936/

This XKCD comic does a good job of explaining the difference between passwords and passphrases. A password is easier for a computer to guess (less entropy), and also is much harder to remember! There is NO REASON we should be using passwords.

Entropy

You may have noticed in the comic that the example password has 28 bits of entropy while the passphrase has 44. Entropy just means the number of possibilities that an attacker would need to guess in order to crack a password or passphrase.

For example, a recovery code on a qvault card has 16 characters, and each character has 58 possibilities. This means that there are:

58^16 = 16,400,152,899,115,243,850,138,976,256 possibilities.

If we take the base 2 logarithm of the number of possibilities then we arrive at how many bits of entropy the recovery code contains.

log2(58^16) = 93.73 Bits of entropy.

The chart below gives a rough idea of how long a given password or passphrase will take to crack based on how many bits of entropy it has and how many guesses per second the attacker can make (which depends on their hardware).

entropy chart

How to Remember

Now that we have covered why and how a passphrase is safer than a password, lets look at how to create a memorable passphrase. The key to a memorable passphrase is imagery. The idea is to take 4 or 5 random words, and use those words to create an image in your head. The more ridiculous the image, the easier it will be to remember.

The correct horse battery staple from the above XKCD is a good example, but I’ll give you another one. Let’s pretend you are trying to remember:

banana army acid nose spray

I would probably imagine an army of bananas doing acid while being sprayed out of a giant nose. If I repeat “banana army acid nose spray” out loud a couple times while imagining this ridiculous scene, then I can memorize it in just a couple seconds.

Repeating it a couple times allows you to remember the exact order of the words, but picturing the image is what will cement ii in your mind for the long term.

I hope this helps you create secure passphrases! As always, stay safe online! Its a dangerous place.

The post Creating and Remembering a Strong Passphrase appeared first on Qvault.

Discussion (1)

Collapse
simbo1905 profile image
Simon Massey

You can backup your passphrase using Shamir's secret sharing scheme. You decide how many shares will be needed to recover the passphrase and how may shares exist in total. You then distribute the shares to safe places in case you ever need them. I know a cryptocurrency wallet that uses this algorithm for users to be able to always recover their bitcoins.

You might decide five shares in total and that at a minimum three must be combined to recover the passphrase. You can then distribute them. You might give one share to each of three trusted friends and write down two shares and lock one you office and one in your apartment. That way if you ever forget your phrase you can recover three shares and recover your passphrase. Meanwhile, it's very hard for anyone else to obtain three of the five shares to steal your passphrase. In the Bitcoin scenario, you can list the location of all the shares in your so that your digital wallet passphrase can be recovered by your heirs.

I ported a Java implementation of Shamir’s scheme to JavaScript and published it on npm. It is called simply “shamir”. The code is up on github.