> confirmed that “up to 77.5% of passwords,” created this way can be “cracked using a 30% common-word dictionary subset.”
Correct me if I’m wrong, but doesn’t this mean that up to 77.5% of passwords known to be exactly three words can be cracked using a 30% common-word dictionary subset?
First time I've heard of this "three words" - is this actually promoted? Canonical "correct horse battery staple" is 4. 5+ truly random should still be strong.
Ditto. I use 5 to 6. Also, the problem with recommending passphrases is that I don’t see a decent explanation from those recommending them as to how they work. Yes, I get that they are public key cryptography, but the details of the actual implementations (each seems different) make them confusing. And where there is confusion there is room for exploitation.
For a long time I used the "KeePass" family of password managers (KeePass2, DX, XC, etc.)
Their feature set seemed calibrated for the truly paranoid cypherpunks, and I rolled with it.
Then I began taking a critical look, and the first thing I noticed was that their dev team was a bunch of nobodies with creepy aliases and mostly seemed based in the E.U., definitely not USA/5 Eyes or anything.
Okay, well, critical security component is controlled by Euro-spooks, no problem...
I never seemed to have any password manager-related problems, except...
I often opted for generation of a "five word passphrase" like the xkcd recommendation, and I would go back and type in those passphrases, and they seemed almost insultingly accurate. Like if I didn't know any better, my identity or personal attributes were carefully encoded in the passwords themselves.
I am sure I was imagining things, [over-the-top with my tinfoil hats!] but eventually I moved past needing KeePass, and into the native managers offered by Microsoft/Google. Interesting times, for sure.