
How can I make sure my master password is as strong as possible?

The password manager I'm using is Bitwarden.

Is creating a passphrase a good idea?

I know it's good to include characters, numbers and words in it, and it's stronger if it's longer.

What else? Any tips? Thanks!

M.I.A.

2 Answers


There are several ways to create a strong master password:

Diceware

Diceware is a simple concept. You take a big wordlist and roll a set number of dice. You then look up the word that corresponds to your dice roll. For example, 21131 can correspond to clock. Repeat this process until you have enough words, such as

flagstick mystic reenacting football pain sightseeing paris

How secure would that be?

A wordlist for 5 dice would be 7776 words (6^5) long. The strength of the diceware password in bits is log_2(w^n), where w is the length of your wordlist (7776) and n is the number of dice. By using simple math, we can modify that term to be n * log_2(w). log_2(w) is a fixed number for our wordlist and is roughly 12.9 bits.

That means that for every word you add, you get about 12.9 bits security. This means 6 words give you almost 80 bits of security, and 10 words give you 128 bits of security.

Advantages

One clear advantage of diceware is that the process is purely random. That means any cracking attempt based on human behavior will not be more successful than a pure brute force attack.

Disadvantages

A disadvantage is that not every diceware password is easily memorable. Wordlists contain words that are not very common or don't even sound like "real" words to non-native speakers (e.g. "cleft", "accra", "gorse", "livre" or "twill"). This makes them potentially hard to remember.

Passphrases

Passphrases are, simply put, very long sentences that can't easily be guessed. An example of a passphrase would be

Blue Light shines from the small Bunny onto the Lake.

Old advice used to be to take the first letter of every word, but that's very bad. Take the whole sentence. Sure, you'll type for a while, but entering your password twice a day (once in the morning, once after lunch) is not that much of a problem.

Advantages

Sentences can be as memorable as required. The best possible passphrases are ones that can be visualized, but that don't make any semantic sense.

Disadvantages

It's easy to make a bad passphrase. Many people will pick quotes from movies, song lyrics or bible verses, thinking "Nobody would ever think of that". Guess what, I don't need you to tell me how fucking good my coffee is, okay? is not as good a passphrase as you may imagine.

Passphrases are in general more difficult to get right, whereas diceware guarantees uniform security.

  • Aren't diceware passwords actually a subset of passphrases? I consider them passphrases. – reed Apr 17 '20 at 14:30
  • @reed Yes, but with the added bonus that they are guaranteed to be random. –  Apr 17 '20 at 14:32
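The diceware procedure and the strength formula n * log_2(w) from the answer above, worked through in code. This is an added illustration, not code from the original post: the roll-to-index mapping, the wordlist parser and the entropy helpers are mine, and the demo uses a constructed placeholder wordlist rather than the real Diceware list (swap in a real list file for actual use). Physical dice are replaced by Python's `secrets` module, which is a CSPRNG and keeps the picks uniform; the `randbelow` parameter exists only so the rolls can be made deterministic when testing.

```python
"""Diceware passphrase generation and strength check (added example)."""
import math
import secrets

DICE_PER_WORD = 5          # standard Diceware: five dice per word
SIDES = 6
LIST_SIZE = SIDES ** DICE_PER_WORD   # 7776 possible rolls


def entropy_bits(wordlist_size, n_words):
    """Strength of n independent uniform picks from w words: n * log2(w)."""
    return n_words * math.log2(wordlist_size)


def words_needed(wordlist_size, target_bits):
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def roll_to_index(roll):
    """Map a dice string such as '21131' to a 0-based index (base 6, digits 1..6)."""
    if len(roll) != DICE_PER_WORD or any(c not in "123456" for c in roll):
        raise ValueError(f"bad roll {roll!r}")
    index = 0
    for c in roll:
        index = index * SIDES + (int(c) - 1)
    return index


def index_to_roll(index):
    """Inverse of roll_to_index: 1308 -> '21131'."""
    digits = []
    for _ in range(DICE_PER_WORD):
        digits.append(str(index % SIDES + 1))
        index //= SIDES
    return "".join(reversed(digits))


def parse_wordlist(text):
    """Parse the 'roll<whitespace>word' format used by Diceware lists into {roll: word}."""
    words = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        roll, word = line.split(None, 1)
        roll_to_index(roll)                 # validates the roll string
        if roll in words:
            raise ValueError(f"duplicate roll {roll}")
        words[roll] = word.strip()
    return words


def roll_dice(randbelow=secrets.randbelow):
    """One word's worth of dice; secrets.randbelow stands in for physical dice."""
    return "".join(str(randbelow(SIDES) + 1) for _ in range(DICE_PER_WORD))


def generate_passphrase(words, n_words, randbelow=secrets.randbelow):
    """Pick n_words by rolling dice and looking each roll up in the list.

    The list must be complete (one word per possible roll). With gaps a roll can
    miss, and quietly re-rolling would shrink the effective wordlist below the
    size entropy_bits() assumes.
    """
    if len(words) != LIST_SIZE:
        raise ValueError(f"wordlist has {len(words)} entries, need {LIST_SIZE}")
    return [words[roll_dice(randbelow)] for _ in range(n_words)]


# Constructed sample in the real file format, used only to exercise the parser.
SAMPLE_LIST = """\
# roll  word
11111   a
21131   clock
66666   zoo
"""

# Constructed, complete placeholder list: every roll maps to a synthetic word.
# For real use: words = parse_wordlist(open("diceware.txt").read())
PLACEHOLDER_WORDS = {index_to_roll(i): f"w{i}" for i in range(LIST_SIZE)}


if __name__ == "__main__":
    for n in (6, 7, 8, 10):
        print(f"{n} words: {entropy_bits(LIST_SIZE, n):.1f} bits")
    print("words needed for 128 bits:", words_needed(LIST_SIZE, 128))
    print("21131 ->", parse_wordlist(SAMPLE_LIST)["21131"])
    print(" ".join(generate_passphrase(PLACEHOLDER_WORDS, 7)))
```

The completeness check in `generate_passphrase` is the practical caveat: the 12.9 bits per word only hold if every roll lands on a word and each word is equally likely, which is why the list size is fixed at 6^5 and why the dice (or CSPRNG) do the choosing rather than a human.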

My tip is to create a long combination of easily memorable phrases, which in turn creates a strong password.

For example:

myvacation2paris-wasincredible

This would be a strong password, no personal information, it's long, contains numbers and symbols. Make sure this is your strongest password.

  • It is generally not advisable to construct valid sentences, since it is much easier to guess that way. – multithr3at3d Apr 16 '20 at 13:00
  • @multithr3at3d Depends on what you mean by "valid". You can make a sentence that is grammatically valid and syntactically nonsense, and you'll likely be fine from straight up dictionary attacks (e.g. famous movie quotes), but with the downside that you are vulnerable against markov chain attacks. –  Apr 17 '20 at 14:34