30

E.g. if I were to register for a new website and am prompted for a password, my browser might generate a complicated password that looks like uv^2<YGYy}#Vj}=f which might be impossible to crack but also impossible to remember.

Why such passwords instead of, say, AllThatIsGoldDoesNotGlitterNotAllWhoWanderAreLost which uses fewer characters but is much longer? The sheer length (49 characters) should also make it impossible to crack, but because it's a recognizable phrase it's also much easier to remember.

schroeder
Allure
  • Sadly most websites I come across still don't treat password length as the ultimate goal and just require numbers, symbols, upper case letters (and in the worst case have a length *limit*) – Brian Leishman Nov 15 '21 at 13:04
  • `AllThatIsGoldDoesNotGlitterNotAllWhoWanderAreLost` - although this particular example is rather too "recognizable" and is probably easily cracked! – MrWhite Nov 15 '21 at 14:01
  • Let's say 8 billion humans start writing down random unique sentences. Let's say each human generates 10k sentences per day. Let's say they do this for 200k (~ time since evolution of homo sapiens). Then we would have generated ~10^21.8 < 10^22 unique sentences. This would be ~10 times **less** than 16-character passwords **using only lowercase ASCII** (~10^22.63). So using random sentences from a random book, no matter your selection of books, has tiny entropy compared to pure random characters. – Bakuriu Nov 15 '21 at 20:16
  • @Bakuriu how is that relevant? I could use your example with random characters and end up with the same amount of unique passwords. You seem to mix the amount of **possible** sentences with the amount of **generated** sentences. – Polygorial Nov 15 '21 at 23:27
  • @Polygorial it is relevant because the lower the entropy the easier (theoretically) it is to find out the password. Higher entropy means more information is required to determine the password. – Gabriel Sandoval Nov 16 '21 at 02:08
  • That only helps you if you know in advance that the password is made of capitalized words. If you don't know that then you still have to choose between trying combinations of capitalized words and every other form a password could take. – Turksarama Nov 16 '21 at 03:17
  • Sure, a password based on the whole character set is a lot shorter than one made of words with the same entropy--but which one is easier to type? Sometimes you need to. – Loren Pechtel Nov 16 '21 at 04:08
  • @GabrielSandoval the entropy matters, of course. But how many sentences a number of people can make in an amount of time doesn't tell how many passwords are possible using that method, thus says nothing about the entropy. Let's say we have that amount of unique sentences, what stops me from creating a sentence that's not in that list already? – Polygorial Nov 16 '21 at 07:39
  • I created https://phrase.shop to generate secure yet memorable passphrases. Check it out! – Philip Nov 16 '21 at 14:29
  • I use phonetic spelling to translate complicated combinations of letters, numbers, and symbols to phrases for those rare occasions when I need to write a password on a piece of paper (rather than use the system clipboard). If the generator provides "1Il|..." I write down "one INDIA lima pipe". It is also good if I need to pass the password verbally, but outside that context what is the point? – emory Nov 16 '21 at 14:57
  • Instead of using the words directly, you could use the phrase as a mnemonic for a more traditional password like `at=Au!g!aww=l`. – dan04 Nov 16 '21 at 16:51
  • For what it's worth, some password managers _do_ use strings of random words for their generated passwords. You shouldn't ever need to _remember_ passphrases stored in your password manager, but they are much easier to type should the need arise. – Ajedi32 Nov 16 '21 at 18:03
  • As has been mentioned, many password managers have options to generate phrased passwords, and also provide parameters for length, adding hyphens, commas etc. They can be amusing as well, for example 1password just generated "stutter hum say fleshy" for me... – Sarah Shelby Nov 17 '21 at 00:23
  • The intent is that you let the browser remember the password rather than trying to remember it yourself. – James Westman Nov 17 '21 at 01:49
  • @Polygorial The OP says that the advantage is that you can use a **recognizable** phrase, which, to me, implies a **well known, EXISTING, phrase**. I just wanted to point out that from a cryptographic perspective the number of phrases ever uttered is way too small to be a sufficient random pool, even if we include not recognizable phrases. – Bakuriu Nov 17 '21 at 07:44
  • @Bakuriu I agree on that, and now understand the intent of your original comment :-) – Polygorial Nov 17 '21 at 11:04
  • Also, passwords made out of pure words technically have far fewer possible combinations per length; you'll rarely (if ever) find "xx", "xz", "rz", "qk" etc. in English words. With 10 lowercase characters, there's nowhere near 26^10 different combinations – nenadp Nov 17 '21 at 18:03

11 Answers

72

You say you want the browser to suggest a recognizable (which I take to mean coherent) phrase. Have you thought about how a browser would implement that? The browser cannot keep a long list of such phrases, because for the list to be even remotely secure, it would have to be ridiculously large. If the browser tries to use some sort of AI to create a coherent phrase on the spot, it would have to ensure that the algorithm does not have and does not develop any sort of bias. I'm not sure how hard of a task that is, but it's probably not worth the effort. Pulling the phrase from the internet would also not be acceptable to many people, for obvious reasons.

A more practical alternative would be to generate xkcd style passphrases. However, these will probably not be as memorable as you might want, especially when you have dozens of them, for all the different sites you have accounts on.

The only viable solution in the long run is to rely on password managers. And to a password manager, a complex password is a non-issue. So that's what the browsers do: suggest complex passwords that have enough entropy to resist all sorts of password guessing attacks, and then save them in the browser's built-in password manager.

nobody
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/131478/discussion-on-answer-by-nobody-why-are-passwords-generated-by-a-password-generat). – schroeder Nov 16 '21 at 09:16
  • Maybe point out that once you add in a password manager, maximizing entropy using every trick available only has advantages, and very few disadvantages. – Aron Nov 16 '21 at 17:41
  • I think it would be worth mentioning the DiceWare method and generators like this one https://diceware.dmuth.org/ – frikinside Nov 17 '21 at 23:05
46

If we are talking about passwords generated by a password generator, the password:

  • needs to be generally applicable to any site, which means it should generate a password that would comply with most password complexity rules (a-zA-Z0-9!@#$%^&*())
  • does not need to be memorable, since the password manager will remember it for you
  • needs to be random enough not to be guessable

When suggesting a password approach to a person, then, yes, a phrase provides length while providing an increased chance of remembering it.

However, you introduce numerous problems when suggesting a specific phrase for someone else as a service to everyone (as is the case in a password manager):

  • what might be memorable for one person might not be memorable for another
  • not everyone speaks the same language or has the same level of literacy in a language
  • if you choose phrases from a specific source (like cliches or book quotes, like you used), then you make even a long password guessable once that source is known

A truly randomly generated string with a broad character space to pull from provides a less guessable password, even if everyone knows that that is how it is generated. And since the password manager remembers and enters it for you, it does not need to be memorable or easy to type.

schroeder
  • Some (many?) sites have maximum lengths, and you can fit more entropy in the allowed length with random characters than you can with random words. – stannius Nov 15 '21 at 16:10
  • This isn't necessarily a problem unique to this question, but the "symbols" requirements are usually contradictory between sites. What one site requires, another site forbids. – jrh Nov 15 '21 at 18:20
  • It would be interesting, @jrh to study how many passwords end in `!` because a "special" character is required... – FreeMan Nov 16 '21 at 12:33
  • @FreeMan those studies have been done. It's a very high percentage. Also ending in numbers starting at `1` – schroeder Nov 16 '21 at 12:37
  • @FreeMan it would seem to me that sites choose nearly at random what special characters to support and not to support, some don't allow spaces, some don't allow `_`, some don't allow samples from ``!@#$%^&*()[]{}<>:;,.'"/?`~=+\|`` which I would think would be the **bare minimum** for any site supporting English, let alone passwords. And yet even the old `A-Z,a-z,0-9,_,-` isn't a sure thing. I bet it's much worse for non-English speakers or cultures that operate entirely outside of the ASCII character set. I hope Japanese speakers don't have to learn the English alphabet just for this... – jrh Nov 16 '21 at 21:25
  • @schroeder is there a link for those studies? I even couldn't download the pwned passwords without their SHA-1. How did they perform it? – kelalaka Nov 16 '21 at 22:20
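The first bullet of this answer (a generated password has to satisfy most sites' complexity rules while staying random) is what a browser generator actually has to implement. The following is an added example, not code from the answer or from any browser: it draws uniformly from the character set listed above with Python's `secrets` module, rejects candidates that miss a class, and quantifies how little entropy that rejection costs. The class definitions and lengths are my assumptions.

```python
import math
import secrets
import string
from itertools import combinations

# Character classes most complexity rules demand at least one of; the set is
# the one listed in the answer (a-zA-Z0-9!@#$%^&*()). Classes must be disjoint.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()"
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)
ALPHABET = "".join(CLASSES)


def meets_policy(password: str, classes=CLASSES) -> bool:
    """True when the password contains at least one character from every class."""
    return all(any(c in cls for c in password) for cls in classes)


def generate_password(length: int = 16, classes=CLASSES) -> str:
    """Uniform draws from the union of the classes via the CSPRNG, retried until
    every class is present (rejection sampling).

    Rejection keeps every accepted string equally likely. The common shortcut
    (force one character per class into the string, then shuffle) is not uniform
    and gives an attacker more structure than the policy alone already does.
    """
    if length < len(classes):
        raise ValueError("length too short to contain every required class")
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, classes):
            return candidate


def acceptance_rate(length: int, classes=CLASSES) -> float:
    """Probability that a uniformly random string of `length` passes the policy,
    by inclusion-exclusion over the subsets of classes that could be missing."""
    n = sum(len(cls) for cls in classes)
    total = 0.0
    for k in range(len(classes) + 1):
        for missing in combinations(classes, k):
            excluded = sum(len(cls) for cls in missing)
            total += (-1) ** k * ((n - excluded) / n) ** length
    return total


def entropy_bits(length: int, classes=CLASSES) -> float:
    """Entropy of the unconstrained generator: length * log2(alphabet size)."""
    return length * math.log2(sum(len(cls) for cls in classes))


def effective_entropy_bits(length: int, classes=CLASSES) -> float:
    """Entropy after rejection: accepted strings stay equiprobable, so it is
    log2(number of accepted strings) = raw bits + log2(acceptance rate)."""
    return entropy_bits(length, classes) + math.log2(acceptance_rate(length, classes))


if __name__ == "__main__":
    for length in (8, 12, 16, 20):
        pw = generate_password(length)
        print(f"{pw}  policy_ok={meets_policy(pw)}  "
              f"raw={entropy_bits(length):.1f} bits  "
              f"effective={effective_entropy_bits(length):.1f} bits  "
              f"accept={acceptance_rate(length):.3f}")
```

For a 16-character password over these 72 symbols the policy rejects under a fifth of candidates, so the "must contain one of each" rule costs well under half a bit of the roughly 98.7 bits the raw generator provides.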
17

Recognizable phrases tend to have low entropy, so dictionary attacks against them would work the same way they work against recognizable passwords.

But a very similar approach has been implemented in Diceware. Initially that was just a word list containing 6**5=7776 easily pronounceable words. Next to each was a five-digit number, and you would roll a die 5 times and look up the corresponding word. That provides about 13 bits of entropy per word, so a 5 or 6 word phrase would be good enough for most applications.

Diceware never really caught on, and I think for the reasons schroeder lists in his answer. In particular, sites have mandated password complexity rules that prioritize the use of special characters over actual randomness. Most of these consider Pre$iden! a good password, but reject SymptomUndertookSubprimeSelectorNuzzleReveal, although the former is no problem for dictionary attacks, and the latter has 77 bits of entropy.

wallenborn
  • Diceware + leetspeak works pretty well for passwords I have to type in non-browser applications: `$ympt0m Undert00k...` – Karl Bielefeldt Nov 15 '21 at 14:05
  • `for i in {1..10}; do diceware -n 4 --delim \; ; done` – Ross Presser Nov 15 '21 at 15:21
  • Quantitatively supporting your point, one estimate of the entropy of English sentences is less than 1.75 bits per letter: https://www.ling.upenn.edu/courses/cogs502/BrownEtAl.pdf. So a randomly generated (not quoting a book) English sentence that's 49 letters long has an entropy less than 85.75 bits. By my count, there are 16 printable ASCII characters, so if you generate those from a uniform distribution, your entropy is log2(96)=6.57 bits per letter. 16 characters of that has an entropy of 105 bits. 2^(105-85.75)=623487, so that's over 600 thousand times better. – Jetpack Nov 16 '21 at 05:20
  • @Jetpack I suppose you meant 96 printable ASCII characters rather than 16. I'm pretty sure quite a few of those are not universally usable, though, including space, DEL (0x7f), and in some cases things like `<>&'. Some are even more restrictive in what "symbols" they accept. But the order of magnitude is probably the same. – jcaron Nov 16 '21 at 10:48
  • @jcaron, actually I meant 95. log2(95)=6.57. You make a good point that the actual useful alphabet size is somewhat smaller than that on a lot of sites. – Jetpack Nov 16 '21 at 15:22
  • Leetspeak works well for complying with password requirements, but does very little to actually increase entropy. – Mark Booth Nov 17 '21 at 14:43
10

I would like to question your assumptions.

the sheer length (49 characters) should also make it impossible to crack, but because it's a recognizable phrase it's also much easier to remember.

  • A long password does not make it impossible to crack.

    A long random password is hard to crack, but a long password from a short list is easy to crack as soon as the list is known. Note that in your example you use a pass phrase which is an actual known sentence, not even a random list of words, so the list will nearly necessarily be short, especially if you want sentences that are highly rememberable (famous quotes and the like).

    If you remove the requirement for the pass phrase to actually make sense/be highly memorable, being a random combination of words from a large dictionary (like the famous correct horse battery staple), then it does indeed become hard to crack. That's the principle of diceware.

    This is a common error: there is no entropy in a password. There is entropy in the way a password is generated. abcdef does not have an entropy of 6*log2(26) bits. A password-generation tool which generates a random 6-lowercase-letter password provides 6*log2(26) bits of entropy.

    Likewise, AllThatIsGoldDoesNotGlitterNotAllWhoWanderAreLost does not have 49*log2(52) bits of entropy if the attacker is able to determine how it was generated (and then it has log2(number of phrases in the tool) bits of entropy).

  • Is that password really easy to memorise?

    If you were generating a single password for use everywhere, possibly, but that is now known to be a very bad idea. If the browser generates a hundred such phrases for the hundred sites you create accounts on, will you really remember each one of them? That’s the whole reason we now use password managers which will not only create but most importantly remember all those passwords for you.

So the premise is flawed. In addition you have to face issues with sites having limited length for passwords, and sites which require multiple classes of characters (lower, upper, digits, symbols), which makes most sentences unusable.

jcaron
  • On the 2nd point, it's worth pointing out the benefit of a hybrid approach. Personally I use a password manager but I also have a few diceware generated passwords for low-value sites that I may frequently want to access without my password manager (e.g. when on someone else's machine). In particular, it is sensible to memorise the password for your email account since you can use that in an emergency to reset a lot of other passwords. Depending 100% on your password manager is itself a security risk as it is a single point of failure. – Jon Bentley Nov 16 '21 at 10:41
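To make concrete the point that entropy lives in the generation process rather than in the password, and the Diceware mechanics described in wallenborn's answer further up, here is an added Python example that is not code from either answer: it maps dice rolls to a word-list index, builds a passphrase with the CSPRNG, and computes the bits each generation method yields. The six-word list is constructed for a single die; a real Diceware list has 6**5 = 7776 entries, and the quote-pool size used below is a hypothetical figure.

```python
import math
import secrets

# Constructed toy list sized for one die (6 entries). A real Diceware list has
# 6**5 = 7776 entries, one for every five-dice roll from 11111 to 66666.
TOY_LIST = ("correct", "horse", "battery", "staple", "nuzzle", "reveal")


def roll_dice(count: int) -> tuple:
    """Roll `count` fair dice with the CSPRNG, returning faces 1..6."""
    return tuple(secrets.randbelow(6) + 1 for _ in range(count))


def roll_to_index(rolls) -> int:
    """Map a roll such as (1, 1, 1, 1, 2) to a 0-based index: the faces are
    base-6 digits, so 11111 -> 0 and 66666 -> 7775."""
    index = 0
    for face in rolls:
        if not 1 <= face <= 6:
            raise ValueError(f"not a die face: {face}")
        index = index * 6 + (face - 1)
    return index


def diceware_lookup(wordlist, rolls) -> str:
    """Manual Diceware lookup. The list must hold exactly 6**dice words; otherwise
    the roll either runs past the list or (with modulo) favours some words."""
    if len(wordlist) != 6 ** len(rolls):
        raise ValueError("word list size does not match the number of dice")
    return wordlist[roll_to_index(rolls)]


def passphrase(wordlist, n_words: int, sep: str = " ") -> str:
    """Draw n_words uniformly, with replacement, from a list of any size.
    secrets.choice is unbiased for any length, so no dice constraint applies."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(draws: int, choices: int) -> float:
    """Entropy of a generation process: `draws` independent uniform picks from
    `choices` options. draws=1 covers 'pick one phrase from a list of N quotes',
    which is all an attacker who knows the list has to search."""
    return draws * math.log2(choices)


def equivalent_random_chars(bits: float, alphabet_size: int) -> int:
    """Shortest uniformly random string over `alphabet_size` symbols that
    carries at least `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


if __name__ == "__main__":
    roll = roll_dice(1)
    print("die:", roll, "->", diceware_lookup(TOY_LIST, roll))
    print("toy phrase:", passphrase(TOY_LIST, 4, sep="-"))
    for label, draws, choices in (
        ("6 Diceware words from a 7776-word list", 6, 7776),
        ("5 words from a 100k-word dictionary", 5, 100_000),
        ("one phrase from a hypothetical pool of 1e9 quotes", 1, 10**9),
        ("16 random lowercase letters", 16, 26),
        ("37 random printable ASCII characters", 37, 94),
    ):
        bits = entropy_bits(draws, choices)
        print(f"{label}: {bits:.1f} bits, "
              f"~{equivalent_random_chars(bits, 94)} random chars from 94")
```

The numbers reproduce the figures quoted on this page (about 77 bits for six Diceware words, 83 for five words from a 100k dictionary, 242 for 37 printable characters), and show why a 49-letter quote chosen from a finite pool scores only log2(pool size).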
10

Don't be “clever”. An obscure reference you come up with could be less obscure than you think. For example, your offered passphrase is a quote from JRR Tolkien's The Fellowship of the Ring and is therefore not strong enough (a persistent and well-informed attacker will crack that in days at the longest). Don't hide behind perceived obscurity; passphrases are just like passcodes: they need to be random. You wouldn't have a passcode of abcdef123 or 1qaz2wsx (look at a qwerty keyboard), would you?

If a Google query for your password (quoted & de-0bfuscated) might get hits, it is weak.
(This does not mean that a lack of Google hits denotes a strong password.)

Use a password generator. Many pw generators have an option for pass phrases. For example, I just opened Bitwarden and generated nerd-shifting-porous-naming-dictation as a password.

Password managers remove the need for memorable passwords. Assuming a dictionary size of 100k words, a five-word passphrase has an entropy of log₂(100,000⁵) = 83. That's pretty good, but for 37 characters of fully random ASCII printable characters, log₂(94³⁷) = 242. You might as well go with the stronger one.

Passphrases don't satisfy complexity requirements most of the time. Most passphrases don't contain the necessary capital letter, number, and symbol. Password generators ensure there's at least one of each of those when they make a code but not when they make a phrase.

Maximum password lengths are incompatible with passphrases. Also be aware that some systems have an unreasonably short length limit on passwords—for no valid reason (I understand limits like 128 characters, I am stymied by limits like 12). If you're limited to even 20 characters, a passphrase won't provide much security.

Adam Katz
  • *a persistent and well-informed attacker will crack that in days at the longest* How would the attacker know I have taken a quote from Lord of the Rings? A priori, it could be anything. – Allure Nov 15 '21 at 23:40
  • By including a list of quotes in its brute force dictionary. A thorough attacker would also supplement their dictionary with every ~word found on your computer. Attackers can check _billions_ of passwords —per node— a second, so an archive of tens of billions of quotes doesn't really cost much to throw into the brute force attempt. – Adam Katz Nov 15 '21 at 23:47
6

A couple reasons come to mind,

  • Locale

For a non-native English speaker, a long English string may look dissimilar to the shorter random assortment, but now they have to find a way to enter or store this longer string that is just as confusing as the alternative.

  • Appearance of security

To a non-tech-savvy person, the assortment would appear more secure since it's harder to remember, and their most likely form of attack would be an over-the-shoulder attack.

Sayse
6

The other answers have mostly answered the question. However, there is one reason that is missing from all of them: Most websites set a very low limit on the password's length. Length restrictions of 12, 16, or 30 characters are common.

In my experience, banks are particularly guilty of this, sometimes even limiting the password's length to 8 characters. The German bank group Sparkasse even used to have a 5-character password length limit (yes, that was the upper bound, not the lower bound).

With length restrictions this low being commonplace, passphrases are not really feasible because you cannot fit more than 5 or so words. In the case of one particularly bad banking group, you might not even be able to fit the first word that comes to your mind.

Even if websites allow longer passwords, I have experienced two problems with long passwords on several websites (I'm still storing passphrases in my password manager so I cannot just have mistyped/misremembered these passphrases):

  • Some websites allow you to set a long password but then don't allow you to log in.
  • Some websites allow you to use a long password and it works fine for several months but then they make a change to their system that causes logins with a long password to fail.

Password generators try to get as close to a one-size-fits-all solution as possible. This means that the passwords generated cannot be particularly long, or the user is going to be frustrated when the suggested password ends up not being accepted by the website.

UTF-8
  • I despise sites that do this. – Shadow Nov 16 '21 at 04:01
  • To add to your examples, one site I use gives the *appearance* of accepting my long password. After years of use, I accidentally logged in without typing the last character and it worked. A bit of experimenting revealed that both the registration page and login page were truncating the last few characters without showing any sign of doing so on the UI. – Jon Bentley Nov 16 '21 at 10:52
  • I can confirm what @JonBentley said. In fact, it fits my examples quite well because Sparkasse actually did this for some time before finally accepting passwords that are a bit longer than 5 characters. If you had chosen "armor ten vintage below lunch age business habit just clarify vintage" as your password, your password in fact would only have been "armor" which could easily be guessed whereas the password you actually chose would've been almost impossible to guess. – UTF-8 Nov 16 '21 at 14:07
4

Password generators can already do this, yours is just not very good. Keepass has had a passphrase function for ages:

[screenshot of the KeePass passphrase generator; not reproduced]

Many other password generators have also supported passphrases for a long time now, it's not exactly a new idea. Apparently only your browser's developer didn't get the memo, probably because they expect that people who are knowledgeable enough to care about such things would use a dedicated password manager anyway, instead of relying on the browser's built-in feature.

One practical problem with passphrases is that many authentication systems require you to include numbers and symbols in your passwords, and sometimes have very short maximum lengths (16-32 chars).

The sheer length (49 characters) should also make it impossible to crack

This is only true if hackers are aliens from Mars who have never been on the internet. It's common knowledge by now that people use passphrases. If someone were to brute force your password, they can just try combinations of words.

Notice how keepass in the example above takes this into account and reports only 129 bits, which is similar to the strength of a much shorter password made up of 22 random characters.

Artimithe55
3

To answer your main question: the reason they suggest a mix of letters and numbers is that it's much easier to program a password generator that is great at spitting out random characters rather than complex word phrases that never repeat. Also, the likelihood of another person using the random characters in the same sequence is almost impossible after a certain number of characters.

The benefit of you using phrases is that they are somewhat memorable and you can make them unique to your situation or platform.

The biggest thing that is at play here is brute force vs targeted attacks. If someone is targeting you then you have to be very careful how you create your passwords because you can't show any patterns. This applies to breaches. As a target you never want to use the same format that you used in a breach or discovery.

Bonus info: cryptocurrency wallets rely on 12-word seed phrases to secure your wallet and account, which goes to show that phrases are a great solution if you can keep those phrases truly secure.

  • `shuf -n 2 adjectives.txt; shuf -n 1 nouns.txt; shuf -n 1 verbs.txt; shuf -n 1 adverbs.txt` -- there you go, a passphrase generator that's great at spitting out complex word phrases that never repeat. How about "mixed financial buyer portrays seriously" as your next passphrase? Or perhaps "medical everyday shock engages relatively"? – Mark Nov 15 '21 at 21:47
1

The code generating a random-character password is short, simple and comprehensible. It does not depend on external data or libraries. A good start when you try to make it secure.

Code that is expected to generate phrases will be more complex and will require access to an external dictionary database (and probably even a grammar rules database). Quite a few points of failure one cannot control to an acceptable extent:

  1. The common dictionary databases were never meant to be used in a security-related context in the first place. They are maintained with different goals in mind and a different level of supply-chain management, by different kinds of people.

How about tampering with the dictionary and supplying far fewer words when accessed with particular settings?

I am not even going to open the can of worms that the grammar rules are.

  2. File/database access when generating a phrase. A whole lot of a dependency stack in itself. Well, those things are usually intended to be secure, but they quickly add complexity. Like, e.g. memory management.

  3. The phrase will get long and of variable length, requiring different memory management in itself. Prone to errors.

etc, etc...

fraxinus
-2

One reason mentioned a few times throughout the comments but (seemingly) not explicitly addressed yet is the requirements. Specifically, that requiring short passwords including a mix of all kinds of characters is nonsensical from the security perspective as it actually reduces entropy... But it has caught on specifically because of its social impact. As soon as you move on to phrases for passwords, two things will happen: any attack on the password generating software has a potential to become a money printing machine because the entropy will end up being quite low. All in all, this is an attempt at security by obscurity: as opposed to being forced to find the exact password, an attacker would feasibly get a lot of passwords crackable by finding just a few weak points. Second, you'll end up having a good 30% of your users having GodBlessAmerica or something for a password: current security enforcement rules are often dumb, but they do serve a purpose, after all.

Lodinn
  • The question is not about password requirements, but about passwords ***generated*** by password generators. And your premise and conclusions are factually incorrect. – schroeder Nov 16 '21 at 15:52
  • @schroeder what good are password generators if they generate passwords one would not be able to use? Second, care to provide sources for the "factually incorrect" bit? – Lodinn Nov 17 '21 at 17:03