For actual encryption (disk encryption, WiFi) I make sure there's at least 128 bits, and I often find it easier to use the full ASCII there.
For things that are only online brute-forceable or susceptible to hacking anyway, I'm okay with 4 words out of a 6709-word dict (50 bits).
I remember from a security grad course to use four random word phrases. I think it was something about the entropy between # of characters and # of words. I thought that was pretty interesting. I previously thought random chars were a lot better.
It's all in the number of combinations. If you're drawing from a 20,000-word dictionary, that's 20,000^5. If you're selecting 12 letters from 95 printable characters, that's 95^12. You can adjust the number of words, and the size of the word list, to produce any equivalent number of combinations.
Yeah, however, an Oxford English dictionary has 170,000 words, so that would be 170,000^5. So it's bigger than 95^12.
Some very long words in the OED, and I don't know about you, but I have trouble spelling some of them reliably.
Yeah, I once tried using a full dictionary and the passwords came out as mostly words I didn't even know, LOL. I eventually settled on this list: github.com/defuse/passgen/bl…
Wouldn't (in theory) choosing simple words be as effective as complicated ones? I know it would suck in practice, because most attackers would use brute-force attacks with chars and not words 😅
As long as you're choosing from a sufficiently high number of words, and truly choosing randomly, what the words are doesn't matter.
That passgen wordlist is 7236 words. Six words from that wordlist would be a sufficient possible number of combinations to resist a lot of hardware trying to attack a very fast hash (like MD5), and would be equivalent to a 12-char random-char password.
wolframalpha.com/input/?i=72…
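The arithmetic in this thread, worked through as an added example (not code from the thread or from the passgen project): it computes the bit strength of the word-count and character-count figures quoted above and picks words with a CSPRNG. The eight-word list is a constructed stand-in for the 7236-word passgen list, so only the list size is the thread's; the hypothetical helpers `entropy_bits`, `picks_needed` and `passphrase` are mine.

```python
import math
import secrets

PRINTABLE_ASCII = 95  # printable ASCII characters, as in the thread's 95^12 figure


def entropy_bits(pool_size: int, picks: int) -> float:
    """Entropy of `picks` independent, uniform selections (with replacement)
    from a pool of `pool_size` symbols: log2(pool_size ** picks)."""
    return picks * math.log2(pool_size)


def picks_needed(pool_size: int, target_bits: float) -> int:
    """Smallest number of selections from the pool that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(pool_size))


def passphrase(wordlist: list, n_words: int) -> str:
    """Pick n_words uniformly at random using the `secrets` CSPRNG, with
    replacement, so the strength is exactly n_words * log2(len(wordlist)).
    A plain `random.choice` would not be suitable here: it is not a CSPRNG."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


# Constructed sample list; a real passphrase needs a list of thousands of words.
SAMPLE_WORDS = ["apple", "bridge", "candle", "delta",
                "ember", "forest", "granite", "harbor"]

if __name__ == "__main__":
    # Figures quoted in the thread
    print(f"4 words, 6709-word list : {entropy_bits(6709, 4):.1f} bits")      # ~50.8
    print(f"6 words, 7236-word list : {entropy_bits(7236, 6):.1f} bits")      # ~76.9
    print(f"12 printable ASCII chars: {entropy_bits(95, 12):.1f} bits")       # ~78.8
    print(f"5 words, 20,000-word list : {entropy_bits(20000, 5):.1f} bits")   # ~71.4
    print(f"5 words, 170,000-word list: {entropy_bits(170000, 5):.1f} bits")  # ~86.9
    # How much is needed for the 128-bit target mentioned for disk/WiFi keys
    print(f"128 bits: {picks_needed(7236, 128)} passgen words "
          f"or {picks_needed(PRINTABLE_ASCII, 128)} printable ASCII chars")   # 10 / 20
    # Sample passphrase from the constructed list (only 3 bits per word here)
    print(passphrase(SAMPLE_WORDS, 6))
```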