My workplace has finally gone to passphrases and 1 year password life, which is nice as it’s a password I often need to type, so I’d rather 20 easy to type and memorise chars than 16 random
The missleading thing about passphrases is that anything a human can remember is low entropy. That it has 20 charachers says nothing about how random.
Edit: I also wonder how much randomness is really needed. Properly salted and hashed passwords shoud not need that much randomness. Lot of this is about users just choosing bad passwords, reusing, and IT not properly salting and hashingon their end.
Just compare the number of possibilities. Number of words to the 4th power to 94 to the 15th power. Your corpus would have to be 25 million words. In contrast, there are about 800K words in the english language and about 1000 commonly used words.
My workplace has finally gone to passphrases and 1 year password life, which is nice as it’s a password I often need to type, so I’d rather 20 easy to type and memorise chars than 16 random
The missleading thing about passphrases is that anything a human can remember is low entropy. That it has 20 charachers says nothing about how random.
Edit: I also wonder how much randomness is really needed. Properly salted and hashed passwords shoud not need that much randomness. Lot of this is about users just choosing bad passwords, reusing, and IT not properly salting and hashingon their end.
Are you sure you can’t make a high entropy memorable password?
My scheme pulls four words at random from a large corpus
Just compare the number of possibilities. Number of words to the 4th power to 94 to the 15th power. Your corpus would have to be 25 million words. In contrast, there are about 800K words in the english language and about 1000 commonly used words.