Increasing the entropy of passphrases AND keeping them easy (enough) to remember

Here are some ideas about enhancing Bitwarden’s Passphrase Generator to increase the entropy of passphrases AND make them a bit more resistant to dictionary attacks and any patterns that are currently present. I hope that the resulting passphrases are still easy enough to remember for humans.

I have numbered the options for generating passphrases so that options 1 and 2 are the options in the generator at present. I don’t consider the selection of the number of words to be a true “option” because a minimum of 3 is mandatory, but I at least gave it a digit in the list as “0”.

  0. Select the number of words
  1. Current Option: Capitalize
  2. Current Option: Include number
  3. New Option “Add Salt” adds a randomly generated 4 to 6 character hexadecimal value to a passphrase, with randomized (a) ALL UPPERCASE or (b) all lowercase for the alpha digits. The salt is randomly placed among the words in the passphrase.
  4. New Option to capitalize (b) one randomly selected letter in every word, or (c) one single randomly selected letter among all words, or (d) one randomly selected entire word, not just (a) the first letter in each word. Actually, I think it would be fine if this option 4 were just variants of the current Capitalize option.
  5. Enhance the word list to include non-English words; the more obscure the languages the better.

In a demonstration of how these options would work, here are the results from a 4-word passphrase…

  1. No options selected for a 4-word passphrase: depose.revenge.debating.configure
  2. Only option 1 selected: Depose.Revenge.Debating.Configure
  3. Only option 2 selected: depose.revenge.debating.configure1
  4. Both options 1 AND 2 selected: Depose.Revenge.Debating.Configure1
  5. Only New option 3a selected: depose.revenge.debating.A254F5.configure
  6. Only New option 3b selected: depose.revenge.debating.a254f5.configure
  7. Only New option 4b selected: dEpose.reVenge.debatIng.configuRe
  8. Only New option 4c selected: depoSe.revenge.debating.configure
  9. Only New option 4d selected: depose.REVENGE.debating.configure
  10. Options 1 AND 2 AND 3a selected: Depose.Revenge.Debating.A254F5.Configure1
  11. Options 2 AND 3a AND 4a selected: Depose.Revenge.Debating.A254F5.Configure1
  12. Options 2 AND 3a AND 4b selected: depOse.revenGe.dEbating.A254F5.conFigure1
  13. Options 2 AND 3a AND 4c selected: depose.reveNge.debating.A254F5.configure1
  14. Options 2 AND 3a AND 4d selected: depose.REVENGE.debating.A254F5.configure1

It seems that a combination of options 1, 2, and 3 or 2, 3, and 4 ensure the greatest number of permutations. I would always include option 2 because option 3 “Add Salt” does not absolutely guarantee the inclusion of numbers in the salt value.

Thoughts, anyone?

@Squyd Welcome to the forum!

Passphrases are not susceptible to dictionary attacks, if the number of words used is sufficient for your application (typically 6–7 words for most applications).

While your suggestions would increase the entropy of the generated passwords, this would be at the expense of making memorization more difficult and less robust. Manually typing passwords that incorporate your suggestions would also become more difficult.

Because passphrases should only be used for credentials that must be committed to memory, manually typed, or communicated verbally, the entropy benefits associated with mangling the passphrase do not typically outweigh the disadvantages resulting from the increased difficulty in memorizing and manually typing the password.

If you are concerned about the entropy of a passphrase, you should just increase the passphrase length by one or two words. This will be more effective than any of the ideas that you have proposed, while making it as easy as possible to memorize and type the passphrase.

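To put numbers on the trade-off discussed in both posts above, here is an added back-of-the-envelope calculation (example code written for this thread, not Bitwarden's generator and not from either poster). It models each proposed option as the original post describes it and compares the bits gained with simply adding words; it assumes a 7776-word list (the size of the EFF long list) and an attacker who knows the generator and the list.

```python
import math

# Assumptions of this example: a 7776-word list (the size of the EFF long
# list) and an attacker who knows the generator and the list.
WORDLIST_SIZE = 7776
SALT_LENGTHS = (4, 5, 6)      # "Add Salt" proposal: 4 to 6 hex characters
P_NO_CASE = 10 / 16           # a hex character is 0-9, so case cannot show

def word_bits(n_words, list_size=WORDLIST_SIZE):
    """Entropy of n words drawn independently and uniformly from the list."""
    return n_words * math.log2(list_size)

def salt_bits(n_words):
    """'Add Salt' (option 3): length uniform over 4-6, uniform hex characters,
    a coin flip for all-upper/all-lower, and a uniform slot among the n+1
    gaps around the words. Shannon entropy: a 4-character salt is as likely
    as a 6-character one, so the worst case is weaker than this average."""
    k = len(SALT_LENGTHS)
    char_bits = sum(4 * L for L in SALT_LENGTHS) / k      # 4 bits per hex char
    # The case flip only matters when the salt contains at least one letter.
    case_bits = sum(1 - P_NO_CASE ** L for L in SALT_LENGTHS) / k
    return math.log2(k) + char_bits + case_bits + math.log2(n_words + 1)

def capitalize_bits(words, variant):
    """Extra bits from the capitalization variants of option 4, conditioned on
    these particular words (the unconditional value averages over the list)."""
    lengths = [len(w) for w in words]
    if variant == "a":                      # first letter of every word:
        return 0.0                          # deterministic, nothing gained
    if variant == "b":                      # one random letter in every word
        return sum(math.log2(L) for L in lengths)
    if variant == "c":                      # one random letter among all words
        return math.log2(sum(lengths))
    if variant == "d":                      # one whole word uppercased
        return math.log2(len(words))
    raise ValueError(f"unknown variant {variant!r}")

def compare(words):
    """Bits each proposed option adds to this passphrase versus adding words."""
    n = len(words)
    return {"base passphrase": word_bits(n), "option 3 (salt)": salt_bits(n),
            "option 4b": capitalize_bits(words, "b"),
            "option 4c": capitalize_bits(words, "c"),
            "option 4d": capitalize_bits(words, "d"),
            "one more word": word_bits(1), "two more words": word_bits(2)}

if __name__ == "__main__":
    # The 4-word passphrase from the demonstration above.
    for name, bits in compare(["depose", "revenge", "debating", "configure"]).items():
        print(f"{name:>16}: {bits:6.2f} bits")
```

For the demonstration passphrase the salt comes out at roughly 24.8 bits, between the 12.9 bits of one extra word and the 25.8 bits of two, while every capitalization variant adds less than one extra word does.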