spiny approval avalanche uncouth tattoo
Are these generated passphrases suitable for use on more sensitive accounts? I'm currently using generated passwords with numbers and symbols (20+ characters) but this can be a bit of a pain when I need to input a password using my TV remote or dictate it to my partner. I don't have a great sense for what's easily crackable so it would be great to get some opinions from those more familiar with the cryptography space.
Password strength / entropy is all about how long it would take an attacker to brute force it. Practically, we think about this in terms of S(p) = number of possible tries / tries per second. This yields how long it would take an adversary to crack your password, in the worst case (that your password was the last possible guess).
The set size of all possible characters varies by system. But, typically, we see set sizes up to about 95 (lower case, upper case and special characters). Let's say everyone knows that bitwarden creates passphrases that are all lower case and have spaces. Passphrases use a word set of (let's say) 170,000.
Your (let's assume) 20 character password has a max number of guesses of 95^20 whereas bitwarden has a complexity of 170,000 (choose) 5. However, if the adversary didn't know you used bitwarden, the complexity would look more like 95^40. It's obvious that the more an adversary knows about your password, the faster they can guess it.
You can use a site like security(dot)org to determine how long it would take a computer to crack it (they don't really define what "A computer" is). In either case, either password would take longer than the existence of the universe, by far.
On a side note, I'd love to see a "How secure is my password?" that calculates the cloud compute cost of cracking the password, say in a year. It would be cool to know it would take $5,000,000,000,000,000,000... to crack your password in a year.
If an attacker can make unlimited login requests to a service, then longer passwords are always safer than shorter but more complex passwords.
If an attacker has a copy of a service's hashed passwords, the same is also true.
If an attacker is physically looking over your shoulder, a passphrase may be easier to remember than random letters, digits, and symbols.
If an attacker is a nation-state with a quantum computer and an unlimited budget - they'll probably find a different route into your account.
I would say that passwords are rarely "cracked". People tend to either use one of the top 10,000 common passwords, or reuse the same "secure" password on multiple sites. If you are outside of that low-hanging-fruit, why would someone expend resources on you?
As for the use cases of typing into a TV, use the activation link option instead (like myStreamingService.tld/activate and enter the 4-6 character code using your laptop's or phone's browser).
When you can't do that, use a simpler passcode (e.g. an 8 or 10 digit number that's easier to navigate to).
Your Netflix account is not "sensitive" - your bank account is :)
I will not be remembering those passwords anyway so there is no need for them to be human readable.
spiny-approval-avalanche uncouth-tattoo
If Bitwarden default is not safe, the software should not be used.