Hubbry Logo
PassphrasePassphraseMain
Open search
Passphrase
Community hub
Passphrase
logo
8 pages, 0 posts
0 subscribers
Be the first to start a discussion here.
Be the first to start a discussion here.
Passphrase
Passphrase
Passphrase
View on Wikipedia
from Wikipedia

Passphrase generator in Bitwarden

A passphrase is a sequence of words or other text used to control access to a computer system, program or data. It is similar to a password in usage, but a passphrase is generally longer for added security. Passphrases are often used to control both access to, and the operation of, cryptographic programs and systems, especially those that derive an encryption key from a passphrase. The origin of the term is by analogy with password. The modern concept of passphrases is believed to have been invented by Sigmund N. Porter in 1982.[1]

Security

[edit]

Source:[2]

Considering that the entropy of written English is less than 1.1 bits per character,[3] passphrases can be relatively weak. NIST has estimated that the 23-character passphrase "IamtheCapitanofthePina4" contains a 45-bit strength. The equation employed here is:[4]

4 bits (1st character) + 14 bits (characters 2–8) + 18 bits (characters 9–20) + 3 bits (characters 21–23) + 6 bits (bonus for upper case, lower case, and alphanumeric) = 45 bits

(This calculation does not take into account that this is a well-known quote from the operetta H.M.S. Pinafore. An MD5 hash of this passphrase can be cracked in 4 seconds using crackstation.net, indicating that the phrase is found in password cracking databases.)

Using this guideline, to achieve the 80-bit strength recommended for high security (non-military) by NIST, a passphrase would need to be 58 characters long, assuming a composition that includes uppercase and alphanumeric.

There is room for debate regarding the applicability of this equation, depending on the number of bits of entropy assigned. For example, the characters in five-letter words each contain 2.3 bits of entropy, which would mean only a 35-character passphrase is necessary to achieve 80 bit strength.[5]

If the words or components of a passphrase may be found in a language dictionary—especially one available as electronic input to a software program—the passphrase is rendered more vulnerable to dictionary attack. This is a particular issue if the entire phrase can be found in a book of quotations or phrase compilations. However, the required effort (in time and cost) can be made impracticably high if there are enough words in the passphrase and if they are randomly chosen and ordered in the passphrase. The number of combinations which would have to be tested under sufficient conditions make a dictionary attack so difficult as to be infeasible. These are difficult conditions to meet, and selecting at least one word that cannot be found in any dictionary significantly increases passphrase strength.

If passphrases are chosen by humans, they are usually biased by the frequency of particular words in natural language. In the case of four word phrases, actual entropy rarely exceeds 30 bits. On the other hand, user-selected passwords tend to be much weaker than that, and encouraging users to use even 2-word passphrases may be able to raise entropy from below 10 bits to over 20 bits.[6]

For example, the widely used cryptography standard OpenPGP requires that a user make up a passphrase that must be entered whenever decrypting or signing messages. Internet services like Hushmail provide free encrypted e-mail or file sharing services, but the security present depends almost entirely on the quality of the chosen passphrase.

Compared to passwords

[edit]

Passphrases differ from passwords. A password is usually short—six to ten characters. Such passwords may be adequate for various applications if frequently changed, chosen using an appropriate policy, not found in dictionaries, sufficiently random, and/or if the system prevents online guessing, etc.[citation needed], such as:

  • Logging onto computer systems
  • Negotiating keys in an interactive setting such as using password-authenticated key agreement
  • Enabling a smart-card or PIN for an ATM card where the password data (hopefully) cannot be extracted

But passwords are typically not safe to use as keys for standalone security systems such as encryption systems that expose data to enable offline password guessing by an attacker.[7] Passphrases are theoretically stronger, and so should make a better choice in these cases. First, they usually are and always should be much longer—20 to 30 characters or more is typical—making some kinds of brute force attacks entirely impractical. Second, if well chosen, they will not be found in any phrase or quote dictionary, so such dictionary attacks will be almost impossible. Third, they can be structured to be more easily memorable than passwords without being written down, reducing the risk of hardcopy theft. However, if a passphrase is not protected appropriately by the authenticator and the clear-text passphrase is revealed its use is no better than other passwords. For this reason it is recommended that passphrases not be reused across different or unique sites and services.

In 2012, two Cambridge University researchers analyzed passphrases from the Amazon PayPhrase system and found that a significant percentage are easy to guess due to common cultural references such as movie names and sports teams, losing much of the potential of using long passwords.[8]

When used in cryptography, commonly the passphrase protects a long machine generated key, and the key protects the data. The key is so long a brute force attack directly on the data is impossible. A key derivation function is used, involving many thousands of iterations (salted & hashed), to slow down password cracking attacks.

Passphrases selection

[edit]

Typical advice about choosing a passphrase includes suggestions that it should be:[9]

  • Long enough to be hard to guess
  • Not a famous quotation from literature, holy books, et cetera
  • Hard to guess by intuition—even by someone who knows the user well
  • Easy to remember and type accurately
  • For better security, any easily memorable encoding at the user's own level can be applied.
  • Not reused between sites, applications and other different sources

Example methods

[edit]

One method to create a strong passphrase is to use dice to select words at random from a long list, a technique often referred to as diceware. While such a collection of words might appear to violate the "not from any dictionary" rule, the security is based entirely on the large number of possible ways to choose from the list of words and not from any secrecy about the words themselves. For example, if there are 7776 words in the list and six words are chosen randomly, then there are 7,7766 = 221,073,919,720,733,357,899,776 combinations, providing about 78 bits of entropy. (The number 7776 was chosen to allow words to be selected by throwing five dice. 7776 = 65) Random word sequences may then be memorized using techniques such as the memory palace.

Another is to choose two phrases, turn one into an acronym, and include it in the second, making the final passphrase. For instance, using two English language typing exercises, we have the following. The quick brown fox jumps over the lazy dog, becomes tqbfjotld. Including it in, Now is the time for all good men to come to the aid of their country, might produce, Now is the time for all good tqbfjotld to come to the aid of their country as the passphrase.

There are several points to note here, all relating to why this example passphrase is not a good one.

  • It has appeared in public and so should be avoided by everyone.
  • It is long (which is a considerable virtue in theory) and requires a good typist as typing errors are much more likely for extended phrases.
  • Individuals and organizations serious about cracking computer security have compiled lists of passwords derived in this manner from the most common quotations, song lyrics, and so on.

The PGP Passphrase FAQ[10] suggests a procedure that attempts a better balance between theoretical security and practicality than this example. All procedures for picking a passphrase involve a tradeoff between security and ease of use; security should be at least "adequate" while not "too seriously" annoying users. Both criteria should be evaluated to match particular situations.

Another supplementary approach to frustrating brute-force attacks is to derive the key from the passphrase using a deliberately slow hash function, such as PBKDF2 as described in RFC 2898.

Main article: Key stretching

Windows support

[edit]

If backward compatibility with Microsoft LAN Manager is not needed, in versions of Windows NT (including Windows 2000, Windows XP and later), a passphrase can be used as a substitute for a Windows password. If the passphrase is longer than 14 characters, this will also avoid the generation of a very weak LM hash.

Unix support

[edit]

In recent versions of Unix-like operating systems such as Linux, OpenBSD, NetBSD, Solaris and FreeBSD, up to 255-character passphrases can be used.[citation needed]

See also

[edit]

References

[edit]
[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

Passphrase

View on Grokipedia
from Grokipedia
A passphrase is a sequence of words, phrases, or other text elements used to authenticate a user's identity or access to a computer system, program, or data, functioning as a memorized secret in processes. Unlike traditional passwords, which are often short strings of mixed characters, passphrases derive their strength primarily from length, typically comprising multiple words to create a longer that is easier for humans to remember while resisting brute-force attacks. They are employed in various contexts, including single-factor at low assurance levels and as components of for higher requirements. The modern concept of the passphrase was introduced by Sigmund N. Porter in 1982, who proposed it as an extension to conventional passwords to improve both and by leveraging longer, meaningful sequences hashed into keys. Porter's approach emphasized that passphrases could expand the effective keyspace—up to 64 bits or more—while remaining memorable due to their linguistic structure, addressing the limitations of short, complex passwords that users often forget or write down insecurely. This innovation gained traction in cryptographic applications, such as (PGP) software, where passphrases protect private keys, and has since become a standard recommendation in cybersecurity guidelines. Passphrases offer significant security advantages over shorter passwords, primarily through increased from length, making them more resistant to attacks, offline cracking, and . Authoritative sources like the National Institute of Standards and Technology (NIST) recommend minimum lengths of 8 characters for multi-factor scenarios and 15 for single-factor use, with support for up to 64 characters to encourage robust passphrases without composition rules that complicate memorization. Similarly, the Canadian Centre for Cyber Security advocates passphrases as preferable to random-character passwords, noting their ease of recall when based on personal or random word combinations, while the U.S. (CISA) and (FBI) stress using passphrases exceeding 15 characters to enhance protection against automated guessing. Best practices include avoiding common phrases, incorporating numbers or symbols if permitted, and checking against blocklists of compromised credentials to mitigate risks.

Fundamentals

Definition

A passphrase is a memorized secret consisting of a sequence of words or other text used by a claimant to authenticate their identity. Unlike shorter credentials, it is designed to be longer for improved security while remaining easier to remember through natural language patterns. Key characteristics of a passphrase include its typical length of 20 or more characters, often achieved by combining multiple words separated by spaces, though it may also incorporate symbols or random strings. Its primary uses are in access control for computing systems and as input for cryptographic key derivation processes. For instance, a simple passphrase might be structured as "correct horse battery staple," illustrating a space-delimited sequence of common words. In distinction from traditional passwords, which are usually compact strings of mixed characters without inherent meaning, passphrases leverage familiar words to enhance user recall without sacrificing overall strength. This approach prioritizes length over complexity for purposes.

History

The modern concept of a passphrase, defined as a sequence of words or other text used for authentication, originated with N. Porter's 1982 proposal to extend traditional passwords by employing memorable phrases of multiple words, aiming to balance security and in computer systems. Porter's work, published in Computers & Security, emphasized that such extensions could reduce user errors while maintaining resistance to guessing attacks, laying the groundwork for longer, phrase-based authenticators. In the late 1980s and early 1990s, passphrases gained traction through their integration into practical systems. The one-time password system, developed by Bellcore researcher Neil M. Haller and colleagues, adopted passphrases as seeds to generate disposable authentication tokens, with initial implementations appearing for operating systems around 1989 and formalized in RFC 1760 in 1995. Concurrently, the release of (PGP) in 1991 by introduced passphrases to protect private keys in , marking an early cryptographic standard where users derived symmetric keys from memorable phrases to secure asymmetric keypairs. These developments facilitated passphrase use in remote access and protocols during the 1990s. Key milestones further advanced passphrase methodologies. In 1995, Arnold G. Reinhold introduced , a technique for generating passphrases by randomly selecting words from a 7,776-word list using dice rolls, providing approximately 12.9 bits of per word to create secure yet recallable sequences. The National Institute of Standards and Technology (NIST) later evolved its guidelines, with the initial Special Publication 800-63B in 2017 recommending memorized secrets of at least eight characters (up to 64) over complex short passwords, prioritizing length for resistance to brute-force attacks; this was revised in 2020 and further updated in SP 800-63-4 (2025), which requires a minimum of 15 characters for single-factor authentication while permitting up to 64 characters. Post-2000, passphrases rose in popularity amid escalating password cracking threats from advancing computational power and widespread data breaches, as evidenced by significant growth in reported incidents from 136 in 2005 to 662 annually by 2010, prompting broader adoption in security recommendations to counter dictionary and offline attacks.

Security Aspects

Entropy and Strength

The security of a passphrase is fundamentally determined by its entropy, a measure from information theory that quantifies the uncertainty or randomness in the string, expressed in bits; higher entropy corresponds to greater resistance against brute-force and guessing attacks. For passphrases constructed as sequences of L independent words selected uniformly from a dictionary of size N, the total entropy H is calculated as H = L \times \log_2(N), assuming no dependencies between words. This formula provides an upper bound on strength when words are chosen randomly, as in methods like Diceware, where a standard wordlist of 7776 entries yields approximately 12.9 bits per word. In contrast, passphrases exhibit much lower due to linguistic predictability. Claude Shannon's seminal analysis of printed English estimated the per-character at approximately 1 bit, with refined bounds placing it between 0.6 and 1.3 bits per character when accounting for contextual dependencies over several letters. User-chosen passphrases, often resembling sentences or common phrases, thus inherit this low density, making even long strings vulnerable unless randomness is introduced. Estimating for such user-chosen passphrases remains challenging, as noted by the National Institute of Standards and Technology (NIST). Current NIST guidelines in SP 800-63B recommend minimum lengths of 15 characters for single-factor memorized secrets used in cryptographic authentication at Assurance Level 2 (AAL2) and 8 characters when part of , with support for up to 64 characters or more and no required composition rules to simplify creation while ensuring strength through length and rejection of common passwords via blocklists. Common phrases remain susceptible to dictionary attacks, where attackers exploit frequency lists of popular word combinations to reduce the effective search space dramatically—potentially cracking a predictable 4-word passphrase in far fewer trials than its nominal suggests. Mitigation relies on introducing , such as selecting uncommon words or using automated generators from large, diverse word pools, to approach the H = L \times \log_2(N). Key factors influencing passphrase strength include word length (longer words increase per-word via larger character pools), uniqueness (avoiding overused words to evade targeted attacks), and the absence of patterns (such as sequential or thematic sequences that reduce effective ). These elements collectively ensure that the passphrase's translates to practical security, prioritizing uniform selection over memorable but predictable structures.

Comparison to Passwords

Passphrases typically consist of 20-30 or more characters formed by concatenating multiple words or phrases, in contrast to traditional passwords, which are often limited to 6-10 characters comprising a mix of letters, numbers, and symbols. This extended length provides passphrases with significantly greater resistance to brute-force attacks, as the search space expands exponentially with each additional character, making exhaustive cracking computationally infeasible within practical timeframes. In terms of memorability, passphrases leverage human linguistic patterns by using sequences of meaningful words, such as "correct horse battery staple," which are far easier for users to recall over time compared to the random, non-semantic strings required for strong passwords like "K9p#mX2$vQ." This approach reduces and the need for frequent resets, thereby improving overall user compliance with security policies. However, passphrases are not inherently secure if poorly chosen; predictable selections, such as famous movie quotes or common idioms like "may the force be with you," can be as vulnerable to dictionary-based attacks as weak passwords, underscoring the importance of avoiding obvious or easily guessable content. In cryptographic applications, passphrases are often employed in key derivation functions like to generate robust encryption keys from user input, benefiting from their to enhance resistance against offline attacks, whereas shorter passwords may rely on direct hashing methods that are more susceptible if the hash is compromised.

Creation and Management

Selection Best Practices

Selecting a strong passphrase involves prioritizing , , and resistance to common guessing techniques to enhance while maintaining . Experts recommend aiming for a minimum of 15 characters for single-factor , as longer passphrases significantly increase resistance to brute-force and attacks by expanding the possible character . per account is essential; reusing passphrases across multiple services amplifies risks if one is compromised, potentially leading to widespread unauthorized access. Additionally, avoid basing passphrases on famous quotes, song lyrics, or publicly known phrases, as these are easily guessable through targeted attacks exploiting cultural knowledge. To ensure memorability without sacrificing strength, users can draw on personal associations, such as transforming a private or inside into a sequence of words, while modifying common phrases by substituting or reordering elements to obscure predictability. Incorporating numbers or symbols sparingly—such as replacing a letter in a word—can add variety if needed, but over-reliance on them often reduces recall without proportionally boosting . These strategies leverage human patterns, like or visualization, to create passphrases that are intuitive yet non-obvious to outsiders. Common pitfalls in passphrase selection include using standalone dictionary words, which are vulnerable to dictionary attacks that systematically test likely terms from language corpora. Sequential patterns, such as "1234" or alphabetical runs like "abcd," provide negligible and are among the first targets in automated cracking attempts. Drawing from personal information shared on , like pet names or birthdates, further exposes passphrases to social exploits where attackers piece together details from public profiles. Standards such as NIST Special Publication 800-63B emphasize length over arbitrary composition rules, advising against requirements for uppercase letters, numbers, or symbols that complicate memorization without clear benefits. Instead, verifiers should support passphrases up to at least 64 characters, including spaces, and screen new selections against lists of compromised or common passwords to prevent weak choices. This approach shifts focus from forced complexity to user-friendly, length-based security that discourages predictable selections. Effective management of passphrases includes using reputable password managers to generate, store, and autofill unique passphrases for each account, reducing the burden of memorization while enhancing security. NIST advises against routine periodic changes unless a breach is suspected, as frequent updates often lead to weaker choices.

Generation Methods

One prominent manual method for generating passphrases is the technique, developed by Arnold Reinhold in 1995. This approach involves using five rolls of a standard six-sided die to produce a five-digit number ranging from 11111 to 66666, which corresponds to one of 7,776 unique words in a predefined list. By repeating this process for multiple words—typically six—a passphrase is formed, such as "zany quantum lure goblin rift," providing approximately 77.4 bits of . The method emphasizes physical dice rolls to ensure true randomness, avoiding computer-based pseudorandom generators that may be predictable. Another technique relies on acronyms derived from memorable sentences or phrases to create passphrases. Users select a personal or meaningful sentence, then form the passphrase by taking the first letter of each word and optionally substituting numbers or symbols for added complexity. For instance, the sentence "My dog is five years old" could yield "MdI5yo!" where "five" is abbreviated numerically. This method leverages human memory for sentences while producing a string resistant to common attacks, though care must be taken to avoid publicly known examples that could reduce uniqueness. Random word combinations represent a broader algorithmic approach to passphrase generation, popularized by the 2011 comic illustrating the phrase "correct horse battery staple" as a secure yet memorable option. This involves selecting unrelated words from a large via a secure random number generator, often four or more words to balance length and recall. The comic's example highlighted how such multi-word sequences outperform short, complex passwords in per character, influencing subsequent tools and recommendations. Open-source tools facilitate algorithmic generation of passphrases through software interfaces. The provides a Diceware-inspired online generator using their 7,776-word list, allowing users to simulate dice rolls digitally while maintaining entropy standards. Similarly, Bitwarden's open-source includes a passphrase option that combines random words from curated lists, integrated within its browser extensions and apps for seamless creation and storage. These tools prioritize cryptographic randomness, often sourced from system pools, to produce unique passphrases without manual effort.

Implementation and Support

Operating Systems

Microsoft Windows has supported passphrases for user authentication since the Windows NT era, with the NTLM hashing mechanism allowing for Unicode strings up to 128 characters internally, though the logon interface traditionally limited input to 127 characters. Passphrases longer than 14 characters mitigate vulnerabilities associated with the legacy LAN Manager (LM) hash, as Windows does not compute or store an LM hash for such lengths, rendering it unusable for authentication and reducing exposure to attacks that exploit LM's weaknesses, such as case insensitivity and truncation to 14 characters. In Windows 10 and 11, credential providers have been enhanced to accommodate longer passphrase inputs, supporting up to 255 characters in modern configurations, particularly for features like Local Administrator Password Solution (LAPS) which explicitly enable passphrase generation and storage. To enforce extended lengths beyond the default 14-character policy limit, administrators can enable the "RelaxMinimumPasswordLengthLimits" registry setting under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, allowing minimum lengths up to 255 characters via Group Policy or direct registry modification. Unix-like operating systems, including modern distributions, , and macOS, provide robust native support for passphrases through the Pluggable Authentication Modules (PAM) framework, permitting lengths up to 255 characters in shadow password files (or equivalent in macOS Open Directory) and processes. This represents a significant from early Unix systems, which were constrained to an 8-character limit due to the original DES-based crypt algorithm that truncated longer inputs. In contemporary implementations, such as those using pam_unix, the effective maximum is governed by PAM_MAX_RESP_SIZE (512 bytes), but practical limits align with 255 characters to ensure compatibility across modules like pam_pwquality for quality checks. and macOS similarly support extended passphrases via PAM, with modules like pam_passwdqc defaulting to a 40-character maximum for policy enforcement but allowing up to 128 characters or more in underlying storage without inherent restrictions. Configuration for passphrase lengths in systems is typically managed through files like /etc/login.defs in , where PASS_MIN_LEN sets the minimum (default 5), while maximum lengths are controlled via PAM modules such as pam_pwquality in /etc/pam.d configurations or /etc/security/pwquality.conf, enabling administrators to specify minlen and maxlen values without needing legacy workarounds. For instance, setting "minlen = 14" in pwquality.conf enforces longer passphrases system-wide during password changes. In , similar adjustments occur in /etc/pam.d/system or login.conf, where local policies can relax or extend defaults to support modern security practices. In macOS, passphrase policies are managed via Open Directory and can be configured through Directory Utility or command-line tools like pwpolicy to enforce minimum lengths up to 255 characters. Despite these advancements, limitations persist in mixed environments involving legacy systems, where long passphrases may cause compatibility issues; for example, older Windows components or Unix variants relying on or DES crypt can fail authentication or truncate inputs, necessitating fallback to shorter lengths or protocol upgrades to avoid failures.

Cryptographic Applications

Passphrases play a central role in cryptographic key derivation, where they serve as input to specialized functions that transform human-readable strings into cryptographically secure keys. The algorithm, standardized in RFC 2898, uses the passphrase along with a salt to iteratively apply a pseudorandom function, such as HMAC-SHA256, producing a fixed-length key resistant to brute-force attacks through computational cost. This method is widely adopted for deriving symmetric keys in protocols requiring passphrase-based . Similarly, , selected as the winner of the 2015 for its resistance to side-channel and parallel hardware attacks, derives keys from passphrases by emphasizing memory usage alongside time and space costs, making it suitable for securing sensitive data in modern systems. In open-source cryptographic standards like OpenPGP, as defined in RFC 4880, passphrases are used to generate symmetric keys that encrypt private keys or message data, ensuring that even if the encrypted file is compromised, the passphrase protects access without relying on separate key files. Encrypted email services such as employ passphrase-derived keys to secure end-to-end communications, where the passphrase authenticates and encrypts user messages in transit and at rest. Password managers integrate passphrases as master secrets to unlock and derive encryption keys for stored credentials. In , the master passphrase, combined with salting, uses or to generate an encryption key that protects the entire vault, with recommendations for sufficient entropy, such as from a multi-word passphrase, to withstand offline attacks. Likewise, requires a master password (functioning as a passphrase) alongside a unique secret key to derive AES-256 encryption keys, emphasizing passphrase length and randomness for vault security. Within (MFA) frameworks, passphrases fulfill the "something you know" factor, providing the initial layer before secondary verifiers like tokens or are checked, as outlined in NIST SP 800-63B guidelines for . This integration enhances overall system by leveraging passphrase-derived challenges in protocols like TOTP. In applications, passphrases manifest as mnemonic phrases for recovery and key generation. adheres to BIP-39 standards, using 12- to 24-word passphrases derived from to generate hierarchical deterministic keys via with HMAC-SHA512, allowing users to recover access from the memorized phrase alone. For , services like AWS IAM support passphrases as console login credentials, enforcing minimum lengths of 8 characters but recommending longer phrases to meet thresholds for key derivation in access management. As of 2025, post-quantum cryptographic advancements underscore the enduring role of passphrases in hybrid schemes, where their entropy must suffice against reducing symmetric key search space by a quadratic factor, necessitating at least 256 bits for AES-256 equivalence without altering derivation functions like Argon2. Enhanced support in mobile ecosystems includes 18's integration of passphrase-biometric hybrids, where a numeric or alphanumeric passphrase backs up for fallback authentication and key derivation in Secure Enclave operations. Android 15 similarly bolsters passphrase use in credential storage, combining it with biometric prompts for app-level encryption via Keystore, ensuring seamless recovery in privacy-focused updates.

References

  1. https://pages.nist.gov/800-63-4/sp800-63b.html
  2. https://www.sciencedirect.com/science/article/pii/0167404882900256
  3. https://theworld.com/~reinhold/diceware.html
  4. https://www.cyber.gc.ca/en/guidance/best-practices-passphrases-and-passwords-itsap30032
  5. https://www.cisa.gov/news-events/news/choosing-and-protecting-passwords
  6. https://www.fbi.gov/contact-us/field-offices/phoenix/news/press-releases/fbi-tech-tuesday-strong-passphrases-and-account-protection
  7. https://csrc.nist.gov/glossary/term/passphrase
  8. https://cups.cs.cmu.edu/soups/2012/proceedings/a7_Shay.pdf
  9. https://it.ufl.edu/security/learn-security/passwords/
  10. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf
  11. https://xkcd.com/936/
  12. https://its.uiowa.edu/services/hawkid/what-difference-between-password-and-passphrase
  13. https://passwordresearch.com/papers/paper16.html
  14. https://www.rfc-editor.org/info/rfc1760
  15. https://www.varonis.com/blog/data-breach-statistics
  16. https://www.idtheftcenter.org/data-breaches/
  17. https://theworld.com/~reinhold/dicewarefaq.html
  18. https://mattmahoney.net/dc/entropy1.html
  19. https://pages.nist.gov/800-63-3/sp800-63b.html
  20. https://www.eff.org/deeplinks/2016/07/new-wordlists-random-passphrases
  21. https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-63b.pdf
  22. https://www.cfc.com/en-us/knowledge/resources/articles/2024/08/cyber-tips-passwords-and-passphrases/
  23. https://www.eff.org/dice
  24. https://bitwarden.com/password-generator/
  25. https://learn.microsoft.com/en-us/windows-server/security/kerberos/passwords-technical-overview
  26. https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password
  27. https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-management-policy-settings
  28. https://www.sikich.com/insight/how-to-enforce-long-passwords-with-over-14-characters-in-windows/
  29. https://specopssoft.com/blog/password-length-best-practices/
  30. https://support.apple.com/guide/security/password-security-seced1033/mac
  31. https://stackoverflow.com/questions/2179649/are-passwords-on-modern-unix-linux-systems-still-limited-to-8-characters
  32. https://www.man7.org/linux/man-pages/man8/pam_unix.8.html
  33. https://man.freebsd.org/cgi/man.cgi?query=pam_passwdqc
  34. https://linux-audit.com/authentication/configure-the-minimum-password-length-on-linux-systems/
  35. https://support.microsoft.com/en-us/topic/minimum-password-length-auditing-and-enforcement-on-certain-versions-of-windows-5ef7fecf-3325-f56b-cc10-4fd565aacc59
  36. https://www.silverfort.com/blog/understanding-the-security-risks-of-ntlm/
  37. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html
Add your contribution
Related Hubs
User Avatar
No comments yet.