I recently tried out a decentralized private messaging tool, it didn’t ask for my personal information to register.

Instead, it only asked me to create a username and set a password, after which it provided me with a mnemonic passcode. (I had never used a mnemonic passcode before, but I learned that it’s a web3 or decentralized type of thing.)

On their FAQ page says “The Mnemonic Passcode is your ONLY SOURCE of backup in a scenario where your device breaks down or becomes unusable due to any reason. In such cases, all you need is your Mnemonic Phrase to recover all your account information. It must be copied, screen-shotted, or written down and kept in a safe and secret place until it is needed.”

Does Mnemonic Passcode more secure than usual password? Plus, is there any other ways to keep you mnemonic phrase?

  • æjinei@lemmy.world
    link
    fedilink
    English
    arrow-up
    45
    arrow-down
    2
    ·
    1 year ago

    I tend to add them to my password manager, which funnily enough also has a recovery phrase which I just keep written down somewhere safe.

    xkcd comic regarding your question of pass phrases vs passwords.

    • Campa@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      5
      ·
      1 year ago

      Lmao, aren’t you doing the same thing for another round? But password manager do makes everything easier, I wonder is it decentralized as well? Cuz if it have a central server to keep all user’s passwords, it might not be safe tho.

      • 7Sea_Sailor@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        16
        ·
        1 year ago

        Classic password managers are not decentralized, and why would they be? If you’re worried about storing your credentials on one central server (the official one), there are plenty of very good options for selfhosting a password manager on your own infrastructure. I will always point out the Vaultwarden project, an implementation of the Bitwarden API thats very efficient on ressources and works near flawlessly with all apps and extensions. A wonderful addition to your homelab or VPS.

        • c1177johuk@lemmy.world
          link
          fedilink
          English
          arrow-up
          11
          ·
          1 year ago

          I can’t recommend KeepassXC enough. And it’s not even hosted either, it’s a simple keepassxc database file. Sharing it across devices is done using any file server or service you want to use.

          • kill_dash_nine@lemm.ee
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            After having gone to solutions that allow for simple and seamless password sharing between users, it’s hard for me to go back. Last I checked, none of the Keepass solutions could really seamlessly share passwords and have them update in some fashion without manual user intervention. That being said, I used it for a long time in my Dropbox and then Own/Nextcloud before moving to a password service, Lastpass and then Vaultwarden after the Lastpass security fumbles.

      • d3Xt3r@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        1
        ·
        1 year ago

        Instead of * warden, just use the tried and trusted KeePass, no need to run your own server. KeePassXC is a nice open-source alternative client, and KeePassDX is it’s Android equivalent. You can keep your password file in sync with other devices by using your favorite cloud backup or sync tool. The best part is, KeePass supports auto-type, which *warden and other cloud-based password managers don’t. Auto-type is handy when you want to input your password into a program that’s not a web page, or you’re accessing something via remote desktop etc.

    • Haui@discuss.tchncs.de
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      This exact comic was what led me to change my whole password philosophy. Since then, I have hundreds of easy to memorize but insanely long passwords. I love that comic.

      • Taringano@lemm.ee
        link
        fedilink
        English
        arrow-up
        4
        ·
        1 year ago

        I wish I could do that it every place apparently feels the need to invent a new requirement for password composition.

        1 symbol, then 2 symbols, then at least 2 numbers, then can’t have some “easy to guess words” in the middle (like wtf?) or require maximum of 12 characters. It’s so frustrating. It’s impossible to have a easy to remember passwords because all of them have to be slightly different depending on the case.

        And what pisses me off the most is they don’t tell me when I am. Authenticating “remember this one’s needs 2 symbols and at least 10 characters” or whatever.

        Sorry I get really worked up. About this.

        And the worst part is the least important the service the more requirements it has.

        • Haui@discuss.tchncs.de
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          Yes, tell me about it! The fact that services just do not tell you their requirement sometimes really sucks. I mean, if you cant do easy and you have a vault then you can go generated for those sites and done. I do have some site specific passwords too but mostly they’re easy to remember and insanely long.

          • its_pizza@sopuli.xyz
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            And then you use a generator and vault, but there’s some stupid caveat like “you can’t use the ^ character.”

      • lnxtx@feddit.nl
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        They are generated on the server’s side, not by JS.

        Use with caution.

        • glibg10b@lemmy.ml
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Thanks, I’ll stop using it. I don’t want my passwords to end up in some wordlist

    • chicken@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      It might be good enough for web passwords, but coming up with your own mnemonics is not truly secure because there are discoverable patterns in anything people come up with themselves, it isn’t actually random. If you order words in such a way to make it easier for you to remember it also makes it easier to bruteforce. Lots of crypto wallets where people tried to do this were remotely drained.

      Doing this is only safe if the words are selected with secure RNG of some kind.

  • N3Cr0@lemmy.world
    link
    fedilink
    English
    arrow-up
    18
    arrow-down
    1
    ·
    1 year ago

    A passphrase is much longer than a password, and therefor provides more enthropy, even when it’s completely mnemonic.

    You should store it in an encrypted database with a password manager. But you also have to secure this database - with either a password or passphrase. And do not forget about a 2nd factor, like a key which you have to store somewhere. Maybe encrypt that one, too.

    No matter how many steps of security do have: There will be a master password/passphrase, and you shouldn’t write it down in clear text! So better find a way (some kind of secret algorithm, stored in your brain) to reproduce your master pass.

  • jet@hackertalks.com
    link
    fedilink
    English
    arrow-up
    7
    ·
    edit-2
    1 year ago

    ignore this… read the reply below for the right answer.

    — original message ----

    The mnemonic passcode is just a way for you to more easily remember a long randomized string. So instead of ACDEF it’s Alfa Charlie Delta echo foxtrot. The entropy is there in the original letters. Just a technique to make it easier to remember and type in without error

      • Square Singer@feddit.de
        link
        fedilink
        English
        arrow-up
        7
        ·
        1 year ago

        The description of @[email protected] is actually not correct.

        Every password/passcode/passphrase consists of a string of symbols. The amount of possible combinations is the number of unique symbols to the power of the number of symbols.

        Say you got a regular password with 60 possible unique characters and a length of 18 characters (matching the number of symbols your mnemonic passcode has). That gives you 60^18 ~= 10^32 possible combinations.

        The mnemonic passcodes don’t just map one word to one character, instead, a symbol here is one word from a dictionary. So if the dictionary has 5000 words in it, your passcode has 5000^18 ~= 10^66 possible combinations, which is roughly as strong as if you require the user to enter 10^34 regular 18-character passwords.

        • Reborn2966@feddit.it
          link
          fedilink
          English
          arrow-up
          0
          ·
          1 year ago

          but no one is creating a pass phrase 18 word long. how does a password compare to 4/5 word pass phrase? maybe adding - in the middle and a number at the end (bitwarden format)

          • TheKoala73@lemm.ee
            link
            fedilink
            English
            arrow-up
            2
            ·
            edit-2
            1 year ago

            afaik it’s not uncommon for software to generate mnemonic passcodes at least that long. Brave browser uses a 25 word phrase for its sync chain, e.g. But I guess you’re right: if I had to think of a mnemonic passcode, I probably wouldn’t use more than 4 or 5 words either…

            If I did the maths right, you would need a mnemonic passcode of 9 words out of our dictionary of 5000 words to be at least as strong as our password with 18 characters out of 60 possible unique characters. (It’s closer to 8.6 words, but we obviously can’t allow fractions of words…)

            Using our 5000 words dictionary, a 4-word mnemonic passcode would be equivalent to a password with between 8-9 characters and a 5-word mnemonic passcode would be equivalent to a password with between 10-11 characters.

            As far as I know, the character used to separate the words/symbols is irrelevant, so whether you use “word-word-word” or “word word word” or “word.word,word” would be the same. Also, if you slightly modify a word (e.g. by replacing al letter with a digit), that shouldn’t make a difference. Correct me if I’m wrong. What I don’t know is what happens if you add a number as an extra symbol.

            I also did some calculations using English words as dictionary (although the number of English words is quite difficult to determine because it makes a huge difference what dictionary you use). To get a rough estimate of the numbers I have tried to stick to the rule that a word should be in the official Scrabble dictionary for my web search. These are the rough numbers I found: 1000 3-letter words, 4000 4-letter words, 15000 5-letter words, 23000 6-letter words, 35000 7-letter words and 42000 8-letter words. That would give us a dictionary of about 20000 English words with up to 5 letters and about 120000 English words with up to 8 letters.

            Based on that, the mnemonic passcode would have to have 8 words (out of the 20000) and 7 words (out of the 120000) to be at least as strong as our 18 character password. Or, based on the 120000 English words with up to 8 letters, a 4-word passcode would be equivalent to a password with 11-12 characters and a 5-word passcode would be equivalent to a password with 14-15 characters.

            Edit: spelling

            • Square Singer@feddit.de
              link
              fedilink
              English
              arrow-up
              1
              ·
              edit-2
              1 year ago

              Extending/modifying the words does extend the number of unique symbols, thus giving you much more possible symbols, but it does defeat the purpose of mnemonic passphrases, since they then aren’t mnemonic anymore.

              If you want to add more security, you could just add another word. Gives you more additional security while keeping the amount of memorizing lower.

              The point of mnemonic passphrases is that they are easier to remember since you only have to remember fewer symbols. So “high entropy” symbols are chosen.

              A single word out of a 120000 word dictionary carries ~16.5 bits of entropy (that’s the unit of measuring information density). A single character out of a set of 64 possible characters only carries 6 bits of entropy, and a single digit only carries slightly over 3 bits of entropy.

              So for memorizing a word, you get about as much entropy as you get for memorizing 2.5 characters or 5.5 digits.

              So say your password consits of 4 words with one digit added to each of them, you need to memorize 8 symbols and get ~79 bits of entropy.

              If you just remember 5 words, that’s 5 symbols to remember and you get 82.5 bits of entropy out of it.

              Remember: each bit doubles the difficulty to guess your password. So 3.5 additional bits is ~11 times as difficult.

          • Square Singer@feddit.de
            link
            fedilink
            English
            arrow-up
            0
            ·
            1 year ago

            I was referencing the example of the OP, and that was 18 words.

            But we can do the math for more realistic passwords/passphrases.

            Password with 8 characters and 60 unique symbols: ~10^14 combinations

            Passphrase with 4 words and 5000 unique symbols (words): ~10^16 combinations

            Passphrase with 5 words and 5000 unique symbols: ~10^20

            So yes, 4-5 words beats 8 characters. You can do the math yourself for any combination you want.

            It’s just [number of unique possible symbols] ^ [number of characters/words in the password].

  • Jat620DH27@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    ·
    edit-2
    1 year ago

    Many Web3 crypto wallets, such as MetaMask and Uniswap, use Mnemonic Phrases to improve security. Which app you are referring to?

    • dhork@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      In the crypto world, it is a bit different. The words are chosen out of a pre-set dictionary of 2048 words, making each word the equivalent of an 11-bit number. Your 24-word mnemonic is actually an encoding of a 256-bit number, with some checksum bits at the end.

  • U+1F914 🤔@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    ·
    edit-2
    1 year ago

    The security of a fully random password depends on the number of available symbols (alphabet) and the length.
    The strength of the password is simply symbolcount^length.

    For a conventional password the symbols/alphabet are characters, numbers and special characters.
    For a mnemonic the symbols are simply full words and the “alphabet” is a list with a couple thousand words.

    Mnemonic passwords are secure because of their large alphabet, and easy to remember because of the lower length (in symbols) and because human brains are good at coming up with associations (usually stories) for random words.
    If you want to generate your own mnemonic password you can try diceware.
    With diceware you roll a few dice to select random words from a list.

  • 𝜏au@discuss.tchncs.de
    link
    fedilink
    English
    arrow-up
    3
    arrow-down
    1
    ·
    edit-2
    1 year ago

    It is (or can be) just as secure as a non-mnemonic passcode. The mnemonic aspect just helps with typing it out without errors.

    You’re not really supposed to remember the mnemonic passcode, but save it in your password manager and/or print it out and store it in a secure location.

    Now if you need to use your printed out mnemonic passcode, you just have to type in a bunch of normal words instead of a very long list of random characters and symbols, where it’s easy to make mistakes.

      • Jajcus@kbin.social
        link
        fedilink
        arrow-up
        2
        ·
        1 year ago

        In enhances security by allowing high-entropy passwords to be easy to remember and write, so you have no incentive to use short/simple low-entropy (insecure) passwords.

  • Rooster@infosec.pub
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    1 year ago

    “Security” isn’t a fair comparison here. They’re apples and oranges. Passwords are secrets for authentication. Mnemonic passcodes encode information, like a private key. You DO want to keep it secret but it’s much more functional than a password.

    • Pseu@kbin.social
      link
      fedilink
      arrow-up
      3
      ·
      1 year ago

      Quantum computers don’t break encryption by guessing passwords, it breaks encryption by being able to quickly factor extremely large numbers. What password is used doesn’t matter, it’s a more direct attack on the algorithm itself.