I recently tried out a decentralized private messaging tool; it didn’t ask for my personal information to register.
Instead, it only asked me to create a username and set a password, after which it provided me with a mnemonic passcode. (I had never used a mnemonic passcode before, but I learned that it’s a web3 or decentralized type of thing.)
Their FAQ page says: “The Mnemonic Passcode is your ONLY SOURCE of backup in a scenario where your device breaks down or becomes unusable due to any reason. In such cases, all you need is your Mnemonic Phrase to recover all your account information. It must be copied, screen-shotted, or written down and kept in a safe and secret place until it is needed.”
Is a Mnemonic Passcode more secure than a usual password? Plus, are there any other ways to keep your mnemonic phrase?
Ignore this… read the reply below for the right answer.
---- original message ----
The mnemonic passcode is just a way for you to more easily remember a long randomized string. So instead of ACDEF it’s Alfa Charlie Delta Echo Foxtrot. The entropy is there in the original letters. Just a technique to make it easier to remember and type in without error.
Oh! That’s why they are words, not letters
The description in the reply above is actually not correct.
Every password/passcode/passphrase consists of a string of symbols. The amount of possible combinations is the number of unique symbols to the power of the number of symbols.
Say you’ve got a regular password with 60 possible unique characters and a length of 18 characters (matching the number of symbols your mnemonic passcode has). That gives you 60^18 ~= 10^32 possible combinations.
The mnemonic passcodes don’t just map one word to one character; instead, a symbol here is one word from a dictionary. So if the dictionary has 5000 words in it, your passcode has 5000^18 ~= 10^66 possible combinations, which is roughly as strong as if you required the user to enter 10^34 regular 18-character passwords.
oh neat, thank you for the helpful correction
But no one is creating a passphrase 18 words long. How does a password compare to a 4/5-word passphrase? Maybe adding a - in the middle and a number at the end (Bitwarden format)?
AFAIK it’s not uncommon for software to generate mnemonic passcodes at least that long. Brave browser, e.g., uses a 25-word phrase for its sync chain. But I guess you’re right: if I had to think of a mnemonic passcode, I probably wouldn’t use more than 4 or 5 words either…
If I did the maths right, you would need a mnemonic passcode of 9 words out of our dictionary of 5000 words to be at least as strong as our password with 18 characters out of 60 possible unique characters. (It’s closer to 8.6 words, but we obviously can’t allow fractions of words…)
Using our 5000 words dictionary, a 4-word mnemonic passcode would be equivalent to a password with between 8-9 characters and a 5-word mnemonic passcode would be equivalent to a password with between 10-11 characters.
As far as I know, the character used to separate the words/symbols is irrelevant, so whether you use “word-word-word” or “word word word” or “word.word,word” would be the same. Also, if you slightly modify a word (e.g. by replacing a letter with a digit), that shouldn’t make a difference. Correct me if I’m wrong. What I don’t know is what happens if you add a number as an extra symbol.
I also did some calculations using English words as the dictionary (although the number of English words is quite difficult to determine because it makes a huge difference what dictionary you use). To get a rough estimate of the numbers I have tried to stick to the rule that a word should be in the official Scrabble dictionary for my web search. These are the rough numbers I found: 1000 3-letter words, 4000 4-letter words, 15000 5-letter words, 23000 6-letter words, 35000 7-letter words and 42000 8-letter words. That would give us a dictionary of about 20000 English words with up to 5 letters and about 120000 English words with up to 8 letters.
Based on that, the mnemonic passcode would have to have 8 words (out of the 20000) and 7 words (out of the 120000) to be at least as strong as our 18 character password. Or, based on the 120000 English words with up to 8 letters, a 4-word passcode would be equivalent to a password with 11-12 characters and a 5-word passcode would be equivalent to a password with 14-15 characters.
Edit: spelling
Extending/modifying the words does extend the number of unique symbols, thus giving you much more possible symbols, but it does defeat the purpose of mnemonic passphrases, since they then aren’t mnemonic anymore.
If you want to add more security, you could just add another word. Gives you more additional security while keeping the amount of memorizing lower.
The point of mnemonic passphrases is that they are easier to remember since you only have to remember fewer symbols. So “high entropy” symbols are chosen.
A single word out of a 120000 word dictionary carries ~16.5 bits of entropy (that’s the unit of measuring information density). A single character out of a set of 64 possible characters only carries 6 bits of entropy, and a single digit only carries slightly over 3 bits of entropy.
So for memorizing a word, you get about as much entropy as you get for memorizing 2.5 characters or 5.5 digits.
So say your password consists of 4 words with one digit added to each of them: you need to memorize 8 symbols and get ~79 bits of entropy.
If you just remember 5 words, that’s 5 symbols to remember and you get 82.5 bits of entropy out of it.
Remember: each bit doubles the difficulty to guess your password. So 3.5 additional bits is ~11 times as difficult.
thank you for the math <3
i now need to change my bitwarden master password :)
speaking of it, I need to change one or two master passwords, too… 🙈
I was referencing the example of the OP, and that was 18 words.
But we can do the math for more realistic passwords/passphrases.
Password with 8 characters and 60 unique symbols: ~10^14 combinations
Passphrase with 4 words and 5000 unique symbols (words): ~10^16 combinations
Passphrase with 5 words and 5000 unique symbols: ~10^20
So yes, 4-5 words beats 8 characters. You can do the math yourself for any combination you want.
It’s just [number of unique possible symbols] ^ [number of characters/words in the password].
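Here is the thread’s formula (unique symbols ^ length, or equivalently length × log2(unique symbols) bits) as a small added calculator, not code from the original post or any of the tools mentioned. It uses exact logarithms, so the bit counts come out slightly higher than the rounded figures quoted above (a 120000-word dictionary gives ~16.9 bits per word rather than 16.5); the dictionary sizes and alphabet of 60 characters are the thread’s own assumptions.

```python
import math


def combinations(alphabet_size: int, length: int) -> int:
    """Number of possible secrets: [unique symbols] ^ [symbols in the secret]."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Same quantity on a log scale: each symbol adds log2(alphabet_size) bits."""
    return length * math.log2(alphabet_size)


def equivalent_length(alphabet_size: int, target_bits: float) -> float:
    """How many symbols from this alphabet are needed to reach target_bits."""
    return target_bits / math.log2(alphabet_size)


def words_needed(dict_size: int, char_alphabet: int, char_length: int) -> int:
    """Words from dict_size needed to match a char_length password; no fractional words."""
    return math.ceil(equivalent_length(dict_size, entropy_bits(char_alphabet, char_length)))


def phrase_bits(words: int, dict_size: int, digits: int = 0) -> float:
    """Bitwarden-style phrase: random words plus `digits` random decimal digits.

    A fixed separator ("-", " ", ".") is the same in every phrase, so it adds
    0 bits; only randomly chosen symbols (words, digits) count.
    """
    return entropy_bits(dict_size, words) + entropy_bits(10, digits)


if __name__ == "__main__":
    # The thread's running example: 18 chars of 60 vs 18 words of 5000.
    print(f"60^18  ~ 10^{math.log10(combinations(60, 18)):.1f}")
    print(f"5000^18 ~ 10^{math.log10(combinations(5000, 18)):.1f}")
    print("words of 5000 to match 18 chars:", words_needed(5000, 60, 18))
    for n in (4, 5):
        chars = equivalent_length(60, entropy_bits(5000, n))
        print(f"{n} words of 5000 ~ {chars:.1f} chars of 60")
    # 4 words + 4 digits vs 5 plain words from a 120000-word dictionary.
    print(f"4 words + 4 digits: {phrase_bits(4, 120000, 4):.1f} bits")
    print(f"5 words:            {phrase_bits(5, 120000):.1f} bits")
```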
thank you!