I recently tried out a decentralized private messaging tool; it didn’t ask for my personal information to register.

Instead, it only asked me to create a username and set a password, after which it provided me with a mnemonic passcode. (I had never used a mnemonic passcode before, but I learned that it’s a web3 or decentralized type of thing.)

Their FAQ page says: “The Mnemonic Passcode is your ONLY SOURCE of backup in a scenario where your device breaks down or becomes unusable due to any reason. In such cases, all you need is your Mnemonic Phrase to recover all your account information. It must be copied, screen-shotted, or written down and kept in a safe and secret place until it is needed.”

Is a mnemonic passcode more secure than a usual password? Plus, are there any other ways to keep your mnemonic phrase?

  • Square Singer@feddit.de · 7 upvotes · 1 year ago

    The description of @[email protected] is actually not correct.

    Every password/passcode/passphrase consists of a string of symbols. The number of possible combinations is the number of unique symbols to the power of the number of symbols.

    Say you got a regular password with 60 possible unique characters and a length of 18 characters (matching the number of symbols your mnemonic passcode has). That gives you 60^18 ~= 10^32 possible combinations.

    The mnemonic passcodes don’t just map one word to one character, instead, a symbol here is one word from a dictionary. So if the dictionary has 5000 words in it, your passcode has 5000^18 ~= 10^66 possible combinations, which is roughly as strong as if you require the user to enter 10^34 regular 18-character passwords.

    • Reborn2966@feddit.it · 0 upvotes · 1 year ago

      But no one is creating a passphrase 18 words long. How does a password compare to a 4/5-word passphrase? Maybe adding “-” in the middle and a number at the end (Bitwarden format)?

      • TheKoala73@lemm.ee · 2 upvotes · 1 year ago (edited)

        AFAIK it’s not uncommon for software to generate mnemonic passcodes at least that long; Brave browser, e.g., uses a 25-word phrase for its sync chain. But I guess you’re right: if I had to think of a mnemonic passcode, I probably wouldn’t use more than 4 or 5 words either…

        If I did the maths right, you would need a mnemonic passcode of 9 words out of our dictionary of 5000 words to be at least as strong as our password with 18 characters out of 60 possible unique characters. (It’s closer to 8.6 words, but we obviously can’t allow fractions of words…)

        Using our 5000-word dictionary, a 4-word mnemonic passcode would be equivalent to a password with between 8 and 9 characters, and a 5-word mnemonic passcode would be equivalent to a password with between 10 and 11 characters.

        As far as I know, the character used to separate the words/symbols is irrelevant, so whether you use “word-word-word” or “word word word” or “word.word,word” would be the same. Also, if you slightly modify a word (e.g. by replacing a letter with a digit), that shouldn’t make a difference. Correct me if I’m wrong. What I don’t know is what happens if you add a number as an extra symbol.

        I also did some calculations using English words as the dictionary (although the number of English words is quite difficult to determine, because it makes a huge difference which dictionary you use). To get a rough estimate of the numbers, I tried to stick to the rule that a word should be in the official Scrabble dictionary for my web search. These are the rough numbers I found: 1000 3-letter words, 4000 4-letter words, 15000 5-letter words, 23000 6-letter words, 35000 7-letter words and 42000 8-letter words. That would give us a dictionary of about 20000 English words with up to 5 letters and about 120000 English words with up to 8 letters.

        Based on that, the mnemonic passcode would have to have 8 words (out of the 20000) or 7 words (out of the 120000) to be at least as strong as our 18-character password. Or, based on the 120000 English words with up to 8 letters, a 4-word passcode would be equivalent to a password with 11-12 characters and a 5-word passcode would be equivalent to a password with 14-15 characters.

        Edit: spelling

        • Square Singer@feddit.de · 1 upvote · 1 year ago (edited)

          Extending/modifying the words does extend the number of unique symbols, thus giving you much more possible symbols, but it does defeat the purpose of mnemonic passphrases, since they then aren’t mnemonic anymore.

          If you want to add more security, you could just add another word. Gives you more additional security while keeping the amount of memorizing lower.

          The point of mnemonic passphrases is that they are easier to remember since you only have to remember fewer symbols. So “high entropy” symbols are chosen.

          A single word out of a 120000 word dictionary carries ~16.5 bits of entropy (that’s the unit of measuring information density). A single character out of a set of 64 possible characters only carries 6 bits of entropy, and a single digit only carries slightly over 3 bits of entropy.

          So for memorizing a word, you get about as much entropy as you get for memorizing 2.5 characters or 5.5 digits.

          So say your password consists of 4 words with one digit added to each of them: you need to memorize 8 symbols and get ~79 bits of entropy.

          If you just remember 5 words, that’s 5 symbols to remember and you get 82.5 bits of entropy out of it.

          Remember: each bit doubles the difficulty to guess your password. So 3.5 additional bits is ~11 times as difficult.

      • Square Singer@feddit.de · 0 upvotes · 1 year ago

        I was referencing the example of the OP, and that was 18 words.

        But we can do the math for more realistic passwords/passphrases.

        Password with 8 characters and 60 unique symbols: ~10^14 combinations

        Passphrase with 4 words and 5000 unique symbols (words): ~10^16 combinations

        Passphrase with 5 words and 5000 unique symbols: ~10^20

        So yes, 4-5 words beats 8 characters. You can do the math yourself for any combination you want.

        It’s just [number of unique possible symbols] ^ [number of characters/words in the password].
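The rule stated in this last post (unique symbols to the power of length), the word-count and character-equivalence comparisons in TheKoala73’s post, and the bits-of-entropy reasoning in the reply to it can all be checked with one small script. This is an added example written for this page, not code from any of the posters; it assumes the thread’s own parameters (a 60-character alphabet, 5000-, 20000- and 120000-word dictionaries) and computes the figures exactly rather than by rounding.

```python
import math

# Added example (not from the thread's authors): the thread's rule
# "combinations = unique_symbols ** length" and its bit-entropy
# variant, applied to the thread's own parameters. Assumed values:
# a 60-character alphabet and dictionaries of 5000/20000/120000 words.

def combinations(symbols: int, length: int) -> int:
    """Number of possible passwords: unique symbols to the power of length."""
    return symbols ** length

def entropy_bits(components) -> float:
    """Entropy in bits of a password built from (symbol_count, length) parts,
    e.g. [(120000, 4), (10, 4)] is 4 dictionary words plus 4 digits.
    Each part contributes length * log2(symbol_count) bits."""
    return sum(length * math.log2(symbols) for symbols, length in components)

def words_needed(dict_size: int, target_bits: float) -> int:
    """Smallest whole number of dictionary words reaching target_bits."""
    return math.ceil(target_bits / math.log2(dict_size))

def equivalent_chars(dict_size: int, words: int, alphabet: int) -> float:
    """Length of a random password over `alphabet` symbols with the same
    entropy as `words` words drawn from a dictionary of `dict_size`."""
    return words * math.log2(dict_size) / math.log2(alphabet)

def difficulty_ratio(extra_bits: float) -> float:
    """Each extra bit doubles the guessing work: 2 ** extra_bits."""
    return 2.0 ** extra_bits

if __name__ == "__main__":
    pw_bits = entropy_bits([(60, 18)])  # the thread's 18-character password
    print(f"60^18 = {combinations(60, 18):.2e} combinations, {pw_bits:.1f} bits")
    for d in (5000, 20000, 120000):
        print(f"{d}-word dictionary: {words_needed(d, pw_bits)} words match it")
    for words in (4, 5):
        print(f"{words} words of 5000 ~ {equivalent_chars(5000, words, 60):.1f} chars of 60")
    four_plus_digits = entropy_bits([(120000, 4), (10, 4)])
    five_words = entropy_bits([(120000, 5)])
    print(f"4 words + 4 digits: {four_plus_digits:.1f} bits; 5 words: {five_words:.1f} bits; "
          f"x{difficulty_ratio(five_words - four_plus_digits):.1f} harder to guess")
```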