# I am the Watcher. I am your guide through this vast new twtiverse.
# 
# Usage:
#     https://watcher.sour.is/api/plain/users              View list of users and latest twt date.
#     https://watcher.sour.is/api/plain/twt                View all twts.
#     https://watcher.sour.is/api/plain/mentions?uri=:uri  View all mentions for uri.
#     https://watcher.sour.is/api/plain/conv/:hash         View all twts for a conversation subject.
# 
# Options:
#     uri     Filter to show a specific user's twts.
#     offset  Start index for query.
#     limit   Count of items to return (going back in time).
# 
# twt range = 1 14
# self = https://watcher.sour.is/conv/ji42lkq
Q: Are passphrases really more secure than cryptographically random passwords? 🤔

I have to wonder... It _should_ be possible to do "passphrase" attacks just like "dictionary" attacks? How is a "phrase" any different to the character set you can type? Sure there are more possible "words" (at least) in the English language, but I'm not convinced.
@prologic They can be more secure or not. It depends on how long it is, just like a string of random characters. You can also add some random special characters into the passphrase to throw off an attacker.

The main benefit of a passphrase is the relative ease at which it is memorized. A good, long passphrase with a couple of special characters thrown in is quite secure. The list of words that you made your passphrase out of might be public, but the attacker probably doesn't know which one you used unless you tell him.
@mckinley You are right, I _think_ it's important to pick an appropriate "length" -- Length here would mean (IMO) number of words in the phrase. I tend to think that if you don't also throw in some special characters or padding to throw off a "phrase"-based attack, then it's arguably weaker than a password made up of random characters? 🤔
@prologic

passwords for the most part are dead. high-entropy bit mnemonics are the way.

have a look at the bip-39 spec. theoretically unbreakable given a proper implementation. the caveat is many services don't allow for a charset > 50 which forces the consumer to reduce entropy bits by way of varchar constraints.

while a passphrase or mnemonic with a length of 8 words, i.e. "red glue seven wifi belief bacon zebra pipe", is rather strong, it's also the sequence of the words that contributes to the breakage. if you were to set "prologic builds software that needs some maintainers today" this would be simpler in theory to crack since the progression of words forms a common speech pattern which can be brute forced easier.

this would make a good friday call
@retrocrash Interesting 🤔
I believe the benefit/risk calculation is that a passphrase is more memorable to users than a random string of alnum + symbol. i can remember the 20-30 chars in a passphrase quicker and longer than an 8-10 random.

ultimately they hold nowhere near the benefit of passphrase + MFA
I use long passphrases. I keep them in my password manager and if I need to type them, it is much easier to type.
@retrocrash yep, I was going to share the bip-39 spec, thanks for pointing it out.
A regular passphrase, like taking a random quote from a book is not ideal, perhaps the equivalent to using 'password123'

I switched from using long random passwords like
qayxTW7rr8T95V8b8ZHV4QMHcaTssVqDwEEr3Hzr

to
Ream4-Cope-Daringly-Waving-Likeness-Urchin-Arise


They are easier to type, and have similar entropy (if used correctly)

As @retrocrash says, the real problem is with
allowed_chars <= 50
even for long passwords or simpler passphrases, which is stupid since the hashed password uses the same amount of chars. Perhaps allowing up to 100 or 200 chars is good enough, and maybe rejecting some special characters like emojis, no idea.
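The entropy comparison that runs through this thread (retrocrash's 8-word mnemonic, the 40-character random string next to the 7-word passphrase above, and the "allowed_chars <= 50" cap) can be put into numbers. The following is an added example, not code from anyone in the thread; it assumes the passphrase words are uniform random draws from a list of a given size (7776 for a classic Diceware-style list, 2048 for the BIP-39 English list, i.e. 11 bits per word) and an average word length of 6 characters for the length-cap estimate. A quote from a book, as the post above notes, is not a uniform draw and gets none of this entropy.

```python
import math
import secrets

# Constructed inputs taken from the thread: a 40-char random alnum password
# and a 7-word hyphen-separated passphrase.
RANDOM_PASSWORD = "qayxTW7rr8T95V8b8ZHV4QMHcaTssVqDwEEr3Hzr"
PASSPHRASE = "Ream4-Cope-Daringly-Waving-Likeness-Urchin-Arise"

ALNUM = 62       # a-z, A-Z, 0-9
DICEWARE = 7776  # 6^5 words in a classic Diceware-style list (assumption for the passphrase above)
BIP39 = 2048     # BIP-39 English wordlist: exactly 11 bits per word


def random_password_bits(length, charset_size=ALNUM):
    """Entropy in bits of `length` symbols, each chosen uniformly from `charset_size`."""
    return length * math.log2(charset_size)


def passphrase_bits(word_count, wordlist_size):
    """Entropy of `word_count` words drawn uniformly (with replacement) from the list.

    Only valid when every word is an independent random draw; a sentence that
    follows a speech pattern ('prologic builds software ...') is far weaker.
    """
    return word_count * math.log2(wordlist_size)


def words_for_bits(target_bits, wordlist_size):
    """How many random words from the list are needed to reach `target_bits`."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def words_that_fit(char_limit, avg_word_len=6, separator_len=1):
    """How many words fit under a service's length cap (the <= 50 char problem).

    n words cost n*avg_word_len + (n-1)*separator_len characters.
    """
    return (char_limit + separator_len) // (avg_word_len + separator_len)


def generate_passphrase(wordlist, word_count, sep="-"):
    """Draw each word with a CSPRNG so the entropy figures above actually apply."""
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


def compare():
    """Side-by-side figures for the thread's examples (rounded to 0.1 bit)."""
    pw_bits = random_password_bits(len(RANDOM_PASSWORD))
    n_words = len(PASSPHRASE.split("-"))
    return {
        "random_40_alnum": round(pw_bits, 1),
        "passphrase_7_words_diceware": round(passphrase_bits(n_words, DICEWARE), 1),
        "passphrase_7_words_bip39": round(passphrase_bits(n_words, BIP39), 1),
        "mnemonic_8_words_bip39": round(passphrase_bits(8, BIP39), 1),
        "diceware_words_to_match_random_40": words_for_bits(pw_bits, DICEWARE),
        "diceware_words_under_50_chars": words_that_fit(50),
        "bits_under_50_chars_diceware": round(passphrase_bits(words_that_fit(50), DICEWARE), 1),
        "bits_under_50_chars_alnum": round(random_password_bits(50), 1),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:40s} {value}")
```

The numbers show where the two sides of the thread meet: a uniform 7-word Diceware-style phrase sits around 90 bits and an 8-word BIP-39 mnemonic at 88 bits, both far beyond what an online or offline guessing attack can cover, while the 40-character alnum string is roughly 238 bits. Under a 50-character cap the random string still fits ~298 bits but a passphrase fits only about 7 words, which is the "reduce entropy bits by way of varchar constraints" point, and it is why padding with digits or symbols, as suggested earlier, only helps if those are random too.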
@eaplmx indeed and thank you for unpacking further. your use of mnemonics is a good substitute for complex long passwords (still better than dog1234).

and if you have issues with typing, some form of password manager is helpful. unless of course it's your luks partition or something else then you should burn this into the cortex.
@xuu of course, mfa goes without saying. passphrase+mfa wins every time. i was delving more into the cryptography and mathematics behind it coming from a lot of research in this area. but point well received.