Passphrase question

[dkbit98]

Do you think it's better for security that passphrases have spaces between words or not?
Space is consider as character in passphrase, but some people may made a mistake and ignore them.

For example in this random six word passphrase:

Code:

penny demand local fellowship railroad happen

or

Code:

pennydemandlocalfellowshiprailroadhappen

This two are obviously totally different passphrases even if they contain exact same six words, and only difference is spaces.
Do you know what option has better entropy and why?

[Charles-Tim]

What I just know is that if you want stronger passphrase, you should add extra characters to it like *"&$#@% and the likes. Having only words can not be as strong as adding more different characters

Like:

Code:

Chy$;"-Shsh;$;$&#-:4:$nsgdgshdvs";"-#$+_$;@($dC

But we have to be very careful of the passphrase we use because if lost, the whole funds is gone if the present wallet is not accessible, and if the present wallet is accessible, the best is to send the whole funds to another wallet which its seed phrase and passphrase is differently and properly backup offline.

[ABCbits]

Here's answer from KeePassXC password/passphrase generator, when both are treated as password.

Code:

penny demand local fellowship railroad happen

101.76 bit

Code:

pennydemandlocalfellowshiprailroadhappen

63.60 bit

According to KeePassXC blog (https://keepassxc.org/blog/2020-08-15-keepassxc-password-healthcheck/), it uses zxcvbn algorithm (https://dropbox.tech/security/zxcvbn-realistic-password-strength-estimation).

[o_e_l_e_o]

I would consider them very similar, and certainly not the huge difference that KeePassXC has suggested. The problem with the zxcvbn algorithm is that it assumes anyone attacking the password knows the structure of the password. So in this case, the entropy calculations are based on the fact that an attacker knows the password is 6 dictionary words, with or without spaces respectively.

If someone was to attack those two passwords using a plain brute force attack without knowing the structure of the password, then the difference in entropy between the two passwords is 296 bits v 263 bits, with the 33 bit difference being explained by there being 5 more characters (with 95 printable ASCII characters in total) in the first password.

If you assume an attacker knows you are only using lower case letters and spaces, then that difference becomes 214 bits v 190 bits.

If someone was to attack those two passwords using a dictionary attack, then technically they are the same amount of entropy, somewhere in the region of 100 bits (assuming a 100,000 word dictionary), and which one was more secure would depend on whether your attacker was including spaces in their dictionary attack or not. I'm not sure, but I would assume most dictionary attacks do not include spaces, which would make the one with spaces more secure.

In some cases though, spaces would add a significant amount of entropy. For example, the passphrase:

Code:

demand fellow ship rail road happen

Is 6 dictionary words, whereas the passphrase:

Code:

demandfellowshiprailroadhappen

Is only 4, since fellow-ship and rail-road have been combined in to one dictionary word.

So, considering all of the above, I would add spaces.

[n0nce]

Please keep in mind it depends a lot on your attacker model and how they approach the key cracking. It is safe to assume they try all major methods, such as brute-force AND dictionary attacks, using various different alphabets and dictionaries to maximize success chances.

A webpage that tells you the brute-force security of a password, doesn't paint the whole picture, if it ignores aforementioned dictionary attacks.

A few thoughts about the space-separated password:
If you're brute-forcing with only alphanumerics, you will never find the password with spaces
If you're brute-forcing with alhpanumerics and special characters, you will find it, but the increased entropy means it will take longer
With a dictionary attack, both passwords should be relatively quick to find since they consist of standard dictionary words

So I guess both have their up- and downsides, and since a good attacker will use every technical way they can, the choice won't make much of a difference. I would highly suggest to stay away from dictionary words for passwords. Some people like to use words, but replacing some characters, either through leet-speech or other characters. For example, replace 'password' with 'passw0rd', however this is nowadays often taken into consideration in various dictionary-based attack programs. If however, you come up with something more sophisticated, it might yield higher security, like going from 'password' to 'p_ssw#rD'. This is not super technical, but you get the idea.

The more truly random the password is, the better. Length is less important than entropy in my opinion.

[Timelord2067]

Just as a modification of the suggestions put in previous posts:

Code:

penny[demand?localAfellowship9railroad+happen

Knowing the pass phrase and the series of extra key strokes above, the text can be stored seperate to the extra key strokes e.g.

Code:

[?A9+

One is written down, the other is a memory file.


https://www.grc.com/haystack.htm says the above is:

Search Space Depth (Alphabet):   26+26+10+33 = 95
Search Space Length (Characters):   45 characters
Exact Search Space Size (Count):
(count of all possible passwords
with this alphabet size and up
to this password's length)   100,498,132,061,423,231,
081,347,094,786,846,413,
309,955,071,322,107,441,
008,599,073,242,332,954,
752,318,402,554,126,495
Search Space Size (as a power of 10):   1.00 x 10^89
Time Required to Exhaustively Search this Password's Space:
Online Attack Scenario:
(Assuming one thousand guesses per second)   31.96 thousand trillion trillion trillion trillion trillion trillion centuries
Offline Fast Attack Scenario:
(Assuming one hundred billion guesses per second)   3.20 hundred million trillion trillion trillion trillion trillion centuries
Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second)   3.20 hundred thousand trillion trillion trillion trillion trillion centuries

A totally DIFFERENT end point as you can't anticipate what the extra characters are and a result in the thousands of times extra length to crack.

[NeuroticFish]

Code:

penny[demand?localAfellowship9railroad+happen

I find this a rather unnecessary over-complication. One may easily forget this rule in 10 years.
I think that's more important the number of words. I think that it could be more useful if not all are actual real words, but, again, it's better to not over-complicate the things.
Overall, I agree pretty much with

Both are good for security. Comparing them is like comparing the  volumes of water in the Pacific ^{(707.5 million km3 of water)} and Atlantic^{(323 million km3 of water)} oceans. Atlantic has less water that Pacific but  it doesn't really matter for that one who wanna  bail out  from  ocean  using a glass.

[NotATether]

Security-wise, it doesn't make a difference because attackers who know some people use pass-phrases will just brute force word combinations, using any separator such as space or special character, and they'll also try the combo with no separators at all as well. It is very easy to script (and also it annoys password strength checkers if there are no special characters in the password).

[PrivatePerson]

passphrase = brainwallet phrases?
if I enter 12 words from my wallet in the brainwallet, will I get the same private key?

[NotATether]

passphrase = brainwallet phrases?
if I enter 12 words from my wallet in the brainwallet, will I get the same private key?

Nah, we're not discussing brainwallet passphrases - Brainwallets are completely insecure and it's been known for a long time now (and no, your seed phrase will NOT give you the same private key if you use it as a brainwallet phrase - because a BW phrase only makes 1 key, however a seed phrase can derive practically an unlimited number of keys using multiple derivation levels.)

[pooya87]

Security-wise, it doesn't make a difference because attackers who know some people use pass-phrases will just brute force word combinations, using any separator such as space or special character, and they'll also try the combo with no separators at all as well.

That's a contradiction. If they have to also check the combination with and without separator that means they are doubling their effort and it would take roughly twice the time to check all passwords. That translates into an increased security.

[NeuroticFish]

Security-wise, it doesn't make a difference because attackers who know some people use pass-phrases will just brute force word combinations, using any separator such as space or special character, and they'll also try the combo with no separators at all as well.

That's a contradiction. If they have to also check the combination with and without separator that means they are doubling their effort and it would take roughly twice the time to check all passwords. That translates into an increased security.

True. Just after a certain "safe" level it no longer matters if the security is increased.
I mean that while the difference clearly exists in theory, the difference no longer matters practically. I think that this was the point.

At this level I would be more worried of dictionary based attacks and adding non-existing "words" than the separators that might actually help the hacker.

[o_e_l_e_o]

That's a contradiction. If they have to also check the combination with and without separator that means they are doubling their effort and it would take roughly twice the time to check all passwords. That translates into an increased security.

But if a dictionary attacker does not know if you have used spaces or not, then both provide the same amount of security in most cases, excluding word contractions as I discussed above. Which one actually ended up being more secure would depend if an attacker searched all possibilities with spaces first or without spaces first. If they searched a string with and without spaces at the same time, then it doesn't matter.

Honestly, if you are concerned enough about the entropy of your passphrase or security of your wallets to worry significantly about whether or not you should include spaces, then the better option would probably be to just add a few more words to your passphrase.