Password Tips

The Advantages of Passphrases

person

Safe Pass Team

Editorial

Published

Introduction

Using a passphrase consisting of several words, known as a seed phrase, offers significant advantages in terms of safety and usability compared to randomly generated strings. This approach, commonly used in crypto wallets and based on standards like BIP39, enhances security while maintaining user-friendliness.

Advantages of Passphrases

  1. Ease of Memorisation — A passphrase made up of words is easier to remember than a random string of characters. Users can better recall meaningful phrases, reducing the risk of losing or forgetting their seed phrase.

  2. Reduced Risk of Human Error — Passphrases with words decrease the likelihood of mistakes while copying or typing, minimising the chance of losing access to accounts or funds. The visual recognition and verification of each word contribute to a lower risk of error.

  3. Resistance to Brute-Force Attacks — Passphrases composed of multiple words, particularly when chosen from a diverse wordlist, provide strong resistance against brute-force attacks. The larger number of possible combinations makes it computationally expensive and time-consuming for attackers to guess the correct phrase.

  4. Better User Adoption and Usability — Using a passphrase consisting of words promotes broader user adoption and improves usability. Random strings can be daunting, especially for non-technical users. By utilising familiar and intuitive passphrase formats, tools can reach a wider audience.

Optimal Length for Seed Phrases

According to the BIP39 specification, a secure seed phrase typically consists of 12 to 24 words, with 12 words being the most common and widely supported option. This range strikes a balance between usability and security.

  • A 12-word passphrase provides a high level of security, with an incredibly large number of possible combinations (approximately 5.4445179 × 10^39).
  • A 24-word passphrase significantly increases security, offering an even larger number of combinations (approximately 1.0768288 × 10^77).

Comparing Shorter Passphrases

While using a four-word passphrase for app and website passwords may be reasonable, it’s important to consider specific context and requirements. Factors to consider include password strength, password policies of the applications, sensitive information involved, and the value of the account. Longer, more complex passwords are generally advisable for higher security.

Brute-Force Attack Time

The time required to perform a brute-force attack on different lengths of passphrases can vary significantly. While it depends on various factors such as computational power and attack strategy, it’s useful to understand the scale of the numbers involved:

  • A two-word passphrase (~4,194,304 combinations) could be cracked in minutes to hours.
  • A three-word passphrase (~8,589,934,592 combinations) would take significantly longer, potentially weeks or months.
  • A four-word passphrase (~17,592,186,044,416 combinations) would require months to years.
  • A five-word passphrase (~36,028,797,018,963,968 combinations) would take centuries or more.

Contextual Comparisons

To put these large numbers into context:

  • A two-word passphrase (~4,194,304 combinations) is comparable to the approximate number of seconds in 48 days.
  • A three-word passphrase (~8,589,934,592 combinations) is roughly equivalent to the number of grains of sand in a small sandbox.
  • A four-word passphrase (~17,592,186,044,416 combinations) can be compared to the estimated number of stars in 13,000 Milky Way galaxies.
  • A five-word passphrase (~36,028,797,018,963,968 combinations) is roughly comparable to the number of litres of water in all the Earth’s oceans.

Conclusion

Using a passphrase consisting of multiple words, such as a BIP39 seed phrase, provides a safer and more user-friendly approach to securing accounts. It reduces the risk of human error, enhances memorisation, offers strong resistance against brute-force attacks, and promotes better user adoption. Following the BIP39 standard, a seed phrase with 12 to 24 words strikes a balance between security and usability.

Remember, while longer passphrases exponentially increase security, additional factors such as two-factor authentication and adherence to other security best practices also contribute to overall account safety.

Passphrases BIP39 Entropy