Questions tagged [passphrase]

A passphrase is a longer password that typically consists of multiple words.

A passphrase is a kind of password that consists of several words. There is no fundamental difference between a passphrase and a password; a passphrase is expected to be longer. For generic questions about the generation, storage, usage, verification, etc. of passwords, use the tag . Use the tag for questions that are specifically about multiple-word passwords.

128 questions

111 votes, 5 answers

How to check if an SSH private key has passphrase or not?

Let's say I have access to the private portion of an RSA key-pair. How can I check if this key has associated passphrase or not?
kung

98 votes, 3 answers

What's the advantage of using PBKDF2 vs SHA256 to generate an AES encryption key from a passphrase?

I'm looking at two comparable pieces of software which encrypt data on disk using a passphrase. One uses PBKDF2 to generate the encryption key from a passphrase, while the other uses two rounds of SHA256. What's the difference? Is one preferred over…
Andrey Fedorov

77 votes, 10 answers

If I enter a password on the wrong site, should I consider it compromised?

I have recently started to make use of a password manager and good password practices. I have a different password for each site that I use. If I accidentally use the password from another site when logging in to a webpage, should I consider the…
JonnyWizz

68 votes, 2 answers

Pre-hash password before applying bcrypt to avoid restricting password length

Good practice is not to unnecessarily restrict password length, so that appropriately-long passphrases (perhaps 35-45 chars for 6/7 dicewords) can be used. (See e.g. Should I have a maximum password length? where a maximum of 1K is suggested, to…
Misha

37 votes, 5 answers

Password manager: safer on laptop or on smartphone?

I want to recommend a password manager to my non-tech friends and family and help them set it up and use it. One of the decisions I have to make is whether I recommend one that works on laptops or one that works on smartphones. Smartphones: Have…
Luc

36 votes, 4 answers

Can a dictionary attack crack a Diceware passphrase?

Everyone knows the words used in Diceware passwords (all 6^5 = 7776 words are published) -- they're all common words. Everyone seems to know that we're not supposed to use dictionary words for passwords because the "dictionary attack" can rapidly…
David Cary

33 votes, 2 answers

ssh-keygen: What is the passphrase for?

When using ssh-keygen: What is the passphrase for? Why is it optional? What are the security implications of specifying (or not specifying) one? Below is an excerpt taken from a shell session (some details may have been altered): user@localhost:~$…
voices

30 votes, 6 answers

Is it insecure to display the number of characters when users enter a new passphrase?

When users are entering a new passphrase somewhere, it's helpful to provide feedback on the number of characters received by the system. In a user experience (UX) test I just ran, my user created a passphrase in her password manager, and then…
colan

30 votes, 5 answers

Would turning a Diceware phrase into a sentence decrease its security?

Diceware passphrase lengths are on the rise - up to six or seven words now. The old adage that passphrases are easier to remember may be true for shorter phrases, but six truly random words can be tough to remember. On the other hand, full sentences…

28 votes, 2 answers

Is it possible for my password to have more than one password combination?

Can my password have more than one password combination? I read up on physical combination locks (the lock you open with numbers) and I learned that a combination lock can have more than one possible combination. Also I had my first phone, a…
Henry WH Hack v3.0

27 votes, 4 answers

Is a passphrase-protected SSH private key susceptible to a dictionary attack?

If I have a passphrase-protected SSH private key, AND if this passphrase is sufficiently random and long (say, 20-, 30-, 40-characters long, or even more!), AND if I make this private key of mine publicly available on the Net THEN, will it be…
Harry

25 votes, 5 answers

What concrete parameters can I change to make my passphrase-protected private gpg key more secure

There are several questions which discuss the resistance of passphrase-protected private gpg keys against brute force attacks. It seems, this kind of discussion could go on forever. Rather than starting yet another of these endless discussions, I…
Martin Vegter

23 votes, 3 answers

SSL Certificate - is passphrase necessary and how does apache know it?

I want to generate a Certificate Signing Request for my server and in order to do so, I first need a secure private key. When I create a private key by using openssl genrsa -des3 -out server.key 2048, I'm asked to provide a passphrase. After doing…
Matt3o12

23 votes, 7 answers

Song Lyrics as passphrases

I have a question slightly similar to this question. I am familiar with the correct horse battery staple example from xkcd, yet I am leaning towards song lyrics as a passphrase, since I have a brain that remembers song lyrics very easily. Now, I am…

19 votes, 6 answers

Is it possible to recover a lost passphrase for a private key file?

We have a set of public and private keys and certificates on the server. The problem is that while public encryption works fine, the passphrase for the .key file got lost. So, when trying to execute the following command: openssl rsa -in the.key It…
Kevin Kopf