As long as you generate your passphrases properly (i.e. making sure they still have high entropy and don't fall into the same pitfalls I listed, in case someone still decides to brute force your password as a passphrase), you can have a very secure passphrase. However, as far as sheer entropy goes, passwords have more entropy in a more compact space and are better in that respect.
P.S. Some applications have a character limit, meaning you'll get more entropy out of a password than a passphrase. You might accidentally get weak entropy in a passphrase because of the character limit.
The reality is the password guesser has a string of 29 characters.
Actually, not even that. It would be hashed as a fixed length (256 bits usually).
Again, most of what I was saying was just for the sake of an example to show that under the right circumstances the length of a password doesn't dictate its security. Even if it's an extreme, security is only as strong as its weakest link. I'm not denying that it can be unrealistic, and I'm not saying it's insecure (hence the "grain of salt" section that addressed all of your points), I'm just showing how it could be possible.
they don't even know they're trying to guess words in the first place.
That is true, but the math is still the same regardless.
Suppose you had a word list of 1,000 five letter words. Each of your passphrases is 5 words long. That means you have 1,000^5 possible combinations of passwords, which is an entropy of ~49.8 bits. Even though each passphrase is going to be 29 characters long (5 five letter words plus 4 spaces in between), the password wasn't generated character by character.
By contrast, suppose you used all 95 characters on the (US) keyboard, an 8 character password has 95^8 combinations, which is an entropy of ~52.6 bits. Even though the passphrase has 21 more characters than the password, the password still has more entropy.
Big grain of salt here: You can get a huge word list and remember much longer passphrases easily, but the point is to show that the number of characters doesn't dictate the security of a password. If someone were to brute force a passphrase character-by-character, it would hold up very well, but a) Not many people use passphrases and b) It's far more common to use password dictionaries than to brute force.
P.S. If someone found your word list, they could probabilistically brute force your passwords. For example, if 75% of your five letter words started with the letter S, they could deduce that most of the words likely start with S, and they've already eliminated a few characters to brute force.
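The arithmetic in the comment above, worked through as an added example (this is not code from the commenter or from any project mentioned in the thread). It computes the entropy of the 1,000-word / 5-word passphrase and the 95-character / 8-character password, the much larger search space an attacker faces if they do not know the words come from a list and must go character by character, and the Shannon entropy of a constructed first-letter distribution where 75% of the words start with the same letter. The wordlist size, word length, alphabet sizes and the skew are assumptions chosen to mirror the comment, not measurements of a real wordlist.

```python
from __future__ import annotations

import math

# Constructed parameters mirroring the comment; not taken from any real wordlist or system.
WORDLIST_SIZE = 1000       # assumed: 1,000 five-letter words
WORDS_PER_PHRASE = 5
WORD_LENGTH = 5
KEYBOARD_CHARS = 95        # printable US-ASCII characters
PASSWORD_LENGTH = 8
LOWER_PLUS_SPACE = 27      # what a character-by-character attacker sees: a-z plus the space


def entropy_bits(search_space: int) -> float:
    """Entropy, in bits, of a uniform choice among `search_space` equally likely candidates."""
    if search_space < 1:
        raise ValueError("search space must be at least 1")
    return math.log2(search_space)  # exact for big ints; Python converts without overflow


def passphrase_entropy_bits(wordlist_size: int, words: int) -> float:
    """Bits when each word is drawn uniformly and independently from the wordlist."""
    return entropy_bits(wordlist_size ** words)


def password_entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits for `length` uniform, independent draws from an alphabet of `alphabet_size`."""
    return entropy_bits(alphabet_size ** length)


def passphrase_char_length(word_length: int, words: int, separator_len: int = 1) -> int:
    """Character length of a passphrase: the words plus one separator between each pair."""
    return word_length * words + separator_len * (words - 1)


def char_bruteforce_bits(alphabet_size: int, char_length: int) -> float:
    """Search space an attacker faces when they treat the passphrase as an opaque string
    (they do not know a wordlist was used) and guess character by character."""
    return password_entropy_bits(alphabet_size, char_length)


def shannon_entropy_bits(distribution: dict[str, float]) -> float:
    """Shannon entropy of a discrete distribution whose probabilities sum to 1."""
    total = sum(distribution.values())
    if not math.isclose(total, 1.0, rel_tol=1e-9):
        raise ValueError("probabilities must sum to 1")
    return -sum(p * math.log2(p) for p in distribution.values() if p > 0)


def skewed_first_letter_distribution(dominant: str = "s", dominant_share: float = 0.75) -> dict[str, float]:
    """Constructed first-letter distribution: `dominant_share` of words start with `dominant`,
    the remainder is spread evenly over the other 25 letters."""
    letters = "abcdefghijklmnopqrstuvwxyz"
    others = [c for c in letters if c != dominant]
    share = (1.0 - dominant_share) / len(others)
    dist = {c: share for c in others}
    dist[dominant] = dominant_share
    return dist


def uniform_first_letter_distribution() -> dict[str, float]:
    """Baseline: every first letter equally likely."""
    return {c: 1 / 26 for c in "abcdefghijklmnopqrstuvwxyz"}


if __name__ == "__main__":
    chars = passphrase_char_length(WORD_LENGTH, WORDS_PER_PHRASE)
    print(f"passphrase: {chars} chars, {passphrase_entropy_bits(WORDLIST_SIZE, WORDS_PER_PHRASE):.1f} bits "
          f"(attacker knows the wordlist)")
    print(f"password:   {PASSWORD_LENGTH} chars, {password_entropy_bits(KEYBOARD_CHARS, PASSWORD_LENGTH):.1f} bits")
    print(f"passphrase: {chars} chars, {char_bruteforce_bits(LOWER_PLUS_SPACE, chars):.1f} bits "
          f"(attacker brute forces character by character)")
    print(f"first-letter entropy, uniform: {shannon_entropy_bits(uniform_first_letter_distribution()):.2f} bits")
    print(f"first-letter entropy, 75% start with s: {shannon_entropy_bits(skewed_first_letter_distribution()):.2f} bits")
```

The two passphrase numbers differ by roughly 88 bits for the same 29-character string, which is the whole point of the comment: entropy is a property of how the secret was generated and what the attacker knows, not of its length. The skewed first-letter figure shows the other direction: a leaked, lopsided wordlist lets an attacker order guesses so that the first character costs under 2 bits instead of 4.7.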
That is a really interesting method! Thanks for sharing, I've learned something new. A way to solve the stakeholders unlocking it would be to also require the admin's own credentials plus 2 (or however many) stakeholder credentials to unlock it. However, that could cause stakeholders to target the admin.
While this may not be what you're looking for, it's worth mentioning that a good ol' pencil and paper does wonders. It won't have everything you need, but you can time how long you ran for with a stopwatch, count how many pushups you do, manually measure your pulse, etc. If you're good with data processing you can stick the data in a spreadsheet and process it to see your progress. The bonus is you'll learn a lot more about health through doing it yourself. Besides that, I've never used a smart watch or fitness tracker. I've just exercised until I get tired.
Most passwords can be converted to passphrases to help you remember them. A password "8pmfvt3bww7t" could be remembered as "8 pandas might find vases that 3 bears will wash 7 times." Obviously not all passwords will work for this, but it's a good way to remember random strings. Passphrases are long in characters but have an entropy dependent on how long your wordlist is. For example, 3 words might be 20 characters, but it's easy to guess 3 words since you're not going character by character.
If you completely lose your password to your vault there is nothing you can do, simple as that. Don't lose it.
Unfortunately, as mentioned in the post, there are some ways to lose access to your password that are out of your control. Furthermore, the more places you store your password the less secure it is. It would be a lot easier to be able to authenticate with multiple authentication methods individually, than to rely on having access to all of them at once. That's the problem I'm trying to address here.
Cloud-based sync is incredibly easy with self-hosted cloud, as pointed out by the KeePassXC FAQ. Self-hosted cloud is effectively a local solution.
It is still subject to the issues listed in the 3-2-1 rule, however the goal of self hosting itself conflicts with that rule (since the rule dictates the use of off-site cloud storage). I will note, it does somewhat solve the issue of keeping database backups, as any device pulling from the local cloud server effectively becomes a backup of your database.