Password Security & MemPhrase

Understanding Password Strength & Entropy

A strong password is one that is difficult for humans or computers to guess. The strength of a password is often measured in entropy, which is expressed in "bits." The higher the entropy, the more unpredictable and secure your password is.

Entropy considers two main factors:

  • Length: Longer passwords have significantly more entropy. Each additional character multiplies the number of possible combinations by the size of the character set, so the total grows exponentially with length.
  • Character Set Size: This is the pool of unique characters used to create the password. A password using lowercase letters (26 options), uppercase letters (26), numbers (10), and symbols (e.g., ~28-32 common ones) has a much larger character set than one using only lowercase letters.

For example, a password of length L whose characters are each chosen independently and uniformly at random from a character pool of size N has an entropy of L * log₂(N) bits. MemPhrase calculates and displays this value to help you gauge the generated password's theoretical strength based on the options you select.

How MemPhrase Generates Passwords

1. Word-based (Memorable Passphrases)

This mode focuses on creating passphrases that are easier for humans to remember while still maintaining good strength. It works by:

  • Selecting a specified number of words from chosen categories (e.g., adjectives, nouns, verbs). The diversity and size of the word lists in these categories contribute to entropy.
  • Optionally capitalizing each word (adds 1 bit of entropy per word if chosen).
  • Joining words with a chosen separator character.
  • Optionally adding a specified number of random digits (0-9) and symbols (from a customizable set). Each digit adds log₂(10) bits, and each symbol adds log₂(SymbolSetSize) bits.
  • The position and grouping of these numbers and symbols can also be configured.

The goal is to balance memorability with cryptographic strength. Longer passphrases with more words and added random elements are stronger.

2. Random Characters (Strong Passwords)

This mode generates passwords that are typically harder to remember but can achieve very high entropy for their length. It works by:

  • Creating a character pool based on your selections: lowercase letters (a-z), uppercase letters (A-Z), numbers (0-9), and symbols (from a default set of ~28 or your customized set).
  • Randomly selecting characters from this pool to construct a password of your desired length (between 8 and 128 characters).

The strength of these passwords directly depends on the length and the size of the character pool used. For instance, including all character types creates a larger pool (e.g., 26+26+10+28 = 90 characters) than using only lowercase and numbers (26+10 = 36 characters).
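The entropy accounting described for both modes above, as an added Python example (not MemPhrase's own code). The function names, the 28-character SYMBOLS string and the "log₂(list size) bits per word" rule are assumptions made for illustration.

```python
import math
import secrets
import string

# Constructed 28-symbol set standing in for the "~28" default (assumption).
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/~|"

def build_pool(lower=True, upper=True, digits=True, symbols=SYMBOLS):
    """Return the character pool for the selected character classes."""
    pool = ""
    if lower:
        pool += string.ascii_lowercase
    if upper:
        pool += string.ascii_uppercase
    if digits:
        pool += string.digits
    pool += symbols or ""
    if not pool:
        raise ValueError("select at least one character class")
    return pool

def random_password(length, pool):
    """Draw each character uniformly and independently with a CSPRNG."""
    if not 8 <= length <= 128:  # length range stated on the page
        raise ValueError("length must be between 8 and 128")
    return "".join(secrets.choice(pool) for _ in range(length))

def random_entropy_bits(length, pool_size):
    """L * log2(N); only valid for uniform, independent draws."""
    return length * math.log2(pool_size)

def passphrase_entropy_bits(list_sizes, capitalize=False, digits=0,
                            symbols=0, symbol_set_size=len(SYMBOLS)):
    """Sum the per-element entropy of a word-based passphrase.

    list_sizes holds the size of the word list each word was drawn from
    (assumption: one uniform draw per word, so log2(size) bits each).
    """
    bits = sum(math.log2(n) for n in list_sizes)
    if capitalize:
        bits += len(list_sizes)  # 1 bit per word, as the page counts it
    bits += digits * math.log2(10)
    bits += symbols * math.log2(symbol_set_size) if symbols else 0
    return bits

if __name__ == "__main__":
    pool = build_pool()
    print(random_password(16, pool), round(random_entropy_bits(16, len(pool)), 1))
    print(round(passphrase_entropy_bits([2048] * 4, True, 2, 1), 1))
```

With all four classes selected, a 16-character password comes to about 103.9 bits; four words from 2048-word lists, capitalized, plus two digits and one symbol come to about 59.5 bits.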

General Password Security Tips

  • Use Strong, Unique Passwords for Each Account: This is crucial. If one account is compromised, unique passwords prevent attackers from accessing your other accounts.
  • Length Matters Most: After ensuring a good mix of character types, increasing length provides the biggest boost to security.
  • Enable Two-Factor/Multi-Factor Authentication (2FA/MFA): This adds a critical second layer of security beyond just your password.
  • Avoid Obvious Information: Don't use names, birthdays, pet names, or common dictionary words as standalone passwords.
  • Be Wary of Phishing: Never enter your password on a site you reached via a suspicious link. Always verify the website's address (URL).
  • Keep Software Updated: Regular updates for your OS, browser, and applications often include security patches.
  • Consider Passkeys When Available: Passkeys are a newer, more secure alternative to passwords that use cryptographic key pairs. They are resistant to phishing and don't require you to remember complex strings. Look for options to use passkeys on websites and apps that support them for the best security.

Using Password Managers

Given the need for long, unique, and complex passwords for every account, using a password manager is highly recommended. These tools securely generate and store your passwords, so you only need to remember one master password (make it a very strong one!).

Popular Password Managers:

Below are some well-regarded password managers. We encourage you to research them to find one that fits your needs:

Disclaimer: The listing of these password managers is for informational purposes only and does not constitute an endorsement by MemPhrase. Please conduct your own research before choosing any security product.