LinuxQuestions.org, Linux - Newbie forum
Thread: https://www.linuxquestions.org/questions/linux-newbie-8/which-is-more-secure-a-cryptic-password-or-passphrase-4175550854/

dukes123 08-15-2015 05:29 PM

Which is more secure, a cryptic password or a passphrase?
 
Hi,

I want to encrypt an unused partition on my hard drive. I want to know which is more secure: a cryptic password, for example o/S6&1WAu}U3gEP2, or a passphrase like "The quick brown fox jumped over the fence".

The two examples above are just illustrations.

JaseP 08-15-2015 06:20 PM

Obligatory XKCD cartoon reference...
https://xkcd.com/936/

jpollard 08-16-2015 06:20 AM

It depends on how you are going to encrypt it. Some methods (AES 256) require 36 bytes of key... But to have a good key requires you to use all 8 bits of the byte (most used character sets don't). What usually happens is that a "passphrase" (which may be just a cryptic password) is used to generate a 36-byte hash, which is then used for the key, the assumption being that the hash is a more random string than the passphrase (and is shorter).
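
The "passphrase is hashed into key bytes" step described in this post, as an added example that is not from the thread or from any disk-encryption tool's own code. It uses PBKDF2-HMAC-SHA256 from Python's standard library to stretch a passphrase into a fixed number of uniformly distributed key bytes; the passphrase, salt and iteration count are constructed sample values, and the 32-byte output length is what AES-256 expects (XTS mode uses two AES keys, so a 64-byte request is shown as well). The key derivation function a given tool actually uses, and how it tunes the iteration count, depends on the tool and version.

```python
import hashlib
import hmac
import os

# Constructed sample inputs (not from the thread). The salt is fixed here so the
# run is reproducible; a real tool draws a fresh salt from os.urandom() per volume.
SAMPLE_PASSPHRASE = "The quick brown fox jumped over the fence"
SAMPLE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
ITERATIONS = 200_000  # assumption; tools usually benchmark this at format time


def derive_key(passphrase: str, salt: bytes,
               iterations: int = ITERATIONS, length: int = 32) -> bytes:
    """Stretch a human passphrase into `length` key bytes using PBKDF2-HMAC-SHA256.

    Every output byte uses all 8 bits, unlike the printable-ASCII passphrase.
    The iteration count makes each attacker guess cost `iterations` HMAC
    operations; the salt makes the same passphrase produce a different key on
    every volume, so a precomputed table of hashes is useless.
    """
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, iterations, dklen=length)


def new_salt(nbytes: int = 16) -> bytes:
    """Fresh random salt, as a tool would generate when formatting a volume."""
    return os.urandom(nbytes)


def key_matches(passphrase: str, salt: bytes, expected_key: bytes) -> bool:
    """Check a candidate passphrase in constant time (how an unlock step compares)."""
    return hmac.compare_digest(derive_key(passphrase, salt, length=len(expected_key)),
                               expected_key)


def demo() -> dict:
    """Show determinism, salt sensitivity and passphrase sensitivity."""
    k_aes256 = derive_key(SAMPLE_PASSPHRASE, SAMPLE_SALT)            # 32 bytes
    k_xts = derive_key(SAMPLE_PASSPHRASE, SAMPLE_SALT, length=64)     # two AES-256 keys
    k_other_salt = derive_key(SAMPLE_PASSPHRASE, new_salt())
    k_typo = derive_key(SAMPLE_PASSPHRASE + ".", SAMPLE_SALT)
    return {
        "aes256_key_len": len(k_aes256),
        "xts_key_len": len(k_xts),
        "deterministic": k_aes256 == derive_key(SAMPLE_PASSPHRASE, SAMPLE_SALT),
        "salt_changes_key": k_aes256 != k_other_salt,
        "typo_changes_key": k_aes256 != k_typo,
        "unlock_ok": key_matches(SAMPLE_PASSPHRASE, SAMPLE_SALT, k_aes256),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point a practitioner should take from this: the key the cipher sees is always full-entropy bytes, but the derivation cannot add entropy. Whatever guessing budget the passphrase itself survives is the real security level; the iteration count only multiplies the cost of each guess.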

sgosnell 08-16-2015 09:40 AM

I'm no expert, but pretty much all I've read indicates that length is more secure than randomness. The longer the password/passphrase, the more secure, because the time for a brute-force attack increases geometrically. A random 4-character password is far less secure than an 8-character password, unless the password is something easily guessed. You need to use something that you can remember, but isn't easily broken by a dictionary attack. A carefully chosen passphrase satisfies this requirement.

jpollard 08-16-2015 09:54 AM

As long as no one can guess how you chose that passphrase...

The problem remains: a passphrase that is easily remembered is also easier for social engineering to recover.

sgosnell 08-16-2015 10:31 AM

Everything in life is a compromise of some sort. Remembering a 24-character random string is difficult, probably more difficult than most people can handle. But there are ways of constructing a passphrase that is both difficult to hack and easy enough to remember. One way is to use a transliteration of a phrase in a foreign language that doesn't use the Latin alphabet. Or you can change letters to numbers, use just the first letter of words, or any number of other methods. You shouldn't use something like "My dog's name is Spot", or anything easily guessable, although almost anything long enough should be fine for use on websites. Hackers and script kiddies aren't going to spend the time to guess the password themselves; they use dictionary software, and the efficiency of that decreases drastically with the length of the phrase. From what I've read, length is more important than randomness. But I have no actual experience with cracking passwords.

albinard 08-16-2015 10:50 AM

The security of a password is based on its entropy, namely the degree of randomness it exhibits. The ability of password crackers to reveal it depends a great deal on the availability of the sort of dictionaries the crackers use, which are composed of already-cracked hashes, words in various languages, etc.

Passphrases, since they are composed of dictionary words, have a low entropy per symbol. One way to increase the entropy per symbol is to take a long but memorable phrase (song lyric, poem, anything highly memorable) and use the first letter of each word. Then encrypt the letters in a random fashion (not leet or anything systematic) and practice typing it. The combination of mental recitation as you type and the motor memory of the keystrokes will give you a password of 10 to 12 symbols that is easy to remember and difficult to crack (no dictionaries anywhere for the crackers to resort to!).
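
The entropy argument in this post, and the brute-force-time argument sgosnell made earlier in the thread, worked through as an added example (not code from the thread). It scores the two illustrations from the opening post under two models: a random-character model, which is the right one for a generated password, and a random-word model, which is the right one for a passphrase whose words are drawn from a word list. The word-list size (7776, a common six-dice list) and the guess rate (1e10 guesses per second) are assumptions chosen for the illustration; a passphrase that is an ordinary English sentence scores far lower than the word-list figure because its words are not independent.

```python
import math

# Constructed inputs: the two illustrations from the opening post.
RANDOM_PASSWORD = "o/S6&1WAu}U3gEP2"
PASSPHRASE = "The quick brown fox jumped over the fence"

# Assumptions for the models below (not figures from the thread).
WORDLIST_SIZE = 7776           # a common random-word list, 6^5 entries
GUESSES_PER_SECOND = 1e10      # an offline cracking rig against a fast hash
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the smallest standard character set covering every symbol used.

    This is the alphabet an attacker must assume if the password is random;
    printable ASCII has 95 symbols, of which 33 are punctuation and space.
    """
    classes = [
        (str.islower, 26),
        (str.isupper, 26),
        (str.isdigit, 10),
        (lambda c: c.isprintable() and not c.isalnum(), 33),
    ]
    return sum(size for test, size in classes if any(test(c) for c in password))


def random_entropy_bits(password: str) -> float:
    """Entropy if every symbol was chosen uniformly from the covering charset."""
    return len(password) * math.log2(charset_size(password))


def wordlist_entropy_bits(phrase: str, list_size: int = WORDLIST_SIZE) -> float:
    """Entropy if every word was chosen uniformly from a list of `list_size` words.

    This is an upper bound for a natural sentence: dictionary words that
    follow each other grammatically carry far less than log2(list_size) each.
    """
    return len(phrase.split()) * math.log2(list_size)


def bits_per_symbol(bits: float, text: str) -> float:
    """Entropy per typed character, the quantity this post is about."""
    return bits / len(text)


def first_letters(phrase: str) -> str:
    """The 'first letter of each word' construction suggested above."""
    return "".join(word[0] for word in phrase.split())


def brute_force_years(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to find the secret: half the keyspace at `rate` guesses/s."""
    return (2.0 ** (bits - 1)) / rate / SECONDS_PER_YEAR


def report() -> dict:
    pw_bits = random_entropy_bits(RANDOM_PASSWORD)
    pp_bits = wordlist_entropy_bits(PASSPHRASE)
    acronym = first_letters(PASSPHRASE)
    return {
        "password_bits": pw_bits,
        "password_bits_per_symbol": bits_per_symbol(pw_bits, RANDOM_PASSWORD),
        "passphrase_bits_if_random_words": pp_bits,
        "passphrase_bits_per_symbol": bits_per_symbol(pp_bits, PASSPHRASE),
        "acronym": acronym,
        "acronym_bits_if_random": random_entropy_bits(acronym),
        "password_crack_years": brute_force_years(pw_bits),
        "acronym_crack_years": brute_force_years(random_entropy_bits(acronym)),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value:.3g}" if isinstance(value, float) else f"{name}: {value}")
```

Under these models the 16-symbol generated password and an eight-word random passphrase land within a couple of bits of each other, but the passphrase spends 41 keystrokes to get there (about 2.5 bits per symbol against 6.6). The eight-letter acronym, taken on its own, is well under 50 bits; the post's advice to then scramble it unsystematically is what is supposed to close that gap, and the model cannot measure how well a given person does that.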

dukes123 08-16-2015 12:42 PM

Hi everyone,

I will be using aes-xts-plain64 as the cipher.

I never use dictionary words as passwords. I use keepassX to generate my passwords.

Thanks 2 all :)
