dicekeys / beta-program

Information for the DiceKeys beta

Please vote on a preferred password format #42

Closed UppaJung closed 3 years ago

UppaJung commented 3 years ago

Password formats don't matter much when they're automatically being copied and pasted, but they may matter more if you need to type them or want to write them down by hand. We are considering two possible formats:

(1) 15-Icing-gifts-henna-dodgy-dudes-harsh-snub-waltz-plot-penny-chunk-crane-drum-treat-catty
(2) 15_Icing_Gifts_Henna_Dodgy_Dudes_Harsh_Snub_Waltz_Plot_Penny_Chunk_Crane_Drum_Treat_Catty

Format (1) should be easier to type, because there's only one uppercase character requiring the use of the shift key and the dash character (-) also does not require the shift key.

Format (2) may be easier to read, as the underline leaves a larger blank rectangle between the words and the capital letters also highlight where one word starts and the other ends.

Please vote for your preference by up-voting one of the two comments below by clicking on the smile emoji at the top right of your preferred option.

UppaJung commented 3 years ago

15-Icing-gifts-henna-dodgy-dudes-harsh-snub-waltz-plot-penny-chunk-crane-drum-treat-catty

UppaJung commented 3 years ago

15_Icing_Gifts_Henna_Dodgy_Dudes_Harsh_Snub_Waltz_Plot_Penny_Chunk_Crane_Drum_Treat_Catty

yeliaBdE commented 3 years ago

Or, exploring the remaining permutations of capitalization and delimiter characters:

(3) 15-icing-gifts-henna-dodgy-dudes-harsh-snub-waltz-plot-penny-chunk-crane-drum-treat-catty
(4) 15_icing_gifts_henna_dodgy_dudes_harsh_snub_waltz_plot_penny_chunk_crane_drum_treat_catty

I don't know if there's any requirement for capitalization, but given your "easier to type" argument in favor of format (1), why not just eliminate capitalization entirely?

For ease of typing, I'd go with format (3) over format (1), but it's close, and I'd be fine with either, honestly...

fruiz500 commented 3 years ago

I vote for case-insensitive, dashes rather than underscores. Consider an option to allow delimiters such as commas, periods, etc. Lose the "15" prefix, which adds nothing.

Reason: the easier to type and remember, the better. You don't want users scratching their heads over whether words should be capitalized or they used the correct delimiter.

Why do some of the sample words contain only 4 letters? I thought all words were meant to contain 5 letters. If you want to expand the dictionary beyond 1024 words, then consider a much expanded one (10,000 words or so). Each word will contain more entropy, so the codes will end up being shorter.
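As an added illustration of the two points raised so far (the typing cost of the candidate formats from the first post, and the entropy-per-word argument in the comment above), here is a small Python helper that is not part of the DiceKeys project: it parses a passphrase in any of the four formats, re-renders it in another, counts shift-key presses, and computes the entropy for a given dictionary size. The word list and the 1024/10,000-word dictionary sizes are taken from the thread; the functions are hypothetical.

```python
import math
import re

# Sample passphrase from the thread, in format (1).
SAMPLE = "15-Icing-gifts-henna-dodgy-dudes-harsh-snub-waltz-plot-penny-chunk-crane-drum-treat-catty"

# The four formats discussed: separator plus capitalisation rule.
FORMATS = {
    1: {"sep": "-", "case": "first"},  # 15-Icing-gifts-...
    2: {"sep": "_", "case": "title"},  # 15_Icing_Gifts_...
    3: {"sep": "-", "case": "lower"},  # 15-icing-gifts-...
    4: {"sep": "_", "case": "lower"},  # 15_icing_gifts_...
}


def parse(passphrase):
    """Split a passphrase in any of the four formats into (word_count, words).
    Matching is case-insensitive, so a mis-capitalised word still parses."""
    parts = re.split(r"[-_]", passphrase.strip())
    count = int(parts[0]) if parts[0].isdigit() else None
    words = [w.lower() for w in (parts[1:] if count is not None else parts)]
    if count is not None and count != len(words):
        raise ValueError(f"prefix says {count} words but {len(words)} were given")
    return count, words


def render(words, fmt, prefix=True):
    """Render lower-case words in one of the four formats, optionally with the count prefix."""
    spec = FORMATS[fmt]
    if spec["case"] == "lower":
        out = list(words)
    elif spec["case"] == "title":
        out = [w.capitalize() for w in words]
    else:  # only the first word capitalised, as in format (1)
        out = [words[0].capitalize()] + list(words[1:])
    if prefix:
        out = [str(len(words))] + out
    return spec["sep"].join(out)


def shift_presses(passphrase):
    """Characters that need the shift key on a US layout: uppercase letters and '_'."""
    return sum(1 for c in passphrase if c.isupper() or c == "_")


def entropy_bits(n_words, dict_size):
    """Entropy of n_words chosen uniformly from a dictionary of dict_size words."""
    return n_words * math.log2(dict_size)


def words_needed(target_bits, dict_size):
    """Fewest words from a dict_size dictionary that reach target_bits of entropy."""
    return math.ceil(target_bits / math.log2(dict_size))
```

With 15 words from a 1024-word list the passphrase carries 150 bits; the same 150 bits need only 12 words from a 10,000-word list, which is the shortening the comment above describes.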

cpsagovac commented 3 years ago

15-Icing-gifts-henna-dodgy-dudes-harsh-snub-waltz-plot-penny-chunk-crane-drum-treat-catty

dragon788 commented 3 years ago

Sadly some (stupid) websites require 1 each of UPPER, lower, numeric, and special characters, so having an uppercase in there is good. Not all sites are compatible with special characters though, which is why using DiceKeys primarily as a master password is good, and then letting other password managers deal with the insane number of incompatible requirements and keeping their own allowed/incompatible lists for sites.

1cyberwarrior commented 3 years ago

I strongly suggest using the one with underscores and not dashes. Who uses dashes anymore?

MichaelKing1832 commented 3 years ago

I see benefits to both - the externally imposed popular "password complexity" requirement, as well as the "convenience" factor of not having to touch the shift key during entry. Not everyone trusts their clipboard for copy and paste, especially with them now automatically retaining history and replicating to the cloud. That is most definitely not a desirable side-effect, making manually typing a passphrase something that one will be doing without a browser extension, and that's not in the problem space for DiceKeys to address.

If I had to pick, I'd go for the numeric prefix, an initial capital letter and the dash for the punctuation character.

I would like to see the numeric prefix used as an index for key derivation to help in identifying and mapping which derived passphrase goes with which application/purpose.

p0lt commented 3 years ago

Why can't it just be a radio button where you select what format you want it to spit out the results in... make it flexible... turn this on if ya want, turn this off if ya don't, etc...

cpsagovac commented 3 years ago

Or perhaps something more configurable than a radio button. Knowing that a DiceKeys passphrase has one or two canonical formats reduces the size of the passphrase space, and that nicely-described "externally imposed popular 'password complexity' requirement" may not be satisfied by either format, e.g. "must have at least two special characters" or "no character can be repeated more than twice".

djlambert commented 3 years ago

I don't have a preference either way, and as already pointed out there are use cases for both. Something configurable would be great.

UppaJung commented 3 years ago

Even if we make it configurable, the default will be very important.

I'm curious as to the situations in which you all envision yourself typing these passwords, rather than having them either sent directly to the app that needs them (if the API or a browser extension allows) or via copy and paste.

cpsagovac commented 3 years ago

Concur that the default will be important. I would avoid typing a password for the usual reasons: mistakes + keyloggers. Best to utilize a secure API or browser extension v. clipboard, if possible.

jeff3f commented 3 years ago

Also, there should always be raw data shown so I could always just copy that into my own passkey generator app.