Passphrases

Answer to this frequently asked question.

The recommended value is 1000. Continue reading if you are concerned about the security or connection performance.

Security concerns

Each character of the newly generated passphrase is randomly picked from 90 different characters. That means, passphrase of length 1 has 90 posibilities in total, passphrase of length 2 has $90^2$ possibilities...

Generally, passphrase of length $n$ has $90^n$ different possibilities. That means, passphrase of length 1000 has approximately around $1.7$ multiplied by 2000th power of $10$ of possibilities.

According to this article, such password would take more than 1900 times the age of the universe to bruteforce. Taking this into account, it is more probable that some plugin with backdoors will steal the passphrase, than the passphrase getting bruteforced randomly.

Passphrase guidelines:

• Passphrases shorter than 50 characters are considered weak. If using such passphrase, the plugin will display a warning each time the server starts.

• Never share it with anyone else.

• Regenerate it once in a while, just in case.

• Use the built-in generator only - avoid any internet communication.

Data payload

Each character is 1B of data (assuming ASCII character set), so passphrase of length 1000 is equal to 1kB of data transfered between the proxy and backend servers.