Nico Schottelius/ blog/ Use smart passphrases - stop enforcing weak and complicated passwords

Introduction

As a netizen you may have defined one or more passwords for several situations. As a sysadmin you may have to setup password policies for your infrastructure. Sometimes you will encounter the requirement to use lower case characteres, capitalisation, numbers and special characters or various combinations of the previous.

I urge you both to drop this behaviour now. This article explains why it is more sensible to use passphrases instead of complicated passwords.

Passphrase vs. Passwords

A passphrase is a combination of words that is used to secure access:

iamathepassphrasedefinedbydaniel

A password on the other hand is usually a combination of characters:

7z/+tt38

There are at least 4 very simple reasons to prefer passhprases over passwords:

  • passphrases are easier to remember (try yourself with the previous examples)
  • passphrases are more secure
  • passphrases can be typed faster than passwords (and thus enhance security even more)
  • passphrases are easier to type on foreign keyboards

How secure are passphrases really?

Let's take the common constraints of passwords:

  • Upper and lower case (26+26 characters)
  • Number (10 characters)
  • Special characters (some - depends on how you count)
  • Length about 8-10 characters

Let us assume we have 128 possibilities for each character. With 10 characters this would result in 12810 possible passwords:

1180591620717411303424 (1.18059e+21)

Let us take a look at the possible combination of passphrases. Passphrases are a bit more difficult to define, as it is not strictly defined how many words the English language knows about. I will use 600000 as one of the lower numbers given in the linked article, which gives us the following number of possibilities:

1 word  = 600000
2 words = 360000000000                              (3.6e+11)
3 words = 216000000000000000                        (2.16e+17)
4 words = 129600000000000000000000                  (1.296e+23)
5 words = 77760000000000000000000000000             (7.776e+28)
6 words = 46656000000000000000000000000000000       (4.6656e+34)
7 words = 27993600000000000000000000000000000000000 (2.79936e+40)

As you can easily see, when you use only 4 words, your passphrase is more secure than most passwords. The passphrase example above counted 7 words and is still easy to remember.

What now

Let us make the world easier.

If you are user and you have to create weak and complicated passwords due to some policy, give the provider a link to this article so she can understand why changing their policy is sensible.

If you are a sysadmin or provider you can change your password policy to require 15 ore more characters, which would result in 931322574615478515625 or 1.67726e+21 possibilities - even more than in your previous policy.

For the geeks

I am aware of Unicode, but most characters are not found on common keyboards - at least the ones I use do not exceed 200 keys. Even if you could enter all Unicode characters (for instance using ISO 14755), it still remains questionable whether the application accepts all unicode characters.

If that wasn't enough: You can also use other languages to write your passphrase. Learned a sentence on your last holidays? Use it (as a base) for your passphrase.

Yes, there are some words that are more common in languages. On the other hand, if fantasy words that only you know about are included, the attacker is required to guess the full string, which is quite a lot of guesses, even if she assumes all characters are lower case..

...by the way, if you consider the example passphrase from above as a string of 32 lower case characters, it would give you 1901722457268488241418827816020396748021170176 or 1.90172e+45 possible passwords.

XKCD also has a nice cartoon describing this solution.