A Passphrase Is a Terrific Tool You Can Employ, but Is It All You Need?


The year was 2011, and security professionals were fighting a losing battle. They were typing their fingers to the bone trying to convince users that creating truly strong passwords is very important. They were putting together charts and solving mathematical equations which illustrated the advantages of having a long password that contains uppercase and lowercase letters, numbers, and special characters. Despite all this, people were using '123456' to protect their accounts and were often not ashamed to admit that they're reusing a single password on multiple accounts. Then, a now-famous XKCD webcomic appeared and tried to change the public's perception a bit.

Passwords vs. Passphrases

Randall Munroe, the author, tried to tell people that instead of juggling letters, numbers, and punctuation, they should simply think of four random dictionary words and put them together. He reckoned that the resulting passphrase is far more difficult to crack than a typical word spruced up with random numbers and special characters, and he even tried to use maths to prove it.

Right now, seven years later, we can safely say that Mr. Munroe's attempt to change the users' password creation habits has more or less failed. "123456" continues to be one of the most commonly used passwords, and password reuse is still very much the norm rather than the exception. The "correcthorsebatterystaple" comic is still the subject of some heated discussions, though.

The problem that started it all

To find out why some people think that a passphrase is better than a password, we need to see what's wrong with the regular password, and we might as well clear up some confusion along the way.

Many people wrongly assume that creating a strong password is difficult. This is not the case. In fact, open a text editor, close your eyes, and mash the keys of your keyboard for a few seconds. In all likelihood, what you see when you open your eyes will be a fairly strong password that will take even a powerful computer quite a while to crack. The thing is, if it's hard to crack, it's hard to remember, and this, really, is what the problem is all about.

The passphrase supporters claim that thanks to its length, it's just as (if not more) difficult to crack than the password. At the same time, you'll struggle to find people willing to argue that remembering a string of four dictionary words is harder than remembering a string of twenty random symbols. It seems, then, that the passphrase is just the solution we need. Unfortunately, it's not as simple as that.

Using a passphrase might not be as easy as it sounds

They don't seem to be that widespread, but experts have seen tools designed specifically to brute-force passphrases. Instead of trying different combinations of symbols until they get the right password, they combine words. While it doesn't completely ruin the passphrase's strength, such a tool can take away some of the added complexity gained by using a long passphrase.

Then you have the problem with password requirements. As we mentioned already, before some people started arguing that a passphrase is better than a password, there was a very strong urge to get all people to start using various types of symbols in their passwords. As a result, websites began implementing requirements that force you to use, for example, a digit or a special character in your password. All these could make your passphrase much harder to remember, which defeats its purpose to some extent. Some rules will even prevent you from using a passphrase altogether.

Service providers that store passwords insecurely will often impose an upper limit on the number of characters you can use to protect your account. As we mentioned already, the strength of a passphrase lies in its length, and if it can't be long, you're better off using a shorter but more complex password.

Speaking of length, have a look at a selection of login data that has been leaked during a breach, and chances are, you will find items that can loosely be defined as passphrases in there. The phrase "letmein", for example, is quite a common sight, and in case you haven't realized it already, although it's technically a passphrase, using it as a way of protecting your account is not a good idea. Neither is using the chorus from your favorite song or the first few words of your favorite book. Hackers know better than that.

A passphrase, like a password, must be random and unpredictable. And sadly, humans aren't very good at being random and unpredictable.

Diceware – the solution to the problem of creating passphrases

If humans are not random and unpredictable, then what is? Those of you who said "dice" get a virtual pat on the back.

Diceware is a method for creating a passphrase using, yes, you guessed it, dice. It's been around for quite a while now, but the recent debate around the length and complexity of passwords has popularized it quite a bit, and we'll now show you how it works.

Naturally enough, as its popularity grew, some variations appeared. Recently, for example, experts from the Electronic Frontier Foundation (EFF) developed Diceware for twenty-sided dice. We, however, will focus on the traditional method that requires just one completely standard six-sided die.

Before you dust off the Monopoly box, however, you need a Diceware word list. Quite a few word lists are just a Google search away, and they even come in different languages. If you don't feel like rummaging around, you can just pick this one published by the EFF in 2016.

Now take your die and roll it five times, writing down (or remembering) each digit. Put the digits together to make a number and search for that number in the word list. The word next to the number is the first word of your passphrase. After trying it out in the office, for example, we got 36426 which, in EFF's word list, corresponds to "machinist." Repeat the process to generate three or more additional words, stitch them together, and you'll end up with a very strong passphrase.
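As an added example (not code from the article or from the EFF), here is the five-roll Diceware lookup in Python, together with the entropy arithmetic behind the "very strong" claim. The word list is a constructed six-line stand-in for the 7,776-entry EFF list; only the 36426 → "machinist" entry is the one quoted above, the rest are placeholders.

```python
import math
import secrets

# Constructed stand-in for the EFF Diceware list ("NNNNN word" per line).
# The real list has 6**5 = 7776 entries; 36426 -> machinist is the roll
# quoted in the article, the other lines are placeholders for illustration.
SAMPLE_WORDLIST = """\
11111 abacus
11112 abdomen
36425 machine
36426 machinist
36431 macro
66666 zoom
"""


def parse_wordlist(text):
    """Map each five-digit roll (digits 1-6 only) to its word."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        key, word = parts
        if len(key) == 5 and set(key) <= set("123456"):
            table[key] = word
    return table


def roll_key(rng=secrets.randbelow):
    """Five rolls of a six-sided die, concatenated into a lookup key.
    rng(n) must return an int in [0, n); secrets.randbelow is the default
    so the result is suitable for real use, not just demonstration."""
    return "".join(str(rng(6) + 1) for _ in range(5))


def diceware_passphrase(table, words=4, rng=secrets.randbelow):
    """Roll once per word; re-roll on a key that is absent from the table
    (only ever happens with an incomplete list like the sample above)."""
    chosen = []
    while len(chosen) < words:
        key = roll_key(rng)
        if key in table:
            chosen.append(table[key])
    return " ".join(chosen)


def passphrase_entropy_bits(words, list_size=6 ** 5):
    """log2(list_size ** words): about 12.9 bits for each Diceware word."""
    return words * math.log2(list_size)


def random_chars_entropy_bits(length, alphabet_size=95):
    """Same measure for a uniformly random string over printable ASCII."""
    return length * math.log2(alphabet_size)
```

Four Diceware words come to roughly 51.7 bits, about the same as eight truly random printable characters (52.6 bits), which is why the passphrase keeps its strength despite being built from plain dictionary words.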

It's not exactly the quickest way of generating a passphrase, but the result is completely random which means that the extra effort is worth it. Sadly, this randomness also creates a problem.

Remembering one passphrase is easy, remembering many passphrases isn't

As we mentioned already, the passphrase's main advantage is the fact that it's easier to remember than a strong password. The problem is, in this day and age, we don't need to remember one password or passphrase. We have many accounts, and if we want to keep them safe, we mustn't protect them with the same strings of words or characters.

Tools like the Cyclonis Password Manager help you keep all your passwords and passphrases organized in an encrypted vault that only you have access to. It might not generate passphrases, but the passwords it creates can be just as long and much more complex. Best of all, you don't need to roll any dice, write down any numbers, or look up any words.

September 20, 2018
