Re: password vs passphrase

From: Laura E. Hunter (MVP) (hunter(nospamplease)_at_sfs.upenn.edu)
Date: 07/08/04


Date: Thu, 8 Jul 2004 10:58:57 -0400

Mark Minasi had an interesting take on this at the Security Roadshow this
spring. I'll do my best to paraphrase: (Forgive me if I miss a niggling
detail or three - I think the full slide deck is up on www.minasi.com.)

A 15+ character passphrase has some good things going for it. Even if an
attacker's machine could attempt thousands of passwords every minute, it
would take something like 600 NONILLION years to cycle through all possible
15-letter passphrase combinations, even if the letters are all in
lower-case. Which gives you a legitimate possibility of eliminating account
lockout policies that 90% of the time serve no other purpose than to annoy
your users. :-)

It's also easier for your users to remember a long PHRASE than somehow
expecting them to come up with an 11-letter WORD and intersperse it with % ^
@ $ ! characters or whatever. Compare the following:

Password: Ant!d!se$s+abli$hm3n+ar!an!$m.

Passphrase: igreatlyenjoyrivetswithmymorningpancakes

Which one is better? A user is going to have to THINK about typing in the
former. Probably every single time they have to do it. Which will lead to
mis-typing and account lockouts and other annoyances. Whereas the latter is
really easy to remember, since it's -English.-

The drawback to a passphrase is that some down-level systems won't support
them - they're stuck in the LM-Hash compatibility world and can't handle
anything longer than 14 characters. So it's something that you need to test
before you mandate it across the board.

-- 
******************************
Laura E. Hunter - MCSE, MCT, MVP
Replies to newsgroup only
"Susan" <anonymous@discussions.microsoft.com> wrote in message 
news:287be01c464f8$cc3021f0$a601280a@phx.gbl...
> Option 1: passphrase -> 15 or more character phrase
> Option 2: password -> 12 to 14 characters (upper & lower
> case, numbers and symbols)
>
> Which is more secure? Which is hard to hack? 
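A worked cost model for the two options in the thread, added here as an example and not part of the original post or of Minasi's slides. It treats the passphrase and the password as uniformly random strings over an assumed character set (26 lower-case letters for Option 1, 95 printable ASCII characters for Option 2), so it measures the exhaustive search an attacker faces, not the much smaller effort a dictionary or phrase attack needs against an English sentence. The two attacker speeds are assumptions: the "thousands every minute" figure from the post and a faster offline rate. The LM-hash branch models the behaviour the post alludes to with "can't handle anything longer than 14 characters": Windows stores no LM hash for passwords longer than 14 characters, and when an LM hash is stored the password is upper-cased and split into two 7-character halves that can be attacked independently.

```python
"""Brute-force cost model for "15+ lower-case passphrase" versus "14-char complex password".

Added example for the thread above; charset sizes and attacker rates are assumptions.
"""
import math

# Character-set sizes (assumed models, not figures from the post)
LOWER = 26          # a-z only, like the pancake passphrase
PRINTABLE = 95      # printable ASCII, what a "complex" password draws from
LM_CHARSET = 69     # what survives LM's upper-casing: 95 minus the 26 lower-case letters
LM_HALF = 7         # LM hashes the padded 14-char password as two independent 7-char halves
LM_MAX = 14         # Windows stores no LM hash for passwords longer than this

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Candidates an exhaustive search must cover for one hash of the whole password."""
    return charset_size ** length


def entropy_bits(space: int) -> float:
    """Size of a search space expressed in bits."""
    return math.log2(space)


def lm_work(charset_size: int, length: int):
    """Candidates to search when the LM hash of the password is available.

    Each 7-character half is cracked on its own, so the cost is the SUM of the two
    halves rather than their product, and case folding shrinks the charset.
    Returns None when no LM hash exists (password longer than 14 characters).
    """
    if length > LM_MAX:
        return None
    charset = min(charset_size, LM_CHARSET)
    first = charset ** min(length, LM_HALF)
    rest = length - LM_HALF
    second = charset ** rest if rest > 0 else 0   # an empty half hashes to a known constant: free
    return first + second


def years_to_exhaust(work: int, guesses_per_second: float) -> float:
    """Years needed to try every candidate at the given guess rate."""
    return work / guesses_per_second / SECONDS_PER_YEAR


# Assumed attacker speeds: the post's "thousands every minute" and a faster offline rate
RATES = {
    "5,000/min (post)": 5_000 / 60,
    "1e9/s offline (assumed)": 1e9,
}

# (label, charset size, length, LM hash stored?) -- the two options from the thread
POLICIES = [
    ("Option 1: 15 lower-case passphrase", LOWER, 15, False),   # >14 chars, so no LM hash
    ("Option 2: 14 complex, NT hash only", PRINTABLE, 14, False),
    ("Option 2: 14 complex, LM hash kept", PRINTABLE, 14, True),
]


def compare(policies=POLICIES, rates=RATES):
    """One dict per policy: attacker's work, its size in bits, and years to exhaust per rate."""
    rows = []
    for label, charset, length, lm_stored in policies:
        work = lm_work(charset, length) if lm_stored else keyspace(charset, length)
        rows.append({
            "policy": label,
            "work": work,
            "bits": entropy_bits(work),
            "years": {name: years_to_exhaust(work, rate) for name, rate in rates.items()},
        })
    return rows


if __name__ == "__main__":
    for row in compare():
        print(f"{row['policy']}: {row['bits']:.1f} bits of search")
        for rate, years in row["years"].items():
            print(f"    {rate:>24}: {years:.3g} years")
```

Under this model the 14-character complex password has the larger search space as long as only its NT hash exists (about 92 bits versus roughly 70 for 15 lower-case letters), but if the LM hash is also stored it collapses to two independent 7-character halves, about 44 bits in total, which an offline attacker exhausts in hours. The 15-character passphrase sidesteps that because no LM hash is stored for it at all, which is the flip side of the down-level compatibility problem the post mentions. Since the model assumes random characters, it says nothing about how fast a phrase made of common English words falls to a dictionary attack.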

