Larry Osterman's WebLog

Confessions of an Old Fogey

Fascinating article on Passphrases just posted


I just ran across a totally fascinating article by Jesper Johansson about the use of passphrases instead of passwords. I switched to using passphrases after reading Robert Hensing’s blog post from July, and I’ve not gone back. Robert’s post recently showed up rather prominently on FullDisclosure, so Jesper’s article is rather timely (btw, Jesper’s article is the second of three; the first can be found here).

Jesper takes a far more formal look at the concept of using a passphrase instead of a password, and comes to the somewhat surprising conclusion that a passphrase isn’t necessarily more secure than a password.  They can be more secure, but according to Jesper, a 5-6 word passphrase is just about as strong as a 9 character password.

Either way, it’s a fascinating article.
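To make the "5-6 words vs. 9 characters" comparison concrete, here is a small worked calculation I am adding to this post (it is my own illustration, not code or figures from Jesper's article). It treats the attacker's vocabulary size as the unknown and asks how large it has to be before a 5- or 6-word phrase matches a random 9-character password; the 95-character alphabet, the 2000-word attacker dictionary and the sample phrase are assumptions. It also counts candidates for a word-as-unit cracker versus a symbol-as-unit brute force, the point raised in the comments below.

```python
"""Passphrase vs. password strength, as entropy in bits.

Added worked example; not from Jesper Johansson's article or this blog.
Vocabulary sizes and the sample phrase below are assumptions.
"""
import math

PRINTABLE_ASCII = 95  # symbols a random password can draw from (assumption)


def character_bits(length, alphabet=PRINTABLE_ASCII):
    """Entropy of a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet)


def word_bits(n_words, vocabulary):
    """Entropy when the attacker guesses word by word from `vocabulary`."""
    return n_words * math.log2(vocabulary)


def breakeven_vocabulary(target_bits, n_words):
    """Vocabulary size at which `n_words` uniform words reach `target_bits`."""
    return 2 ** (target_bits / n_words)


def word_unit_candidates(passphrase, vocabulary):
    """Candidates a word-as-unit cracker must try for `passphrase`."""
    return vocabulary ** len(passphrase.split())


def symbol_unit_candidates(passphrase, alphabet=PRINTABLE_ASCII):
    """Candidates a symbol-as-unit brute force must try for the same phrase."""
    return alphabet ** len(passphrase)


if __name__ == "__main__":
    nine = character_bits(9)
    print(f"9-char random password: {nine:.1f} bits")
    for words in (5, 6):
        need = breakeven_vocabulary(nine, words)
        print(f"{words} words match it only if the vocabulary is >= {need:.0f}")
    # Constructed sample phrase; 2000-word attacker dictionary is an assumption.
    phrase = "my dog chases the blue ball"
    print(f"word-unit search:   2^{math.log2(word_unit_candidates(phrase, 2000)):.1f}")
    print(f"symbol-unit search: 2^{math.log2(symbol_unit_candidates(phrase)):.1f}")
```

With a 2000-word attacker dictionary, five words come in below the 9-character password, which is the sense in which the passphrase is "not necessarily more secure".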


  • "We can presume that if pass phrases become commonplace, attackers will start using “pass phrase crackers” that employ the word, instead of the symbol, as the unit."

    One could get around this by using "l33t sp34k" or by inserting random characters into their passwords. If it's allowed by the OS, you could even include Alt+xxx characters, I doubt cracking programs account for someone's password including ¼¤«²®. ;)
  • RE: Nick Lewis Post

    "I doubt cracking programs account for someone's password including ¼¤«²®"

    Actually I would hope cracking programs account for that. After trying lexical items and al-num permutations you'd have to start trying the rest of the character set...
  • LOL
    I use passwords from random number generator with 10 characters.
    But for my PGP keys I use passphrase (7 words with some punctuation).

    Something that I must note: I forget my random passwords, even if I use them regularly. As a result I have to change them and forget them again.

    The only problem with a passphrase is that I sometimes forget where the punctuation must be placed. But this is much easier to guess based on common sense.

    So I agree with Robert Hensing - passphrases are better. But again - they need to be used carefully. Just like "admin", "password" or " " passwords ;-)

    P.S. To date nothing has been invented that is better than physical data security. Print all your data and store it in a bank ;-)
  • "Actually I would hope cracking programs account for that. After trying lexical items and al-num permutations you'd have to start trying the rest of the character set..."

    Mmm, yes, but by then you've changed your password again (assuming you change it every 7 days or whatever). As they say, a password only needs to be secure enough to withstand attack for the period that it's active. This is why it's so important to force users to change their password every 7 days or 2 weeks, no matter how much they complain about it. :p
  • Yes, so they forget what the password of the week is and start writing it on stickynotes.
  • Sticky notes are bad when you can't be sure of physical security. There might be times when it isn't so bad.

    In a corporate environment, physical security doesn't seem to be quite up to the task of securing access to each and every desktop computer, especially when some of your bad guys are in effect infiltrators, coworkers who seek to defraud the company using your privileges. At home, what is the risk?

    If your sticky note goes missing, change the password and do a virus scan.

  • Larry, I don't mean to waste your time as I am not an MSDN subscriber nor an IT guru like yourself (and others on this site).
    However I did want to ask you whether you had heard of the Imation Disc Stakka device in the US and if you had an opinion on its usefulness. It is a storage device for up to 100 CDs/DVDs that can be catalogued into your PC for easy storage and immediate ejection using the Stakka software on a Windows OS.
    The reason for my enquiry is that they have recently become available in Australia and I believe are soon to be released in the US. I wanted to know firstly if this is a unique product and secondly if you think it's any good. They retail for about $100. Any thoughts greatly appreciated before I spend my hard-earned on one.

    Thank you for your time.
    Joel

    jbeebe2003@yahoo.com.au
    (If you wouldn't mind replying via email, as I don't usually hang out in MSDN world! :)
  • I've heard Jesper talk about this many times and have used passphrases for a long time myself. The term...