Passphrases versus Passwords & Why the Dilemma
Passwords are under increasing attack by online guessing software. We can counter this to an extent with random-generated ones. As these are hardly memorable, we resort to writing them down or keeping them on the cloud with KeePass, LastPass, etc. Passphrases may be more memorable, but there are risks attached to them too.
Passphrase Security – There Are No Shortcuts
A passphrase is a series of words cobbled together. Hence we would type “sweet molly malone” as sweetmollymalone. But there is a catch to this. The original is a published phrase. And hence in the database of cracking sites such as crackstation.net. ‘sweetmollymalone” would fall victim to an aggressive attack in a matter of seconds.
We are not linguists. The entropy of written English is outside the scope of this post. Passphrases that are less than 50 characters long are generally weak per this Wikipedia article. We can strengthen them further by using a combination of uppercase and numeric.
The passphrase we use, and its components should ideally not appear in any language database, because this makes it vulnerable to a dictionary attack. Since this is impractical, the workaround is making up our own phrase using uncommon words, and definitely not common joiner words like because, but, and, if, the, and so on.
Using acronyms can help us remember, as they may have when we crammed for exams. For example, “corker” could help us remember:
But we would still have the problem of typing this correctly, including on a smartphone on a commuter train or a bus.
Comparing Our Passphrase Dilemma with Password Options
Brute force password hacking makes them increasingly unsafe on standalone devices like mobiles and desktops. It helps a little if we copy and paste them because we do not leave a shadow of keystrokes. Of course, we should always use a protected browser before we go near banking / financial sites.
A strong password should be at least twenty, and ideally thirty characters or more. It should not cobble together dictionary words, famous names, and famous places. There should be a mix of upper, and lower cases, and characters. Like the ones we download from password-generator sites, this makes them nigh impossible to remember, and that is the rub. We have gone around in a circle and returned to copying and pasting from a secured environment.
Did a Password Management Service Just Ping?
It definitely did, although that is not necessarily a warranty, a password service is utterly reliable. Sites like KeePass and LastPass can afford a higher degree of encryption than we will ever dream of on our own devices. But, as we have mentioned so many times before on other posts, they are only as good as the people that program and support them.
- Lastpass keeps encrypted user names and passwords in client accounts. It has various levels of permissions. At the lowest, it automatically inserts these on log-in pages associated with them. There have been a number of security lapses.
- KeePass stores user names, passwords, and other data in encrypted files. It types the information into dialogues, web forms etc. when the user presses a hot key. By its own admission, Keepass is open to attacks too.
Neither of the sites we chose for illustration is totally bulletproof. The risk from hacking is higher if we use the same passphrases (or passwords) for multiple pages. They are, however, arguably more secure than standalone operating systems. We close with a reminder of the criteria for stronger passphrases.
- Not a famous quotation from scripture, famous literature etc
- Easy enough to remember and type in character-perfectly
- Sufficiently long to be hard to guess, even randomly
- Nothing even a close friend might be able to intuitively guess
- Not famous movie names, sports teams and cultural references
We very much doubt that is the last word on passwords and passphrases. We will post advisories here if there are sudden changes.