Entropy of Pass-phrase vs pass-word?

[0xBEEF1337]

Delete.

[Pythous]

I think that passphrases are very useful in creating strong passwords. However, a person would have to do a couple of things to get them to the level of a strong, 20+ character password, using punctuation, capitals, numbers, and whatnot.

The main thing is that they would have to make sure that it would be easy for them to remember, but not something that people would be able to guess. If your passphrase is your favorite quote, and you also put your favorite quote on the front of your Myspace page, it reduces it's security greatly.

The other thing that you would need to do would be to make it so that brute-force, dictionary, and other attacks won't work. If you use a long enough passphrase, with enough special characters, then your password is essentially safe from brute-force and dictionary.
A good way to do this would be to leet-speakify the passphrase, but with some other random characters that aren't necessarily leet-speak- just to be on the safe side .

[tgoe]

I think passphrases are a good idea. Requiring a passphrase forces people that
tend to choose weaker passwords to choose better passwords without really
thinking about it. I'd say most passwords are upper/lower letters and numbers 6
to 10 chars long.

Code: Select all

>>> (26*2+10)**6
56800235584
>>> (26*2+10)**10
839299365868340224


Not great in theory and even worse in practice. These average passwords are
probably also really weak passphrases.

Consider this advice associated with a password creation field: "Your password
should be at least 8 characters long, contain upper and lower case letters and
some numbers. Memorize it."

A user is probably more likely to come up with something like "M0onUn1t"
instead of "8KdyP5t0lQgg". From a purely brute force perspective "M0onUn1t" may
seem reasonable at over 218 trillion combinations before you're guaranteed to
crack it.

Code: Select all

>>> (26*2+10)**8
218340105584896


...but "M0onUn1t" is equal to the two word passphrase "moon unit" with the
right dictionary. Let's take that dictionary of 40000 common words and include
l33t-sp34k variations. Say this dictionary is now maybe 65000 entries or even
80000.

Code: Select all

>>> 65000 ** 2
4225000000
>>> 80000 ** 2
6400000000


You could probably bang that out within the day on an old computer.


That same user could be asked to create a passphrase with this advice instead:
"Create a passphrase at least 8 words long. Memorize it." The user might come
up with something like "lol frank zappa named a kid moon unit"... the bare
minimum. Brute forcing a string that long would be tough:

Code: Select all

>>> 27**37 # even if you know it's just lower letters and spaces
91297581665113611259115979754590511595360241199911147L


A dictionary approach isn't much better even if you know the passphrase is
minimum length and just common words:

Code: Select all

>>> 40000 ** 8
6553600000000000000000000000000000000L


I made a lot of assumptions here but I think even small passphrases are better
than trying to enforce strong passwords.

[mRmasteRful]

Yeah that last post just alerted me of how weak my passwords may be. I remember the days when my password used to be just six numbers. Pass-phrases sound like a good idea but only if the user doesnt get into the habit of letting the computer remember the passwords for them because then they wouldnt remember what they are.

[tremor77]

part of the onus should be on the logon developer.. failed attempt blocks, captchas, password strength meters and rules) should all be standard. And let's be brutally honest about brute force and password cracking.. i think that accounts for a small fraction of the password theft... where Phishing & Loggers and other methods seem to be the primary modus operandi to get someones account, after that.. subverting the logon process altogether... cracking and brute force are... to me atleast.. a last resort option. That being said.. from the standpoint of a new user.. I think passwords are better... they can use a more complex set of characters up to 14 characters in length (refer to research as to how human brains store bits of information and why telephone numbers are 7/10 digits, bank accounts are 10 digits and so on) and muscle memory from the repetition of typing it.... I think allows people to set something like IAm2S3xy4U! and be able to memorize it.. type it quickly and efficiently..

I don't think I really had a point to this reply... I'm just typing now... hrmm..

[Draymire]

Somewhat related GPU's crack hashes

I agree that brute force/cracking passwords is not as common as a phishing site or as effective. 1 site can get several usernames and passwords, cracking gets one password per attempt.

[0xBEEF1337]

Delete.

[sanddbox]

That brings up the point of key-loggers, where it's harder to pick out a random statement than it is a cryptic looking mash of special characters.

What other vectors aren't we thinking about here? I'd like to compile the points together and evaluate them...

People would...probably...be more likely write down a passphrase (assuming it wasn't a quote or "1 2 3 4").

[tremor77]

People would...probably...be more likely write down a passphrase (assuming it wasn't a quote or "1 2 3 4").

At the very least the passphrase might be something visible from the users position. Assuming I had to make a passphrase right now I'd look around my office... where I have a tendency to save the cool fortune cookie fortunes I get when I order Chinese.. I have several taped to my monitor.. like "It is better to be happy than wise", "A day is a span of time no one is wealthy enough to waste", and "You will soon have the opportunity to improve your finances." The 3rd has not yet happened.

I do find in my workplace, as we strictly enforce a secure password policy.. 9/10 users have their password written down, many in plain site.. because.. the average user is blatantly lazy. Yellow sticky note on the monitor. My boss.. feels he is clever, his is under the keyboard.

But the written down password or passphrase only assists in on location theft. Unless you are Lord Nikon.

[0xBEEF1337]

Delete.