Password or Passphrase? Which is the right choice?
A passphrase is a group of words used to grant access to an environment (be it a computer system, or a clubhouse) or to decipher some encoded data.
Passphrases are used extensively in cryptography. A slightly anarchistic, but nonetheless relevant, example of this is Pretty Good Privacy (PGP). With his middle finger pointed squarely at the government, Phil Zimmermann released PGP to the world, a data encryption/decryption system based on public key cryptography. Its core user-reliant component is the passphrase that protects your private key while it sits on your computer.
Sigmund N. Porter is regularly credited with the invention of the passphrase in 1982. However, depending on the context, you would be forgiven if you believed this honour should be given to Giovan Battista Bellaso, the creator of the Vigenère cipher in 1553.
Passphrases are better than passwords! So, now that we're starting from an unbiased position, let's examine the facts.
The two are indeed similar in their usage. However, it's the difference in their length and how they are created that sets them apart.
Passwords are generally short, eight characters give or take a few. Passphrases on the other hand are much longer, anywhere from 20 to over 100 characters. Straight away this rules out most brute-force attacks, unless you've got time to see the end of time (or at least human civilisation!).
The next difference is the ease of remembering. Unfortunately, most people believe that a strong password is one that is a random mish-mash of letters, numbers, and symbols. These can be near impossible to commit to memory, so the person writes the password on a note somewhere *facepalm*. Worse, many people think a secure password is a simple word followed by a number and a symbol. If they're really tricky it may be a password written in shudder.
Our ability to recall phrases however is an entirely different story. Without going into the psychology, I don't know about you but I'll forget "*K4j1s_8#M" long before I ever forget "Helpful Panda Cuddled The Monkey Scrotum For 1 Dollar!" (I'd probably type it faster too!).
Also, if passphrases are generated properly - say, by using our app ;) - then a dictionary attack becomes just as hopeless as a brute-force one.
So, it's time to ditch the outdated password and join the rest of us in the 21st century using the passphrase.
You were warned, this section contains some math ... but hey, it comes in handy when you're trying to prove a point.
Let's take a typical password with a length of eight characters. Assume we were good and selected from the entire alphabet, both lower case (26 choices) and upper case (26 choices), all the numbers (10 choices), and common symbols (34 choices). This gives us a total of 96 choices for each character in the password.
So, the total number of combinations that a brute force attack would have to check is 96^8. If we could check one billion combinations a second, which is not too difficult for an ordinary desktop computer, the time it would take to be broken is
96^8 / 1,000,000,000 / 3,600 / 24 = 83.5 days
This may sound like a long time, but we've been overly generous with the character space, stingy with the computer power, and very harsh on the choice of attack... Notice how work and school always force you to change your password every 90 days? ;)
Now, let's look at a simple passphrase of just 5 words. And let's pick our passphrase from a dictionary with a meagre size of 10,000 words. That means a dictionary attack would have to check 10,000^5 combinations. This gives us
10,000^5 / 1,000,000,000 / 3,600 / 24 / 365 = 3170 years
Considering this app has a dictionary of roughly 40,000 English words alone, and also mixes in upper case characters, spaces, numbers, and symbols, this result quickly becomes unmanageable to measure even in billions of years.
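The arithmetic above, as an added example that is not code from the original page or from the app it describes: the two calculations from the text, generalised so you can plug in any alphabet size, password length, dictionary size and guess rate, plus the entropy in bits that each search space represents (each extra bit doubles the attacker's work). The 80-bit target used in `words_needed` is an illustrative figure I chose, not one from the page.

```python
# Added example (not from the original page or the app it describes):
# attacker-cost arithmetic for passwords and passphrases.
import math

SECONDS_PER_DAY = 60 * 60 * 24
SECONDS_PER_YEAR = SECONDS_PER_DAY * 365


def search_space(choices: int, length: int) -> int:
    """Candidates an exhaustive attacker must try to be sure of success.

    `choices` is the number of symbols per position: 96 printable
    characters for a password, or the dictionary size for a passphrase
    where each "symbol" is a whole word.
    """
    if choices < 2 or length < 1:
        raise ValueError("need at least two choices and one position")
    return choices ** length


def entropy_bits(choices: int, length: int) -> float:
    """log2 of the search space; every extra bit doubles the attacker's work."""
    return length * math.log2(choices)


def seconds_to_exhaust(choices: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return search_space(choices, length) / guesses_per_second


def days_to_exhaust(choices: int, length: int, guesses_per_second: float) -> float:
    return seconds_to_exhaust(choices, length, guesses_per_second) / SECONDS_PER_DAY


def years_to_exhaust(choices: int, length: int, guesses_per_second: float) -> float:
    return seconds_to_exhaust(choices, length, guesses_per_second) / SECONDS_PER_YEAR


def words_needed(dictionary_size: int, target_bits: float) -> int:
    """Smallest word count whose search space reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(dictionary_size))


if __name__ == "__main__":
    rate = 1e9  # one billion guesses per second, as in the text
    print(f"8-char password over 96 symbols: {entropy_bits(96, 8):.1f} bits, "
          f"{days_to_exhaust(96, 8, rate):.1f} days at {rate:.0e}/s")
    print(f"5-word passphrase, 10,000-word dictionary: {entropy_bits(10_000, 5):.1f} bits, "
          f"{years_to_exhaust(10_000, 5, rate):,.0f} years at {rate:.0e}/s")
    # The same 5 words drawn from the 40,000-word list mentioned in the text:
    print(f"5-word passphrase, 40,000-word dictionary: {entropy_bits(40_000, 5):.1f} bits, "
          f"{years_to_exhaust(40_000, 5, rate):,.0f} years at {rate:.0e}/s")
    # Illustrative target: how many words from each list reach 80 bits?
    print(f"Words for 80 bits: {words_needed(10_000, 80)} from 10,000, "
          f"{words_needed(40_000, 80)} from 40,000")
```

Run it as a script and you get the 83.5 days and 3170-odd years from the text; bump `rate` to 1e12 to see what a GPU rig does to the password case while the passphrase case stays out of reach. The entropy figures are the useful comparison: about 53 bits for the eight-character password versus about 66 bits for five words from a 10,000-word list, and that is before the larger dictionary, capitals and symbols the app adds.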
Some general best practices to try and keep in mind for passphrase usage:
Don't write your passphrase in a book or on a scrap of paper somewhere.
If you still think you'll have trouble remembering, use a secure password store! Granted, you'll need to remember the master passphrase to get into it, but one is easier to remember than several!
Make sure you and you alone know your passphrase.
It should be long enough that it is hard to guess (by a computer and a human), but short enough that it is easy to remember.
Don't reuse passphrases! Just because yours is long and hard to guess doesn't mean computer programmers don't make mistakes. Your passphrase may be compromised by the service you're using it for. Best keep a separate passphrase for every service!
Stay away from common phrases and famous quotes.
What, you still want more?
Then you can't go past old faithful ...
http://en.wikipedia.org/wiki/Passphrase
But why should you believe us? Because Microsoft says so!
http://blogs.technet.com/b/robert_hensing/archive/2004/07/28/199610.aspx
For those of us who prefer the movie over the book (don't worry, it's more of a trailer at 3 mins):
https://www.youtube.com/watch?v=9ldmEbakPXk
And because there's humour in everything:
http://xkcd.com/936/
For the conspiracy theorists who don't trust technology (I don't know how you made it this far), grab some dice and visit
http://world.std.com/~reinhold/diceware.html
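What "generated properly" means in practice, for the app claim above and for the dice method linked here, as an added example that is neither the page's nor the app's code: words are drawn uniformly from a large list using the operating system's cryptographic random source (Python's `secrets` module), never `random`, whose output is predictable. The dice mapping follows the diceware convention of one word per five-dice roll; `SAMPLE_WORDLIST` is a constructed stand-in for a real 7776-entry list.

```python
# Added example (not the page's or the app's own code): a diceware-style
# passphrase generator built on the OS CSPRNG via the `secrets` module.
import secrets

# Constructed stand-in for a real diceware list. A real list has 6**5 = 7776
# entries, one per five-dice roll "11111".."66666"; this is only a sample.
SAMPLE_WORDLIST = [
    "panda", "monkey", "cuddle", "helpful", "dollar", "dice",
    "phrase", "cipher", "anchor", "basket", "candle", "dragon",
]

DICE_PER_WORD = 5
DICEWARE_LIST_SIZE = 6 ** DICE_PER_WORD  # 7776 words, ~12.9 bits each


def roll_dice(n_dice: int = DICE_PER_WORD) -> str:
    """Roll `n_dice` fair dice with the CSPRNG; returns e.g. '35216'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n_dice))


def dice_key_to_index(key: str) -> int:
    """Map a diceware key like '11111'..'66666' to a 0-based index 0..7775.

    Each die face is a base-6 digit (1 -> 0, ..., 6 -> 5), so the key is
    simply a five-digit base-6 number.
    """
    if len(key) != DICE_PER_WORD:
        raise ValueError(f"expected {DICE_PER_WORD} dice, got {len(key)}")
    index = 0
    for ch in key:
        if ch not in "123456":
            raise ValueError(f"invalid die face {ch!r}")
        index = index * 6 + (int(ch) - 1)
    return index


def generate_passphrase(wordlist, n_words: int = 6, separator: str = " ") -> str:
    """Pick `n_words` uniformly at random (with replacement) from `wordlist`.

    secrets.choice is uniform, so with a full 7776-word list this is the
    software equivalent of rolling five physical dice per word. Six words
    from such a list give about 77.5 bits of entropy.
    """
    if n_words < 1:
        raise ValueError("need at least one word")
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDLIST, n_words=6))
    roll = roll_dice()
    print(f"dice roll {roll} -> list index {dice_key_to_index(roll)}")
```

The strength of the result depends only on the list size and the word count, not on the words themselves, which is why a tiny list like the sample here would be useless in practice: twelve words give under 3.6 bits per word, so swap in a real 7776-entry list before using the generator for anything that matters.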
Want GnuPG (the GNU version of PGP)? https://www.gnupg.org; for the Windows version: http://www.gpg4win.org. As of writing this, PGP has been acquired by Symantec. They sell PGP desktop software now, but the protocol is the same one GnuPG implements.
Last but not least, a shameless plug for our app :D
http://www.zeityer.com/apps.html#passphrasegen