diff --git a/blog/use-smart-passphrases-stop-enforcing-weak-and-complicated-passwords.mdwn b/blog/use-smart-passphrases-stop-enforcing-weak-and-complicated-passwords.mdwn new file mode 100644 index 00000000..c956e21e --- /dev/null +++ b/blog/use-smart-passphrases-stop-enforcing-weak-and-complicated-passwords.mdwn @@ -0,0 +1,106 @@ +[[!meta title="Use smart passphrases - stop enforcing weak and complicated passwords"]] + +## Introduction + +As a [netizen](http://en.wikipedia.org/wiki/Netizen) +you may have defined one or more passwords for several situations. +As a sysadmin you may have to setup password policies for your infrastructure. +Sometimes you will encounter the requirement to use +lower case characteres, capitalisation, numbers and special characters +or various combinations of the previous. + +I urge you both to drop this behaviour **now**. This article explains +why it is more sensible to use passphrases instead of complicated +passwords. + +## Passphrase vs. Passwords + +A [passphrase](http://en.wikipedia.org/wiki/Passphrase) is a combination +of **words** that is used to secure access: + + iamathepassphrasedefinedbydaniel + +A [password](http://en.wikipedia.org/wiki/Password) on the other hand +is usually a combination of **characters**: + + 7z/+tt38 + +There are X very simple reasons to prefer passhprases over passwords: + + * passphrases are easier to remember (try yourself with the previous examples) + * passphrases are more secure + * passphrases can be typed faster than passwords and thus enhance security even more + * passphrases are easier to type on foreign keyboards + +## How secure are passphrases really? + +Let's take the common constraints of passwords: + + * Upper and lower case (26+26 characters) + * Number (10 characters) + * Special characters (some - depends on how you count) + * Length about 8-10 characters + +Let us assume we have 128 possibilities for each character. +With 10 characters this would result in 128^10 possible passwords: + + 1180591620717411303424 (1.18059e+21) + + +Let us take a look at the possible combination of passphrases. +Passphrases are a bit more difficult to define, as it is +[not strictly defined how many words the English language knows about](http://en.wikipedia.org/wiki/English_language#Number_of_words_in_English). I will use 600000 as one of the lower numbers given in the linked article, +which gives us the following number of possibilities: + + + 1 word = 600000 + 2 words = 360000000000 (3.6e+11) + 3 words = 216000000000000000 (2.16e+17) + 4 words = 129600000000000000000000 (1.296e+23) + 5 words = 77760000000000000000000000000 (7.776e+28) + 6 words = 46656000000000000000000000000000000 (4.6656e+34) + 7 words = 27993600000000000000000000000000000000000 (2.79936e+40) + +As you can easily see, *when you use only 4 words, your passphrase is +more secure than most passwords*. The passphrase example above counted +7 words and is still easy to remember. + +## What now + +Let us make the world easier. + +If you are user and you have to create weak and complicated passwords +due to some policy, give the provider a link to this article so she +can understand why changing their policy is sensible. + +If you are a sysadmin or provider you can change your password policy +to require 15 ore more characters, which would result in +931322574615478515625 or 1.67726e+21 possibilities - even more +than in your previous policy. + +## For the geeks + +I am aware of [Unicode](http://en.wikipedia.org/wiki/Unicode), +but most characters are not found on common keyboards - at least +the ones I use do not exceed 200 keys. Even if you could +enter all Unicode characters +(for instance using [ISO 14755](http://en.wikipedia.org/wiki/Unicode_input)), +it still remains questionable +[whether the application accepts all unicode characters](http://www.fileformat.info/info/unicode/char/1f3e9/index.htm). + +If that wasn't enough: You can also use other languages to write +your passphrase. Learned a sentence on your last holidays? +Use it (as a base) for your passphrase. + +Yes, there are some words that are more common in languages. On the +other hand, if fantasy words that only you know about are included, +the attacker is required to guess the full string, which is quite +a lot of guesses, even if she assumes all characters are lower case.. + +...by the way, if you consider +the example passphrase from above as a string of 32 lower case +characters, +it would give you 1901722457268488241418827816020396748021170176 +or 1.90172e+45 possible passwords. + +[[!tag net security]]