+passwords
Signed-off-by: Nico Schottelius <nico@bento.schottelius.org>
This commit is contained in:
Nico Schottelius
parent
217492fc85
commit
596dc20192
1 changed files with 106 additions and 0 deletions
|
|
@ -0,0 +1,106 @@
|
|||
[[!meta title="Use smart passphrases - stop enforcing weak and complicated passwords"]]
|
||||
|
||||
## Introduction
|
||||
|
||||
As a [netizen](http://en.wikipedia.org/wiki/Netizen)
|
||||
you may have defined one or more passwords for several situations.
|
||||
As a sysadmin you may have to setup password policies for your infrastructure.
|
||||
Sometimes you will encounter the requirement to use
|
||||
lower case characteres, capitalisation, numbers and special characters
|
||||
or various combinations of the previous.
|
||||
|
||||
I urge you both to drop this behaviour **now**. This article explains
|
||||
why it is more sensible to use passphrases instead of complicated
|
||||
passwords.
|
||||
|
||||
## Passphrase vs. Passwords
|
||||
|
||||
A [passphrase](http://en.wikipedia.org/wiki/Passphrase) is a combination
|
||||
of **words** that is used to secure access:
|
||||
|
||||
iamathepassphrasedefinedbydaniel
|
||||
|
||||
A [password](http://en.wikipedia.org/wiki/Password) on the other hand
|
||||
is usually a combination of **characters**:
|
||||
|
||||
7z/+tt38
|
||||
|
||||
There are X very simple reasons to prefer passhprases over passwords:
|
||||
|
||||
* passphrases are easier to remember (try yourself with the previous examples)
|
||||
* passphrases are more secure
|
||||
* passphrases can be typed faster than passwords and thus enhance security even more
|
||||
* passphrases are easier to type on foreign keyboards
|
||||
|
||||
## How secure are passphrases really?
|
||||
|
||||
Let's take the common constraints of passwords:
|
||||
|
||||
* Upper and lower case (26+26 characters)
|
||||
* Number (10 characters)
|
||||
* Special characters (some - depends on how you count)
|
||||
* Length about 8-10 characters
|
||||
|
||||
Let us assume we have 128 possibilities for each character.
|
||||
With 10 characters this would result in 128^10 possible passwords:
|
||||
|
||||
1180591620717411303424 (1.18059e+21)
|
||||
|
||||
|
||||
Let us take a look at the possible combination of passphrases.
|
||||
Passphrases are a bit more difficult to define, as it is
|
||||
[not strictly defined how many words the English language knows about](http://en.wikipedia.org/wiki/English_language#Number_of_words_in_English). I will use 600000 as one of the lower numbers given in the linked article,
|
||||
which gives us the following number of possibilities:
|
||||
|
||||
|
||||
1 word = 600000
|
||||
2 words = 360000000000 (3.6e+11)
|
||||
3 words = 216000000000000000 (2.16e+17)
|
||||
4 words = 129600000000000000000000 (1.296e+23)
|
||||
5 words = 77760000000000000000000000000 (7.776e+28)
|
||||
6 words = 46656000000000000000000000000000000 (4.6656e+34)
|
||||
7 words = 27993600000000000000000000000000000000000 (2.79936e+40)
|
||||
|
||||
As you can easily see, *when you use only 4 words, your passphrase is
|
||||
more secure than most passwords*. The passphrase example above counted
|
||||
7 words and is still easy to remember.
|
||||
|
||||
## What now
|
||||
|
||||
Let us make the world easier.
|
||||
|
||||
If you are user and you have to create weak and complicated passwords
|
||||
due to some policy, give the provider a link to this article so she
|
||||
can understand why changing their policy is sensible.
|
||||
|
||||
If you are a sysadmin or provider you can change your password policy
|
||||
to require 15 ore more characters, which would result in
|
||||
931322574615478515625 or 1.67726e+21 possibilities - even more
|
||||
than in your previous policy.
|
||||
|
||||
## For the geeks
|
||||
|
||||
I am aware of [Unicode](http://en.wikipedia.org/wiki/Unicode),
|
||||
but most characters are not found on common keyboards - at least
|
||||
the ones I use do not exceed 200 keys. Even if you could
|
||||
enter all Unicode characters
|
||||
(for instance using [ISO 14755](http://en.wikipedia.org/wiki/Unicode_input)),
|
||||
it still remains questionable
|
||||
[whether the application accepts all unicode characters](http://www.fileformat.info/info/unicode/char/1f3e9/index.htm).
|
||||
|
||||
If that wasn't enough: You can also use other languages to write
|
||||
your passphrase. Learned a sentence on your last holidays?
|
||||
Use it (as a base) for your passphrase.
|
||||
|
||||
Yes, there are some words that are more common in languages. On the
|
||||
other hand, if fantasy words that only you know about are included,
|
||||
the attacker is required to guess the full string, which is quite
|
||||
a lot of guesses, even if she assumes all characters are lower case..
|
||||
|
||||
...by the way, if you consider
|
||||
the example passphrase from above as a string of 32 lower case
|
||||
characters,
|
||||
it would give you 1901722457268488241418827816020396748021170176
|
||||
or 1.90172e+45 possible passwords.
|
||||
|
||||
[[!tag net security]]
|
||||
Loading…
Reference in a new issue