110 lines
4.3 KiB
Markdown
110 lines
4.3 KiB
Markdown
[[!meta title="Use smart passphrases - stop enforcing weak and complicated passwords"]]
|
|
|
|
## Introduction
|
|
|
|
As a [netizen](http://en.wikipedia.org/wiki/Netizen)
|
|
you may have defined one or more passwords for several situations.
|
|
As a sysadmin you may have to setup password policies for your infrastructure.
|
|
Sometimes you will encounter the requirement to use
|
|
lower case characteres, capitalisation, numbers and special characters
|
|
or various combinations of the previous.
|
|
|
|
I urge you both to drop this behaviour **now**. This article explains
|
|
why it is more sensible to use passphrases instead of complicated
|
|
passwords.
|
|
|
|
## Passphrase vs. Passwords
|
|
|
|
A [passphrase](http://en.wikipedia.org/wiki/Passphrase) is a combination
|
|
of **words** that is used to secure access:
|
|
|
|
iamathepassphrasedefinedbydaniel
|
|
|
|
A [password](http://en.wikipedia.org/wiki/Password) on the other hand
|
|
is usually a combination of **characters**:
|
|
|
|
7z/+tt38
|
|
|
|
There are at least 4 very simple reasons to prefer passhprases over passwords:
|
|
|
|
* passphrases are easier to remember (try yourself with the previous examples)
|
|
* passphrases are more secure
|
|
* passphrases can be typed faster than passwords (and thus enhance security even more)
|
|
* passphrases are easier to type on foreign keyboards
|
|
|
|
## How secure are passphrases really?
|
|
|
|
Let's take the common constraints of passwords:
|
|
|
|
* Upper and lower case (26+26 characters)
|
|
* Number (10 characters)
|
|
* Special characters (some - depends on how you count)
|
|
* Length about 8-10 characters
|
|
|
|
Let us assume we have 128 possibilities for each character.
|
|
With 10 characters this would result in 128^10 possible passwords:
|
|
|
|
1180591620717411303424 (1.18059e+21)
|
|
|
|
|
|
Let us take a look at the possible combination of passphrases.
|
|
Passphrases are a bit more difficult to define, as it is
|
|
[not strictly defined how many words the English language knows about](http://en.wikipedia.org/wiki/English_language#Number_of_words_in_English). I will use 600000 as one of the lower numbers given in the linked article,
|
|
which gives us the following number of possibilities:
|
|
|
|
|
|
1 word = 600000
|
|
2 words = 360000000000 (3.6e+11)
|
|
3 words = 216000000000000000 (2.16e+17)
|
|
4 words = 129600000000000000000000 (1.296e+23)
|
|
5 words = 77760000000000000000000000000 (7.776e+28)
|
|
6 words = 46656000000000000000000000000000000 (4.6656e+34)
|
|
7 words = 27993600000000000000000000000000000000000 (2.79936e+40)
|
|
|
|
As you can easily see, *when you use only 4 words, your passphrase is
|
|
more secure than most passwords*. The passphrase example above counted
|
|
7 words and is still easy to remember.
|
|
|
|
## What now
|
|
|
|
Let us make the world easier.
|
|
|
|
If you are user and you have to create weak and complicated passwords
|
|
due to some policy, give the provider a link to this article so she
|
|
can understand why changing their policy is sensible.
|
|
|
|
If you are a sysadmin or provider you can change your password policy
|
|
to require 15 ore more characters, which would result in
|
|
931322574615478515625 or 1.67726e+21 possibilities - even more
|
|
than in your previous policy.
|
|
|
|
## For the geeks
|
|
|
|
I am aware of [Unicode](http://en.wikipedia.org/wiki/Unicode),
|
|
but most characters are not found on common keyboards - at least
|
|
the ones I use do not exceed 200 keys. Even if you could
|
|
enter all Unicode characters
|
|
(for instance using [ISO 14755](http://en.wikipedia.org/wiki/Unicode_input)),
|
|
it still remains questionable
|
|
[whether the application accepts all unicode characters](http://www.fileformat.info/info/unicode/char/1f3e9/index.htm).
|
|
|
|
If that wasn't enough: You can also use other languages to write
|
|
your passphrase. Learned a sentence on your last holidays?
|
|
Use it (as a base) for your passphrase.
|
|
|
|
Yes, there are some words that are more common in languages. On the
|
|
other hand, if fantasy words that only you know about are included,
|
|
the attacker is required to guess the full string, which is quite
|
|
a lot of guesses, even if she assumes all characters are lower case..
|
|
|
|
...by the way, if you consider
|
|
the example passphrase from above as a string of 32 lower case
|
|
characters,
|
|
it would give you 1901722457268488241418827816020396748021170176
|
|
or 1.90172e+45 possible passwords.
|
|
|
|
[XKCD](http://xkcd.com/936/) also has a nice cartoon describing
|
|
this solution.
|
|
|
|
[[!tag net security]]
|