www.nico.schottelius.org/blog/use-smart-passphrases-stop-enforcing-weak-and-complicated-passwords.mdwn
Nico Schottelius 21e8f258b7 +xkcd
Signed-off-by: Nico Schottelius <nico@bento.schottelius.org>
2013-08-15 17:36:37 +02:00

109 lines
4.3 KiB
Markdown

[[!meta title="Use smart passphrases - stop enforcing weak and complicated passwords"]]
## Introduction
As a [netizen](http://en.wikipedia.org/wiki/Netizen)
you may have defined one or more passwords for several situations.
As a sysadmin you may have to setup password policies for your infrastructure.
Sometimes you will encounter the requirement to use
lower case characteres, capitalisation, numbers and special characters
or various combinations of the previous.
I urge you both to drop this behaviour **now**. This article explains
why it is more sensible to use passphrases instead of complicated
passwords.
## Passphrase vs. Passwords
A [passphrase](http://en.wikipedia.org/wiki/Passphrase) is a combination
of **words** that is used to secure access:
iamathepassphrasedefinedbydaniel
A [password](http://en.wikipedia.org/wiki/Password) on the other hand
is usually a combination of **characters**:
7z/+tt38
There are at least 4 very simple reasons to prefer passhprases over passwords:
* passphrases are easier to remember (try yourself with the previous examples)
* passphrases are more secure
* passphrases can be typed faster than passwords (and thus enhance security even more)
* passphrases are easier to type on foreign keyboards
## How secure are passphrases really?
Let's take the common constraints of passwords:
* Upper and lower case (26+26 characters)
* Number (10 characters)
* Special characters (some - depends on how you count)
* Length about 8-10 characters
Let us assume we have 128 possibilities for each character.
With 10 characters this would result in 128^10 possible passwords:
1180591620717411303424 (1.18059e+21)
Let us take a look at the possible combination of passphrases.
Passphrases are a bit more difficult to define, as it is
[not strictly defined how many words the English language knows about](http://en.wikipedia.org/wiki/English_language#Number_of_words_in_English). I will use 600000 as one of the lower numbers given in the linked article,
which gives us the following number of possibilities:
1 word = 600000
2 words = 360000000000 (3.6e+11)
3 words = 216000000000000000 (2.16e+17)
4 words = 129600000000000000000000 (1.296e+23)
5 words = 77760000000000000000000000000 (7.776e+28)
6 words = 46656000000000000000000000000000000 (4.6656e+34)
7 words = 27993600000000000000000000000000000000000 (2.79936e+40)
As you can easily see, *when you use only 4 words, your passphrase is
more secure than most passwords*. The passphrase example above counted
7 words and is still easy to remember.
## What now
Let us make the world easier.
If you are user and you have to create weak and complicated passwords
due to some policy, give the provider a link to this article so she
can understand why changing their policy is sensible.
If you are a sysadmin or provider you can change your password policy
to require 15 ore more characters, which would result in
931322574615478515625 or 1.67726e+21 possibilities - even more
than in your previous policy.
## For the geeks
I am aware of [Unicode](http://en.wikipedia.org/wiki/Unicode),
but most characters are not found on common keyboards - at least
the ones I use do not exceed 200 keys. Even if you could
enter all Unicode characters
(for instance using [ISO 14755](http://en.wikipedia.org/wiki/Unicode_input)),
it still remains questionable
[whether the application accepts all unicode characters](http://www.fileformat.info/info/unicode/char/1f3e9/index.htm).
If that wasn't enough: You can also use other languages to write
your passphrase. Learned a sentence on your last holidays?
Use it (as a base) for your passphrase.
Yes, there are some words that are more common in languages. On the
other hand, if fantasy words that only you know about are included,
the attacker is required to guess the full string, which is quite
a lot of guesses, even if she assumes all characters are lower case..
...by the way, if you consider
the example passphrase from above as a string of 32 lower case
characters,
it would give you 1901722457268488241418827816020396748021170176
or 1.90172e+45 possible passwords.
[XKCD](http://xkcd.com/936/) also has a nice cartoon describing
this solution.
[[!tag net security]]