Wednesday, August 16, 2017

Will Passphrases Kill the Password Managers?


I won’t keep you hanging … much. The answer is no! If the answer was all you needed, then thank you for visiting my blog. If you would like to know why I say “no,” then keep reading.

Just in case you do not know what a passphrase is: it is a password made of words instead of gibberish. The words may or may not be separated by spaces. “thisisapassphrase” and “this is a passphrase” are both passphrases. Do not use those two examples for your own passphrases, though.

The argument for passphrases is that they are easy to remember, and if they are about 20 characters long or more, they can be far stronger than something like “^T28dy2a$o,v”. That is completely correct. I am a strong proponent of passphrases.
 
On the NPR show All Tech Considered, Paul Grassi, the Senior Standards and Technology Adviser at NIST, is quoted as saying the following concerning password managers:
 
“… these apps are useful because they completely randomize the password, but he says they aren't necessary to maintain security.”
 
The new NIST guidelines concerning passwords and passphrases (SP 800-63B, published in June 2017) are widely regarded as excellent by security experts. I wholeheartedly agree with all that Paul said, except for the part about password managers, and here are the reasons why.
 

1) Some sites are not going to allow long passwords or passphrases. If you are limited to 15 characters or fewer, complexity becomes far more important, and a password manager can generate that complexity for you. It also means you would otherwise have to remember the gibberish, which is the other thing a manager does for you.

2a) Depending upon how many sites you have passphrases for, many people are not going to be able to remember all of the phrases and which sites they correspond to. This leads to 2b (for the record, “2b or not 2b” is not a good passphrase).

2b) When people get to the point that they can’t remember all of the passphrases and the sites they go with, they are likely to take shortcuts that amount to the same thing as incrementing passwords or reusing one passphrase at multiple sites.

Cracking passwords is not as common as obtaining them from a data breach or a phishing attack. That is why password reuse is so dangerous: the attacker does not have to crack anything, just try the stolen credentials at other sites. It is also why incrementing makes a complex 16 character password weak: once one version leaks, the next one is a handful of guesses away. Easily recognized patterns, such as “Todayis01/10/17”, make the next password in the series extremely easy to guess.

If a person has 20 sites with a unique username and passphrase to remember for each site, I believe that they are likely to do something far more serious than incrementing. They may use a site identifier.

Write down 20 websites that you have to log into. Then, next to each one, write down your user name and a unique passphrase for it. Just to make my point, choose the first four words of a different sentence in this blog for each of the 20 websites’ passphrases. As soon as you are done, stop looking at them. Even if your username is the same for all of the sites, do you remember the passphrases and the sites they correspond to? Most people will not. You need a way to remember all of these. The trick that I envision some people using is site identifiers.

“Tractors swim in aquariums” is a great passphrase (at least it was before I published this blog).

Now to make it easy to remember which site I use each password for…

“Tractors swim in aquariums – Gmail”

Care to guess this user’s password for Facebook, LinkedIn, and the company they work for? Websites can prevent users from including the site’s name in a password, but users are clever that way: they’ll figure out something just as predictable. And if you write passphrases down, you are a bit worse off than you would be with random complex passwords, because gibberish is hard to remember and a passphrase is not. If I see your passphrase written on a piece of paper, a second or two is all I need to memorize it.
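Both of those shortcuts, incrementing a number and tagging the passphrase with the site name, turn one leaked password into a short list of guesses for every other account. The script below is an added example written for this post, not the author’s code: it takes a constructed “breach dump” (the passwords, site names and target sites are all made up) and produces the candidates an attacker would try first, bumping each run of digits and swapping the embedded site name for other sites.

```python
"""Candidate guesses an attacker would try after one of your passwords leaks.

Added example, not from the original post.  The leaked passwords, the site
names and the "breach dump" below are all constructed for the demonstration.
"""
import re

# Constructed sample: passwords a user lost in a (hypothetical) breach, keyed by
# the site they were stolen from.
LEAKED = {
    "Gmail": "Tractors swim in aquariums - Gmail",
    "shop": "Todayis01/10/17",
    "work": "Summer2017!",
}

# Other sites the same user is assumed to have accounts on.
TARGET_SITES = ["Facebook", "LinkedIn", "Acme"]


def increment_candidates(pw, steps=1):
    """Bump every run of digits in pw by 1..steps, keeping its width.

    "Summer2017!" -> ["Summer2018!", ...]; "Todayis01/10/17" yields the next
    day, month and year separately, which covers the dated-password pattern.
    """
    out = []
    for m in re.finditer(r"\d+", pw):
        start, end = m.span()
        for i in range(1, steps + 1):
            bumped = str(int(m.group()) + i).zfill(end - start)
            out.append(pw[:start] + bumped + pw[end:])
    return out


def site_swap_candidates(pw, leaked_from, target_sites):
    """If pw embeds the name of the site it leaked from, substitute other sites."""
    tag = re.compile(re.escape(leaked_from), re.IGNORECASE)
    if not tag.search(pw):
        return []
    out = []
    for site in target_sites:
        # Try the capitalisation as written, plus all-lower and all-upper.
        for variant in (site, site.lower(), site.upper()):
            out.append(tag.sub(variant, pw))
    return out


def guesses_for(pw, leaked_from, target_sites, steps=1):
    """All candidates for one leaked password, deduplicated, order preserved."""
    cands = increment_candidates(pw, steps) + site_swap_candidates(pw, leaked_from, target_sites)
    return list(dict.fromkeys(cands))


if __name__ == "__main__":
    for site, pw in LEAKED.items():
        print(f"leaked from {site}: {pw}")
        for guess in guesses_for(pw, site, TARGET_SITES, steps=2):
            print("   try:", guess)
```

This is a toy version of the rule-based “mangling” that cracking tools such as hashcat and John the Ripper apply to breach dumps, and of what credential-stuffing tools do with them; the point is that none of these guesses require brute force, only one leaked password and a few obvious rules.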

Passphrases and passwords share an identical problem. You can’t remember them all. Password managers address that problem. That is why password managers are as relevant in tomorrow’s world of ubiquitous passphrases as they are in today’s world of ubiquitous passwords.

Here is my recommendation. Use an excellent passphrase for your corporate login and remember it. Use an excellent passphrase for your personal computer login. Use an insanely good passphrase for your password manager. A sentence you make up yourself that is at least 35 characters long, such as “the purple cow danced on the cheese”, is insane enough. Make sure your passphrases are at least 20 characters long and are not common sentences, quotations or lyrics (those are already in cracking word lists), and you’ll be good to go for almost anywhere you currently use a password.
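The length rule above is a proxy for what actually matters: how many guesses an attacker needs. An attacker who knows you use a phrase does not brute-force it character by character; they guess it word by word from a vocabulary, so the number of words and how unusual they are is what counts, and the character count only helps because longer sentences tend to have more words. The estimator below is an added example, not the author’s tool: it scores the post’s own example strings under both attacker models and checks them against a constructed blocklist standing in for the breached and common-phrase lists that NIST SP 800-63B says passwords should be screened against. The character classes, the 20,000-word vocabulary and the blocklist are all assumptions made for the demonstration.

```python
"""Rough strength estimate for a passphrase versus a random string.

Added example, not part of the original post.  The character classes, the
vocabulary size and the blocklist below are assumptions made for the
demonstration; an attacker picks whichever model makes the search smallest,
so the minimum of the two models is the honest number.
"""
import math
import string

# Assumed character classes for the character-by-character model.  A password
# drawn from all five classes gives the attacker a 95-symbol alphabet.
CLASSES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    ({" "}, 1),
    (set(string.punctuation), 32),
]

# Assumption: vocabulary an attacker enumerates when guessing a phrase word by
# word.  Real lists are larger for rare words and much smaller for the words
# people actually pick, so treat the result as an order-of-magnitude figure.
VOCAB = 20_000

# Constructed stand-in for the breached-password and common-phrase lists that
# NIST SP 800-63B says new passwords should be checked against.
COMMON_PHRASES = {
    "correct horse battery staple",
    "to be or not to be",
    "the quick brown fox jumps over the lazy dog",
}


def alphabet_size(secret):
    """Size of the smallest union of character classes that covers secret."""
    chars = set(secret)
    return sum(n for cls, n in CLASSES if chars & cls) or 1


def estimate(secret, vocab=VOCAB):
    """Bits of guessing work under both attacker models, plus a blocklist check."""
    words = secret.split()
    char_model = len(secret) * math.log2(alphabet_size(secret))
    word_model = len(words) * math.log2(vocab) if len(words) > 1 else None
    common = " ".join(w.lower() for w in words) in COMMON_PHRASES
    effective = char_model if word_model is None else min(char_model, word_model)
    return {
        "chars": len(secret),
        "words": len(words),
        "char_model_bits": round(char_model, 1),
        "word_model_bits": None if word_model is None else round(word_model, 1),
        # A phrase on the blocklist is guessed in one try, whatever the math says.
        "effective_bits": 0.0 if common else round(effective, 1),
        "common_phrase": common,
    }


def meets_post_rule(secret, master=False):
    """The post's rule: 20+ characters (35+ for the manager's master passphrase)
    and not a common sentence."""
    needed = 35 if master else 20
    return len(secret) >= needed and not estimate(secret)["common_phrase"]


if __name__ == "__main__":
    for s in ("^T28dy2a$o,v", "Tractors swim in aquariums",
              "the purple cow danced on the cheese", "correct horse battery staple"):
        print(f"{s!r}: {estimate(s)}")
```

Under these assumptions the 12-character gibberish password is worth about 79 bits, the four-word “Tractors swim in aquariums” only about 57 bits against a word-by-word guesser despite its 26 characters, and the seven-word “the purple cow danced on the cheese” about 100 bits. That is the reason for the 35-character floor on the manager’s master passphrase: at that length a made-up sentence has enough words to beat a random 12-character password under either model, provided it is not already a sentence in someone’s word list.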

In future blogs I will give more detailed guidance on how to make killer passphrases.

In a different blog I will discuss the passphrase token attack and linguistic passphrase attacks. These attacks intrigue me, but I don’t think they are anything to worry about too much at this point.

Randy Abrams

Independent Security Analyst (is not my passphrase)
