I won’t keep you hanging… much. The answer is no! If the
answer was all you needed, then thank you for visiting my blog. If you would
like to know why I say “no,” then keep reading.
Just in case you do not know what a passphrase is, it is a
password made of words instead of gibberish. The words may or may not be
separated by spaces: “thisisapassphrase” and “this is a passphrase” are both
passphrases. Do not use either of those examples as your passphrase, though.
The argument for passphrases is that they are easy to
remember, and if they are about 20 characters long or more, they can be far
stronger than something like “^T28dy2a$o,v”. That is completely correct. I
am a strong proponent of passphrases.
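To put numbers on that claim, here is an added example (my own code, not from the original post) that estimates the work an attacker faces under two models: a brute-force attacker who tries every string over the character pool the password uses, and a word-list attacker who knows the secret is a handful of dictionary words. The word count and the dictionary size of 7776 (the Diceware list) are assumptions you pass in, not figures from the post. The numbers make the caveat behind “far stronger” visible: against the character-by-character attacker a 20-plus character phrase wins easily, but a four-word phrase of common words is only about 52 bits against an attacker who guesses words, so the cheaper of the two models is the one that counts.

```python
import math

# Character pools for the brute-force (try-every-string) attacker model. The pools a
# secret draws from decide how large a search space that attacker must assume.
LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
SYMBOLS = " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"   # printable ASCII punctuation plus space


def charset_size(secret: str) -> int:
    """Size of the union of standard pools needed to cover every character in `secret`."""
    size = 0
    for pool in (LOWER, UPPER, DIGITS, SYMBOLS):
        if any(c in pool for c in secret):
            size += len(pool)
    return size


def bruteforce_bits(secret: str) -> float:
    """Bits of work for an attacker who enumerates all strings of this length over this pool."""
    return len(secret) * math.log2(charset_size(secret))


def wordlist_bits(n_words: int, dictionary_size: int = 7776) -> float:
    """Bits of work for an attacker who knows the secret is `n_words` picked from a word list.

    7776 is the Diceware list size (an assumed default); pass a larger value for a
    bigger vocabulary.
    """
    return n_words * math.log2(dictionary_size)


def strength_report(secret: str, n_words: int = 0, dictionary_size: int = 7776) -> dict:
    """Report both attacker models; the effective strength is whichever is cheaper to attack.

    `n_words` is passed explicitly because segmenting an unspaced phrase such as
    "thisisapassphrase" into words is itself a guessing problem; 0 means "not a phrase",
    in which case only the brute-force model applies.
    """
    brute = bruteforce_bits(secret)
    words = wordlist_bits(n_words, dictionary_size) if n_words else brute
    return {
        "bruteforce_bits": round(brute, 1),
        "wordlist_bits": round(words, 1),
        "effective_bits": round(min(brute, words), 1),
    }


if __name__ == "__main__":
    # The post's own examples, with the word counts supplied by hand.
    for secret, n_words in (("^T28dy2a$o,v", 0),
                            ("Tractors swim in aquariums", 4),
                            ("the purple cow danced on the cheese", 7)):
        print(f"{secret!r}: {strength_report(secret, n_words)}")
```

The 12-character gibberish password comes out at about 79 bits under the only model that applies to it. The four-word phrase is about 167 bits against brute force but only about 52 bits against a word-list attacker, while the seven-word, 35-character sentence stays above 90 bits under both models, which is the practical reason for the longer floor the post recommends for the manager passphrase.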
On the NPR show All Tech Considered, Paul Grassi, the
Senior Standards and Technology Adviser at NIST,
is quoted as saying the following concerning password managers:
“… these apps are
useful because they completely randomize the password, but he says they aren't
necessary to maintain security.”
The new NIST guidelines concerning passwords and passphrases
are widely regarded as excellent by security experts. I wholeheartedly agree
with all that Paul said, except for the part about password managers, and here
are the reasons why.
1) Some
sites are not going to allow long passwords or passphrases. If you are limited to
15 characters or fewer, complexity becomes far more important, and password
managers help with that by generating and storing the gibberish for you. Without
one, you have to try to remember it.
2a) Depending upon how many sites you have passphrases for, many
people are not going to be able to remember all of the phrases and which sites
they correspond to. This leads to 2b (for the record, “2b or not 2b” is not a
good passphrase).
2b) When people get to the point that they can’t remember
all of the passphrases and their corresponding sites, they are likely to take
shortcuts that are essentially the same as incrementing passwords or reusing the
same passphrase at multiple sites.
Cracking passwords is not as common as obtaining passwords
from a data breach or a phishing attack. This is why password reuse is so
dangerous: a password stolen from one site is simply replayed at every other site
where the victim used it. This is also why incrementing passwords makes a complex
16-character password weak. Easily recognized patterns in passwords, such as
“Todayis01/10/17”, make the next password in the series extremely easy to guess.
If a person has 20 sites with a unique username and passphrase
to remember for each site, I believe that they are likely to do something far
more serious than incrementing. They may use a site identifier.
Write down 20 websites that you have to log into. Then,
next to each one, write your username and a unique passphrase. Just to make my
point, choose the first four words of a different sentence in this blog as the
passphrase for each of the 20 websites. As soon as you are done, stop looking at
them. Even if your username is the same for all of the sites, do you remember the
passphrases and their corresponding sites? Most people will not. You need a way
to remember all of these. The trick that I envision some people using is site
identifiers.
“Tractors swim in aquariums” is a great passphrase (at least
it was before I published this blog).
Now to make it easy to remember which site I use each
password for…
“Tractors swim in aquariums – Gmail”
Care to guess this user’s password for Facebook, LinkedIn, and
the company they work for? Websites can prevent users from including the name
of the site in a password, but users are clever that way. They’ll figure out
something just as predictable. Of course, if you write it down you are a bit worse
off than with a random complex password. The gibberish passwords are hard to
remember, but if I see your passphrase written on a piece of paper, a second
or two is all I need to read it and remember it.
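Here is an added example (my code, not from the original post) of how cheap those two shortcuts make an attacker’s guessing. One function takes a leaked password that carries a site identifier and swaps in other site names; the other steps the digit groups of an incremented or date-stamped password such as the “Todayis01/10/17” pattern discussed earlier. The leaked password, the list of other sites and the number of steps are constructed inputs, and the casing variants tried are my assumption about how a user would write the tag.

```python
import re
from typing import Dict, List, Optional


def find_site_token(password: str, site: str) -> Optional["re.Match"]:
    """Locate the site's name inside a password, ignoring case."""
    return re.search(re.escape(site), password, re.IGNORECASE)


def site_identifier_guesses(leaked_password: str, leaked_site: str,
                            other_sites: List[str]) -> Dict[str, List[str]]:
    """Passwords the leak implies at other sites if the user tagged each one with the site name.

    For every other site the token is swapped in as written, lower-case, UPPER-case and
    Capitalised, in that order, with duplicates removed. Returns {} when the leaked
    password carries no site identifier, because then the trick does not apply.
    """
    match = find_site_token(leaked_password, leaked_site)
    if match is None:
        return {}
    head, tail = leaked_password[:match.start()], leaked_password[match.end():]
    guesses: Dict[str, List[str]] = {}
    for site in other_sites:
        variants = [site, site.lower(), site.upper(), site.capitalize()]
        guesses[site] = list(dict.fromkeys(head + v + tail for v in variants))
    return guesses


def increment_guesses(password: str, steps: int = 3) -> List[str]:
    """Step each digit group forward `steps` times, keeping zero padding (01 -> 02, 03, 04).

    Covers "Password1" -> "Password2" as well as date-stamped passwords such as
    "Todayis01/10/17", where the next rotation usually bumps a single field.
    """
    guesses = []
    for match in re.finditer(r"\d+", password):
        width = len(match.group(0))
        for k in range(1, steps + 1):
            bumped = str(int(match.group(0)) + k).zfill(width)
            guesses.append(password[:match.start()] + bumped + password[match.end():])
    return guesses


if __name__ == "__main__":
    # Constructed sample: the post's example passphrase tagged with a site name.
    leaked = "Tractors swim in aquariums - Gmail"
    for site, candidates in site_identifier_guesses(leaked, "gmail", ["Facebook", "LinkedIn"]).items():
        print(site, candidates)
    print(increment_guesses("Todayis01/10/17"))
```

Three or four guesses per site, or nine for the dated password, is nothing for a credential-stuffing tool: the attacker never has to crack anything, which is the point of the breach-and-reuse argument above.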
Passphrases and passwords share an identical problem. You
can’t remember them all. Password managers address that problem. That is why password
managers are as relevant in tomorrow’s world of ubiquitous passphrases as they
are in today’s world of ubiquitous passwords.
Here is my recommendation. Use an excellent passphrase for
your corporate login and remember it. Use an excellent passphrase for your
personal computer login. Use an insanely good passphrase for your password
manager. A sentence you create that is at least 35 characters long, such as “the
purple cow danced on the cheese”, is insane enough. Make sure your passphrases
are at least 20 characters long and not common sentences, and you’ll be good to
go almost anywhere you currently use a password.
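As an added example (my code, not the author’s), here are those recommendations written as a checker: at least 20 characters, 35 for the password manager’s own passphrase, rejection of common or already published sentences, and rejection of a site name embedded in the phrase. The COMMON_SENTENCES set is a constructed stand-in for a real corpus of quotations, lyrics and pangrams; the post’s own example phrase is in it because publishing it burned it.

```python
import re
from typing import List, Optional

# Constructed stand-in for a real list of known sentences. A deployment would load a
# large corpus here; this set only exists so the example runs offline.
COMMON_SENTENCES = {
    "the quick brown fox jumps over the lazy dog",
    "to be or not to be that is the question",
    "this is a passphrase",
    "tractors swim in aquariums",
}


def normalize(phrase: str) -> str:
    """Lower-case and drop punctuation/spacing so 'This, is a passphrase!' still matches."""
    return " ".join(re.findall(r"[a-z0-9]+", phrase.lower()))


def is_common_sentence(phrase: str) -> bool:
    """True if the phrase is, contains, or is a fragment of a known sentence."""
    norm = normalize(phrase)
    if not norm:
        return False
    return any(known in norm or norm in known for known in COMMON_SENTENCES)


def check_passphrase(phrase: str, site: Optional[str] = None,
                     for_password_manager: bool = False) -> List[str]:
    """Return the rules the phrase breaks; an empty list means it passes.

    Rules follow the post: at least 20 characters (35 for the password manager's own
    passphrase), not a common sentence, and no site identifier embedded in it.
    """
    problems = []
    min_len = 35 if for_password_manager else 20
    if len(phrase) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if is_common_sentence(phrase):
        problems.append("common or previously published sentence")
    if site and re.search(re.escape(site), phrase, re.IGNORECASE):
        problems.append("contains the site name")
    return problems


if __name__ == "__main__":
    for phrase, site, manager in (("the purple cow danced on the cheese", None, True),
                                  ("2b or not 2b", None, False),
                                  ("Tractors swim in aquariums - Gmail", "gmail", False)):
        print(f"{phrase!r}: {check_passphrase(phrase, site, manager) or 'ok'}")
```

This is a floor, not a strength estimate: passing it means the phrase is long enough and not an obvious pick, and the length rule is deliberately a character count because that is the rule the post gives.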
In future blogs I will give more detailed guidance on how to
make killer passphrases.
In a different blog I will discuss the passphrase token
attack and linguistic passphrase attacks. These attacks intrigue me, but I don’t
think they are anything to worry about too much at this point.
Randy Abrams - https://www.linkedin.com/in/randy-abrams-ba24391/
Independent Security Analyst (is not my passphrase)