Bob Yexley turned me on to passphrases a few years ago when he linked to what became a seminal article on the topic by Robert Hensing. The argument is that passphrases — random words strung together to form a phrase, e.g., monkey stars hatchback questioning — are both more secure and easier to remember than what are traditionally considered strong passwords (e.g., m?6t2E#A9fkd). The main source of their strength is that they’re much longer than a password, which exponentially increases the number of possible permutations, and therefore exponentially increases the time/effort required to crack it. And because you’re dealing with regular words instead of a random mix of common and uncommon characters, they’re much easier to type and remember.
When I read that article it made complete sense, and for a long time I used passphrases extensively, but over the years I developed a few nagging doubts about them, and so I recently started doing some research and realized that it’s not quite as simple as I originally thought.
Problems with Passphrases
It’s not enough to just choose a phrase like this is fun, as one popular article suggests. Troy Hunt has written a post pointing out many of the inaccuracies and flawed assumptions that Baekdal’s article is based on:
“Mathematically, ‘this is fun’ is equivalent to ‘01234 56789’ in terms of randomness in an alphanumeric plus spaces password scheme.”
Jesper Johansson’s series of articles on pass phrases contains a calculation that shows you’d have to double the length of “this is fun” in order to achieve the same entropy as a truly random 9-character password.
“[Using] 1.3 as the entropy estimate computes to 29*1.3= 37.7, which is actually worse than the 9-character password. Based on that number, you would need a 6-word pass phrase to attain roughly the same entropy as a 9-character password.”
To really create a strong passphrase, you need to use enough of the following rules to achieve the desired level of entropy, which at current standards is a minimum of 72 bits. That’s assuming that everything in the phrase is truly random, though. In reality there are things that can lower the strength that the entropy calculators can’t or don’t take into effect, like if the phrase contains your partner’s name, or if it’s a common password. Some calculators will give “password” almost 30 bits, which is obviously not accurate. I’d say you want to get at least 100 bits.
- Choose at least 4 words.
- Don’t use any short words.
- Choose the words randomly and place them in a random order. (Don’t form a proper sentence).
- Don’t use song lyrics, quotes or anything else that’s been published.
- Use upper and lower case.
- Include numbers and symbols.
- Use spaces between some words, but not between others.
- Use character substitution (e.g., [email protected]).
- Intentionally misspell words.
You can use something like John Walker’s pass phrase generator to start with a random selection of words, and then apply the other rules until you have something that looks like sootTHORNS shirker2*5jealous. It may take a week or two of regular use to commit to memory, but it’s definitely doable.
You should never reuse a password, though, so memorizing 100 phases with high entropy would be almost as hard as memorizing traditional passwords. But that’s where password managers come in.
Password managers like 1Password and KeePass store all of your passwords in an encrypted database, and then let you retrieve them by using a single master password. This gives you the ability to have extremely strong passwords without having to memorize them. So now all you need to do is create 2 or 3 strong passphrases (e.g., sootTHORNS shirker2*5jealous) for things like your operating system account and the password manager’s master password, and then create obnoxiously complex passwords (e.g., [email protected]:QUf3;B/AMaL9m,fd23kSDFj) for everything else. You can then keep a note in your safe deposit box with the passphrases you have to remember in case you ever forget them.
The managers come with built-in generators to create strong passwords, and can also automatically fill out login forms on websites (either natively or with plugins). The database is much more secure than the kind used by web browsers and FTP clients (which are routinely cracked), and you can share it across multiple devices with the built-in tools or via a service like Dropbox.
The biggest criticism of password managers is that they create a single point of failure, which is true, but nothing is ever 100% secure. As long as you create a strong master password, the risk of the database being compromised is much lower than other attack vectors. The most common problem you’ll run into with creating truly strong passwords is that some websites won’t let you. A lot of websites, even some that store extremely sensitive information, actually put restrictions on how long a password can be, or what types of characters can be used. It’s absurdly idiotic, but the only thing you can do in that case is create the strongest possible password within their limitations — and then complain, of course ;).
Post-Script: Two-factor Authentication
As great as 100+ bit passwords and password-managers are, they’re still vulnerable to some attack vectors. Highly sensitive systems — like your credit union’s website, your PayPal account, or the SSH and CMS logins for your website — should require two-factor authentication. Two-factor authentication requires two different types of credential in order to be authenticated: your password (“something you know”) and a random, temporary token generated by a device in your physical possession (“something you have”, like a smartcard or RSA dongle).
This makes it much harder for attackers to gain direct access to your systems, because now they have to steal the card in addition to cracking your password, which is highly impractical for the vast majority of attacks. There are still ways for them to indirectly gain access, though.
Google Authenticator is a popular two-factor implementation that is easy to integrate with SSH and with WordPress. Unfortunately, it’s a weak implementation that relies on smartphones as the physical key. Since a smartphone is really just another computer connected to the Internet, attackers can hack the smartphone remotely after they crack the password.