Cengage Technology & Computing Blog

DON'T Use Passphrases for Passwords
Mentor
769 Views
7 Comments

[Reading Time - 1 minute 44 seconds]

When I am speaking to users about passwords, towards the end of the presentation I give my three password principles:

  1. Any password that can be memorized is a weak password. (This is somewhat tongue-in-cheek, but it is a reminder that long passwords matter more than complex passwords, and our brains simply cannot remember long passwords.)
  2. Any password that is repeated is a weak password. (Stolen password digests are routinely cracked and then posted on the Internet for attackers to download and use as the starting point when they attempt to crack new passwords. One web site boasts that it has over 1.6 billion cracked passwords available for download. And because users often repeat a password on more than one site, attackers routinely check these stolen passwords to see if the password they are trying to crack has already been used before, and it very often has.)
  3. We must use technology instead of our brains to manage our passwords. (Because attackers use technology to crack our passwords, we must likewise use technology to protect them. This means using a password manager to store and retrieve your passwords.)

However, invariably when I finish speaking, someone will come up to me and say that they use long passphrases instead of a password. They say that these are easy to memorize, so they don't have to use a password manager. And usually these passphrases are the words to their favorite song or a famous line from a book or poem.

Is it safe to use a passphrase instead of a password?

No.

And here's the reason why.

Attackers know that users often use passphrases. So, in addition to using stolen passwords to see if your password matches one of them, they now also use huge repositories of known phrases and titles to quickly find a match and crack your password. And what are some of these repositories? Here's just a small sample:

  • 15,000 Useful phrases
  • Movie titles and famous movie lines
  • Song lyrics
  • Titles of over 300,000 books
  • Wikipedia article titles
  • Words from the 2016 US presidential debates
  • 250,000 Women's names

So, if you use a passphrase that includes music lyrics ("If_we_weren't_all_crazy_we_would_go_insane"), movie lines ("May_the_Force_be_with_you"), or words from a famous saying ("Abandon_all_hope_ye_who_enter_here") then your passphrase can easily be broken.
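The defensive counterpart of what the post describes is to screen a candidate passphrase against the same kind of phrase list before accepting it, the way a registration or password-change policy check would. The following is an added example and not code from the original post; the KNOWN_PHRASES list is a small constructed sample standing in for the lyric, movie-line and book-title corpora mentioned above (a real check loads such lists from files and also screens against breached-password corpora), and the normalization rules (case folding, separator stripping, undoing a few digit-for-letter substitutions) are assumptions about what a check must undo before comparing, since the underscores in "May_the_Force_be_with_you" do not make it a different phrase.

```python
"""Screen a candidate passphrase against a list of known phrases.

Added example, not code from the original post. KNOWN_PHRASES is a
constructed sample; the normalization rules are assumptions about the
cheapest transformations a policy check should undo before comparing.
"""
import re

# Constructed sample of known phrases; a real deployment loads millions.
KNOWN_PHRASES = [
    "May the Force be with you",
    "Abandon all hope, ye who enter here",
    "If we weren't all crazy we would go insane",
    "To be, or not to be",
    "Correct horse battery staple",
]

# Common digit/symbol-for-letter substitutions, undone before comparison.
LEET_MAP = str.maketrans(
    {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
)

# Separators users insert between words (underscores, spaces, punctuation).
_SEPARATORS = re.compile(r"[\s_\-.,;:!?'\"]+")


def normalize(text: str) -> str:
    """Case-fold, undo leet substitutions and drop separators, so that
    'M@y_th3_F0rce' and 'may the force' compare equal."""
    return _SEPARATORS.sub("", text.translate(LEET_MAP)).lower()


def build_phrase_index(phrases, min_len: int = 12) -> set:
    """Normalized phrase set; very short phrases are skipped because they
    would produce spurious substring hits on unrelated passwords."""
    index = set()
    for phrase in phrases:
        norm = normalize(phrase)
        if len(norm) >= min_len:
            index.add(norm)
    return index


def find_known_phrase(candidate: str, index: set):
    """Return the normalized known phrase contained in the candidate, or None.
    Substring matching catches padding such as 'May_the_Force_be_with_you2024'."""
    norm = normalize(candidate)
    for phrase in index:
        if phrase in norm:
            return phrase
    return None


def check_passphrase(candidate: str, index: set, min_length: int = 16):
    """Policy decision as (accepted, reason). Length is checked on the raw
    candidate; the phrase check runs on the normalized form."""
    if len(candidate) < min_length:
        return False, "too short"
    hit = find_known_phrase(candidate, index)
    if hit is not None:
        return False, f"contains known phrase: {hit}"
    return True, "ok"


if __name__ == "__main__":
    idx = build_phrase_index(KNOWN_PHRASES)
    for pw in [
        "May_the_Force_be_with_you",
        "M@y_th3_F0rce_be_with_y0u!2024",
        "Abandon_all_hope_ye_who_enter_here",
        "tobeornot",
        "q7#Lw!p2Rz$Vk9mX&eB4",
    ]:
        print(pw, "->", check_passphrase(pw, idx))
```

Normalizing before comparison is the important design choice: a check that compares raw strings would accept "M@y_th3_F0rce_be_with_y0u!2024" even though it is the same phrase, while the normalized check rejects it along with the plain underscore-separated form. Only a randomly generated password such as the last sample passes.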
All passwords should be long, unique, not phrases--and stored in a password manager. And be sure to use the password manager's built-in password generator to create long and complex passwords that are different for each account.
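To make the "use the built-in generator" advice concrete, here is an added example (not code from the original post or from any password manager) of what such a generator does and why its output beats a memorable phrase: each character is drawn from the operating system's CSPRNG through Python's secrets module, and the search space an attacker faces is compared with that of a phrase chosen from a corpus of known phrases. The 1.6 billion corpus size in the usage block is the figure quoted in the post, used here only as an illustration of the upper bound; the rejection-sampling approach to guaranteeing one character of each class is an assumption about a reasonable design, not a description of any particular product.

```python
"""What a password manager's generator does, and how it compares to a phrase.

Added example, not code from the original post or from any password
manager. The corpus size used below is the 1.6 billion figure the post
quotes, treated as an illustration of the upper bound.
"""
import math
import secrets
import string

# 94 printable ASCII symbols: the kind of alphabet a manager's generator uses.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def generate_password(length: int = 20, alphabet: str = ALPHABET,
                      require_all_classes: bool = True) -> str:
    """Draw each character independently and uniformly from the CSPRNG.
    When require_all_classes is set, candidates missing a class are
    discarded and redrawn (rejection sampling), which keeps the result
    uniform over the accepted set instead of biasing fixed positions."""
    if length < 1:
        raise ValueError("length must be positive")
    # Only require the classes the alphabet can actually supply,
    # otherwise the loop below could never terminate.
    needed = [c for c in CLASSES if set(c) & set(alphabet)] if require_all_classes else []
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in pw) for cls in needed):
            return pw


def random_password_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of an independently drawn password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def corpus_phrase_bits(corpus_size: int) -> float:
    """A passphrase taken from a corpus of known phrases is at most
    log2(corpus_size) bits, however many characters it contains."""
    return math.log2(corpus_size)


def equivalent_random_length(corpus_size: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Shortest random password whose entropy matches a corpus of this size."""
    return math.ceil(corpus_phrase_bits(corpus_size) / math.log2(alphabet_size))


if __name__ == "__main__":
    pw = generate_password(20)
    print("generated:", pw, f"({random_password_bits(20):.1f} bits)")
    print("phrase from a 1.6e9-entry corpus:", f"{corpus_phrase_bits(1_600_000_000):.1f} bits")
    print("random characters needed to match that:", equivalent_random_length(1_600_000_000))
```

The comparison is the point of the block: a 20-character password drawn from 94 symbols carries about 131 bits, while a phrase picked from a corpus of 1.6 billion entries is worth no more than about 31 bits regardless of its length, which a random password of just 5 characters already matches. The manager, not the user, has to remember the result, which is the post's third principle.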
Anything less is just begging for your password to be cracked. And it will be.

7 Comments
Cengage

Are there any password manager programs that are highly rated? Do you have to pay for a good one, or are there free ones that are worthwhile? Anything good that works across devices?

Mentor

Great question!

There are several good password managers. My favorite is KeePass (https://keepass.info). It's free and open source. And it's been audited by the European Commission's Free and Open Source Software Auditing (EU-FOSSA) project with no security issues found. But KeePass is Windows-centric and requires the Windows .NET framework. KeePassXC (https://keepassxc.org) is a community fork for Linux, macOS, and Windows users, and it also has Android plug-ins. However, KeePass does not by default store your password vault online. Whereas that's a plus for security (attackers can't get to it), it's also an inconvenience for some who want to be able to access it from any device at any time (KeePass requires you to have a local copy, but you can put it in the cloud in your Dropbox account or other repository). Dashlane (https://www.dashlane.com) is another good one (and free, too).

I'd suggest looking at several and finding one that gives you good security and works with how you use your technology.

What if I use the lyrics for the Major General's song from the Pirates of Penzance? 😉

Seriously, though, not everybody has the ability to use a password manager. For example, DoD employees cannot use personal software on government machines. This leads to some rather difficult situations. I remember a time when there was a certain system that had an issue, so the Big Dogs changed the password complexity rules. Minimum length went from 8 to 16 characters. The system checked for incrementation (you couldn't simply add a 1, then change it to a 2, then change it to a 3, etc., for every mandatory 60-day password change). The system checked for repetition within the password (you couldn't just double the existing password by repeating it). The system checked to see if the password contained anything that had been used in the past (you couldn't just rearrange words inside a passphrase). On this particular network, it was illegal to write down passwords, but the new complexity rules drove people to write them down anyway, opening the door to attack anyway.

To combat this, I think we need to get cybersecurity into the so-called soft sciences, like sociology and psychology. Maybe those who are subject matter experts in human behavior can help us crack the code on this one. To keep the CIA triad healthily balanced, we have to have users participate. After all, a chain is only as strong as its weakest link.

Mentor

Maybe those lyrics would indeed be tough to crack!

I know that not everyone can use a password manager in every setting. However, for the overwhelming population of users a password manager is recognized by security professionals as the ONLY solution to our password conundrum in which we now find ourselves.

I do agree that we need to look to other disciplines to help with this issue. Interestingly, at the just-completed Security and Human Behavior workshop at Carnegie Mellon University there were several research papers presented on this topic. One that caught my attention was entitled, "Maybe poor Johnny really cannot encrypt – The case for a complexity theory for usable security." Here's part of the abstract: "Psychology and neuroscience literature shows the existence of upper bounds on the human capacity for executing cognitive tasks and for information processing. These bounds are where, demonstrably, people start experiencing cognitive strain and consequently committing errors in the tasks execution. We argue that the usable security discipline should scientifically understand such bounds in order to have realistic expectations about what people can or cannot attain when coping with security tasks."

The URL to the article is https://www1.informatik.uni-erlangen.de/filepool//publications/zina/2015-benenson-nspw15-maybe-poor-...

@Mark_Ciampa, thank you so much for the research link!

Also, thank you for the CompTIA Security+ Guide to Network Security Fundamentals.

Thanks Mark for your insight and keeping us secure!

@Sandy_Keeter, I believe we can safely say that @Mark_Ciampa is da' bomb diggety!!