Passphrases


The Blog of Tom Webster

  2016-01-05 01:13:00 PST

Passwords are so last year

Passphrases are the new hotness. Who cares about upper case, lower case, symbols, and numbers? Not me.

Caveats:

  • This isn't a panacea
  • It will not stop all the evils of the world
  • If the site you use stores your credentials in plain text, you're as good as done
  • Dictionary attacks happen
  • This is just some brute-force math that shows length is more important than artificial complexity
  • Phrase-Dictionary attacks do happen
    • DO NOT use a Bible verse or song lyric
    • DO NOT use a sports team
    • DO NOT use a famous quote
    • You must be only slightly creative and make a slightly original sentence

Time to crack is based on a massive cracking array that runs one hundred trillion guesses per second. (Thanks to GRCs password haystacks page for the calculations)

Take this password, typical, classical: tha2uy2Ieti+

  • Length: 12 characters
  • Categories: lower-case, upper-case, numbers, symbols
  • Time to crack: 1.74 centuries

And this one, a bit longer: ae3chav3Ho{cik6g

  • Length: 16 characters
  • Categories: lower-case, upper-case, numbers, symbols
  • Time to crack: 1.41 hundred million centuries

Let's get crazy: pahzoon2uCh9phoS'iSeeBa

  • Length: 23 characters
  • Categories: lower-case, upper-case, numbers, symbols
  • Time to crack: 9.88 billion trillion centuries

And this passphrase: unlock syntax for tailspin

  • Length: 26 characters
  • Categories: lower-case
  • Time to crack: 35.64 billion trillion centuries

And this passphrase, but two words longer: unlock syntax for massive director tailspin

  • Length: 43 characters
  • Categories: lower-case
  • Time to crack: 45.34 thousand trillion trillion trillion trillion centuries

The evidence is clear, the four-word passphrase is not only easier to remember, but it's even more secure than the 23-character all-random password. Let's keep this in mind when choosing a new root passphrase.

Storing the passphrase

You should be using a password manager by now. Also, if you're storing the passphrases securely, why not make a 64-character random password for everything? Use a nice passphrase as your master password.