Password Security: Are Passphrases More Secure Than Passwords?

The BYOD / Consumerization of IT trend means changes for the mobile workspace.  But, some things will stay the same for a while.  Like the need for mobile security tools such as AlertBoot, or the use of passwords.  Could the latter be improved upon?  For example, by using a passphrase?

The usual rules for creating a strong password are:

  • Use a mix of characters (upper and lower case letters, numbers, and special characters)

  • Make it as long as possible

  • Make it as random as possible — no words found in dictionaries, for example

The use of a passphrase means that you can easily use a mix of characters (at least upper and lower case when separating words, as in ThisIsMyPassphrase) and easily make it long.  A password like iiSNsin3@3NS9SniSnglen (22 characters) is hard to memorize; a phrase such as ItWasTheBestOfTimesItWasTheWorstOfTimes (39 characters) is not.

Dickens, Tolstoy, London, Baum

The problem with passphrases is that people tend to pick something that’s popular (“How Charles Dickens Helped Crack Your LinkedIn Password”) and easy to remember as a passphrase:

Young wrote a program that draws passphrase strings from books such as Tale of Two Cities, War and Peace, The Call of the Wild and The Land of Oz. The program takes words from those books and creates phrases and concatenations such as “lionsandtigersandbears” and “ihavebeenchangedforgood.” Both generated hits in the LinkedIn hashes.

For the passage “Tip was made to carry wood from the forest” — from The Land of Oz — Young’s program will try the hash for “Tip,” then “Tipwas,” then “Tipwasmade” and “Tipwasmadeto” and on. The program could also be configured to add numbers, symbols in further attempts to match a hash.

The use of popular phrases is, from a password-cracking point of view, no different from using dictionary words: these texts are readily available in electronic form.  The protection afforded is nominal.  Well, truth be told, it’s more than nominal.  But as computers get more powerful, simple, straightforward passphrases will lose their advantage over passwords.

It Helps If You’re Bilingual and Touch-Type

I realize that this is not a solution for everyone, but I know of some people who take advantage of their fluency in two languages to create something of a “perfect” password.

For example, first, they think of a phrase in Korean.  The Korean language has a unique script / writing system, and computer keyboards reflect this.  Then, they touch-type the phrase using a “normal” English / Western keyboard.  So, “my name is Sang” ends up as wpdlfmadmstkddlqslek, an easily reproducible password.

Granted, this doesn’t quite work if, say, you’re bilingual in German and English: the keyboard layouts are virtually identical.  But you could still use your linguistic fluency to create a pretty secure passphrase.  For example:

  • IchBinEinBerliner2IAmABerlinerAKAJellyDonut

  • IchBinEinJellyDonutSaidJFKNotReallyItsAnUrbanLegend

Of course, now that the above have been published online, you should not use them as passphrases: they’ve probably ended up in some rainbow table somewhere.

A caveat on these passwords: the weakness I pointed out about using passphrases “as is” still applies to the bilingual passphrases above.  Always take the effort to sprinkle some special characters in odd places (that is, somewhere other than where you would have typed a space).
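The following is an added example (not code from the original post or from AlertBoot) of a password-policy check that applies the same reasoning from the defender's side: at password-set time it strips digits and symbols, lower-cases the candidate, and looks for it as a run of consecutive words from a corpus of well-known text, the same prefix-concatenation search Young's program is described as running against the LinkedIn hashes. The corpus here is a constructed two-passage sample (the Dickens and Oz lines quoted above); a deployment would load full texts. It also shows why the caveat above matters: a symbol at a word boundary is stripped away, but one inserted mid-word breaks the match.

```python
import re
from typing import List, Optional

# Constructed sample corpus: two public-domain passages mentioned on the page.
# A real policy check would load the full texts of popular books, lyrics, etc.
CORPUS_TEXT = """
It was the best of times, it was the worst of times, it was the age of wisdom,
it was the age of foolishness.
Tip was made to carry wood from the forest, to hoe the corn and to feed the pigs.
"""


def normalize(s: str) -> str:
    """Keep letters only, lower-cased: the form a cracker hashes after
    discarding the digits and symbols users add at word boundaries."""
    return re.sub(r"[^a-z]", "", s.lower())


def corpus_words(text: str) -> List[str]:
    """Split a text into normalized words, dropping punctuation-only tokens."""
    return [w for w in (normalize(t) for t in text.split()) if w]


def find_corpus_run(candidate: str, words: List[str]) -> Optional[str]:
    """Return the run of consecutive corpus words whose concatenation equals
    the normalized candidate, or None. This mirrors the search described
    on the page ('Tip', 'Tipwas', 'Tipwasmade', ...) from every start word."""
    target = normalize(candidate)
    if not target:
        return None
    for start in range(len(words)):
        built = ""
        for end in range(start, len(words)):
            built += words[end]
            if built == target:
                return " ".join(words[start:end + 1])
            # Stop extending once the run can no longer be a prefix of target.
            if len(built) >= len(target) or not target.startswith(built):
                break
    return None


WORDS = corpus_words(CORPUS_TEXT)


def passphrase_is_weak(candidate: str) -> bool:
    """Policy check: reject a passphrase that is a verbatim run of known text,
    even when digits or symbols were inserted only between the words."""
    return find_corpus_run(candidate, WORDS) is not None


if __name__ == "__main__":
    for p in ["ItWasTheBestOfTimes", "Tip-was-made-to-carry!1",
              "ItWasTheBe$tOfTimes", "wpdlfmadmstkddlqslek"]:
        print(f"{p!r:28} weak={passphrase_is_weak(p)} run={find_corpus_run(p, WORDS)!r}")
```

The last two candidates pass this particular check: the mid-word "$" and the touch-typed Korean phrase are not runs of corpus words, which is exactly the property the advice above relies on.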

I’ve tried the above method, and it seems to work pretty well when creating a password for my laptop encryption.  The only problem presents itself when trying to use such a password on a device that gives you a virtual keyboard that you can’t quite touch-type.

