Why and How to Use a Passphrase

When you create a password, what does it look like?

Is it the same password for everything, or are they all different?

Are you the person who creates the password, “aH6*v@!nx5t0” and has it written down because it’s impossible to remember, or do you have a few variations of the same password that can be memorable, yet strong enough and different enough to be just barely sufficient?

Passwords are a tricky thing. You need to make them possible to remember, but complex enough to get past botnet cracks or brute force attacks. But the problem with passwords is that there are less than 100 different characters that can be used in a single spot of a password.

Numbers: 0-9 (10)

Letters: A-Z; a-z (52)

Special characters: (32)

Total: 94 different possible characters in a password

That means if you have an 8 character password containing uppercase, lowercase, numbers, and special characters, you would have 6,095,689,385,410,816 different possible combinations. This may seem to be an impenetrable password, yet just recently a computer that was designed for this task was noted to have cracked an 8 character password in just a few hours. However, the more characters you implement, the more secure your password will become, making it take significantly longer to figure out. For instance, if you were to add a single additional character to that password, you would raise the time it takes to crack from 1 day to 2 months. The problem with this method though, is the mere practicality of it. The more characters you add, the more difficult it is to personally remember. You don’t want to have to keep rumbling through your desk trying to find that scrap piece of paper where half of the passwords written down have already been changed.

Passwords should be something memorable, yet long and secure enough to not be easily discovered. This is where passphrases really show their true potential. A passphrase is similar to a password, except that each “character” is a full word. So instead of having a single character with about 94 different options, you can create a memorable word that has over 171,000 options, being the extent of the English language. Now, it’s possible that the hacker can use passphrase token attacks and utilize a dictionary of commonly used English words that are much more compressed than this, being around 5,000 words, but even if that is the case, a 5-word passphrase is still significantly more complex to crack than an 8-character password.

94 ^8 = 6,095,689,385,410,816

5000 ^5 = 3,125,000,000,000,000,000 (Over 500 times more complex to crack)

However, by simply increasing your password to 9 characters, it does improve the complexity quite a bit (i.e. 572,994,802,228,616,704 possibilities)

As you can see, cracking a passphrase can be far more difficult than cracking a password, unless you make one of two common mistakes. The first mistake is choosing a combination of simple words with a low character count. “I am a cat,” for example contains four words, but it’s only 10 characters long and an attacker can use a conventional brute force attack, even for a passphrase. Spaces between words can be used to increase the length and complexity of passphrases but can only add small relative improvement. When all else fails, choose length over complexity.

The second most common mistake is using a common phrase as a passphrase. A compiled dictionary containing the top 1,000,000 common phrases will obviously take only that many guesses to figure out. It would be similar to a random, 3-character password, which for a moderately powerful computer would take seconds.

But a unique, uncommon passphrase can still be multiple times more powerful than a 9 character password. As far as being memorable, as long as you stick with something personally known, like an unforgettable movie character, it shouldn't be an issue. Furthermore, by adding a digit and special character to the end of a passphrase like an ‘8#’, it makes the combination nearly uncrackable by practical measure. Make the passphrase something fun by using foreign words, fictional characters, or even uniquely titled movies.

In the end, passphrases allow for longer, more secure passwords due to their relative character length and are also easier to remember which makes the management of said password much more practical. If it is necessary to standardize passwords within a company, then at least make sure the password is at least 9 upper and lowercase alphanumeric and special characters.