Password Vs. Passphrase

Discussion in 'Serious Discussion' started by cdavisdeco, Jul 21, 2020.


Password Vs. Passphrase

  1. Password

    4 vote(s)
    66.7%
  2. Passphrase

    2 vote(s)
    33.3%
  1. cdavisdeco

    cdavisdeco MDL Senior Member

    Jul 8, 2015
    281
    57
    10
    I think you all know the guidelines for a strong password.
    • Must be at least 8 characters or more.
    • Use a combination of upper and lower case letters, numbers, and special characters.
    • Avoid using words found in the dictionary.
    So on...

    It should look like a series of random characters, not a sentence. Also, substituting look-alike characters for letters or numbers is no longer sufficient. In short, the advice is to increase the length and complexity.

    A passphrase is a collection of common words combined together randomly into a phrase.

    Security experts advise using passphrases instead of passwords because they're far easier to remember than conventional passwords yet far harder for hackers to crack.

    Let's compare these two in an example.

    Password: Xy9n4h&w]Lo>FIbT2Vk[u3R/JmZS

    • Length: 28 - PASS
    • Complexity - PASS
    Upper Case Letters ✔
    Lower Case Letters ✔
    Numbers ✔
    Special Characters ✔
    • Vulnerability to dictionary attack - PASS
    • Usability: Hard to Remember - FAIL

    Passphrase: correct horse battery staple

    • Length: 28 - PASS
    • Complexity - FAIL
    Upper Case Letters X
    Lower Case Letters ✔
    Numbers X
    Special Characters X
    • Vulnerability to dictionary attack - FAIL
    • Usability: Easy to Remember - PASS

    The password has all the things a strong password should have. It's totally random. But one could hardly remember it.
    On the other hand, the passphrase is easy to remember. But it's full of words that can be found in a dictionary.

    So being easy to remember is the only reason to use a passphrase instead of a password. Should we compromise security for usability? I don't think so.
    And as experts say, if passphrases are harder for hackers to crack, why isn't everyone using them? Why don't websites prompt us to use them instead of passwords?

    Password Vs. Passphrase. What's your opinion on this? Let's discuss.
     
  2. eVYGI7

    eVYGI7 MDL Novice

    Mar 20, 2019
    23
    7
    0

    • Length: 27 - PASS
    • Complexity - PASS
    • Upper Case Letters ✔
    • Lower Case Letters ✔
    • Numbers ✔
    • Special Characters ✔
    • Vulnerability to dictionary attack - PASS
    • Usability: Hard to Remember - PASS
     
  3. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    12,157
    12,685
    340
    #3 Yen, Jul 22, 2020
    Last edited: Jul 22, 2020
    The major difference between a passphrase and a password is that a secure passphrase has far more characters (more than a hundred; it takes a long time to type in).

    That's the reason why a passphrase is not suitable for logins into accounts. It is suitable for encrypting or signing messages; Electrum, for instance, uses it to 'recover' a bitcoin account ("seed").

    It is suitable where you have to remember it for a long time and where you have to use it only a few times... or as a last-resort authentication.
    The security increases not only with length but also with the structure of the sentence.
    (2 nouns, adjectives and locations plus verb and adverb >= 92 bit entropy)

    Also, using a rare language or even self-created words (i.e. leetspeak) can increase security.

    You can make use of both by a combination; for instance, the PW I use to share stuff here is:
    I1am2free3@mdl

    The strength of a PW should be related to the potential harm.
    This one is easy to remember, already strong, but it's just a zip PW to make sure only MDL people can unpack it.


    And contrary to previous recommendations, one should use one PW all the time and not change it after a period of time again and again.

    And a second factor is far more secure than one very strong PW which is hard to remember.

    Another way to create a random PW is to remember a special pattern on the keyboard.
     
  4. cdavisdeco

    cdavisdeco MDL Senior Member

    Jul 8, 2015
    281
    57
    10
    #4 cdavisdeco, Jul 22, 2020
    Last edited: Jul 24, 2020
    (OP)
    Isn't that too much? Even that example I posted from the famous XKCD comic, which has 28 characters, would take 15 octillion years to be cracked according to an online checker.

    How can I calculate the entropy?

    That's true. And that brings up another question for me. Authenticator App Vs. Text Message.
    They say the first one is more secure since hackers can get the text message via SIM swapping.
    But what happens with the authenticator app when your phone dies or is lost?

    By the way, thanks for your input on the subject. :)
     
  5. R29k

    R29k MDL GLaDOS

    Feb 13, 2011
    4,890
    4,486
    150
    https://appdevelopermagazine.com/Dangers-of-quantum-hacking/

    You're also forgetting things like YubiKey etc.; you don't actually need to use an app for 2FA!
     
  6. cdavisdeco

    cdavisdeco MDL Senior Member

    Jul 8, 2015
    281
    57
    10
    #6 cdavisdeco, Jul 24, 2020
    Last edited: Jul 24, 2020
    (OP)
  7. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    12,157
    12,685
    340
    #7 Yen, Jul 24, 2020
    Last edited: Jul 24, 2020
    Well, you can do it by approximation. It of course depends on the language (the dictionary) and also on the complexity of the language's grammar.
    To make a proper approximation you first have to define how many characters the particular language has at all.
    Then it depends on grammar and on terms like locations such as cities or unique terms used (finally, for a dictionary attack you need a reference dictionary). For a brute force attack you only need to define the number of different characters for each digit to calculate. And of course the number of digits, the length of the phrase.

    The easiest form of an attack defines the maximum entropy it can have.

    I got the info from here (only partly translated to English, though) https://www.spoc-web.com/english/security-training/passphrases/

    2FA is usually associated with a 2FA app. But it literally means using a second independent authentication, a second factor, additionally.

    For anything money-related I use a login with name and password as the first factor and an SMS PIN which expires as the second factor. No app.

    Even if both systems should be compromised, hacker A gets the PW and username (first factor) and hacker B the SMS (second factor). Now there is a limited time to get both together, which is only 10 minutes until the second factor expires. That is impossible, you are safe anyway and can change anything in time. It is impossible that one hacker can monitor both (your current network IP for an attack due to malware AND your corresponding SIM ID with full access to the SMS PIN).

    For anything else I use the mentioned combination of 'parts', and I actually use the Sanskrit language. I have never forgotten such a phrase, but sometimes I miss the specific way I used for reconstruction and I need a few attempts to get logged in again. :)

    The number of 'parts' I use I decide depending on where I log in. Here at MDL I have more than 20 characters that are easy to remember.
     
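As an added illustration of the approximation Yen describes (and of the OP's question about calculating entropy), not code from any poster in this thread: entropy in bits under each attack model, using the thread's own XKCD examples. The per-slot vocabulary sizes for the "structured sentence" model are constructed assumptions, not figures from the thread.

```python
import math
import string

# Constructed vocabulary sizes per grammatical slot (assumptions for illustration only).
SLOT_VOCAB = {"noun": 5000, "adjective": 2000, "location": 3000, "verb": 2000, "adverb": 500}


def charset_size(secret: str) -> int:
    """Smallest standard pool covering every character class present; a brute-force
    attacker must search at least this many symbols per position."""
    size = 0
    if any(c.islower() for c in secret):
        size += 26
    if any(c.isupper() for c in secret):
        size += 26
    if any(c.isdigit() for c in secret):
        size += 10
    if any(c in string.punctuation for c in secret):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    if " " in secret:
        size += 1
    return size


def brute_force_bits(secret: str) -> float:
    """Entropy under a character-level brute force: length * log2(pool size)."""
    return len(secret) * math.log2(charset_size(secret))


def wordlist_bits(word_count: int, list_size: int) -> float:
    """Entropy under a dictionary attack where the attacker knows the word list."""
    return word_count * math.log2(list_size)


def structured_bits(slots: list) -> float:
    """Entropy of a sentence built from grammatical slots; each slot adds log2(vocabulary)."""
    return sum(math.log2(SLOT_VOCAB[s]) for s in slots)


def effective_bits(phrase: str, list_size: int) -> float:
    """The easiest attack bounds the strength: take the minimum over the attack models."""
    return min(brute_force_bits(phrase), wordlist_bits(len(phrase.split()), list_size))


if __name__ == "__main__":
    pw, phrase = "Xy9n4h&w]Lo>FIbT2Vk[u3R/JmZS", "correct horse battery staple"
    print(f"password, brute force      : {brute_force_bits(pw):.1f} bits")
    print(f"passphrase, brute force    : {brute_force_bits(phrase):.1f} bits")
    print(f"passphrase, 2048-word list : {effective_bits(phrase, 2048):.1f} bits")
    sentence = ["noun", "noun", "adjective", "adjective", "location", "location", "verb", "adverb"]
    print(f"structured sentence (assumed vocab): {structured_bits(sentence):.1f} bits")
```

The passphrase looks strong against brute force (28 lowercase characters and spaces) but the dictionary model bounds it at 44 bits, which is the point the XKCD comic makes; the structured sentence gets its bits from the size of each slot's vocabulary, not from character classes.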