The Great Debates: Pass Phrases vs. Passwords.

Following up on my previous post pointing you to good pwds, this is actually a decent enough "debate" on passwords vs. passphrases. The author throws around some pretty useless numbers early on, but quickly gets to the point that I thought was worthy of your attention: Passwords are often made harder to crack by adding "complexity" to them, e.g. a-z and A-Z and 0-9 and a bunch of other random characters, all mixed together. But the way most people would implement a pass phrase is going to be all words and maybe some punctuation. Those words, as individual symbols, may be quite easy to crack, as opposed to viewing them as 30 separate symbols to brute-force your way through.
Time for an example, right?
Here is a 9-character password:
!k1eV3r?+
And here is a 34-character passphrase:
The Force is strong with this one.
If the cracking program assumed that passwords longer than, let's say, 15 characters are likely to be sets of English words rather than a randomish password, then it could look at that pass phrase as 7 complex symbols rather than 34, and cut down the hacking time by millennia.
That's a real-world mark against deciding that pass phrases are better than reasonably well-constructed passwords, isn't it? (No, I don't want to qualify my subjective opinion of what is "reasonably well-constructed", but thank you for the offer, all the same.)
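
The 34-symbols-versus-7-symbols comparison above, worked through as an added example (not from the original post or the debate it links to): a small strength estimator that sizes the search space of a secret per character and per dictionary word. The 95-character alphabet, the 20,000-word list size, the one-bit capitalisation cost and the tiny SAMPLE_WORDS set are assumptions chosen for illustration.

```python
import math
import re

CHARSET = 95            # assumed alphabet: printable ASCII, per-character view
WORDLIST_SIZE = 20_000  # assumed size of a cracker's English word list
LONG_THRESHOLD = 15     # the post's cutoff for "probably English words"
# Constructed stand-in for membership in that word list.
SAMPLE_WORDS = {"the", "force", "is", "strong", "with", "this", "one"}
TOKEN = re.compile(r"[A-Za-z]+|[^A-Za-z\s]")  # a word, or one non-letter character


def char_bits(secret):
    """Search space in bits when every character is an independent symbol."""
    return len(secret) * math.log2(CHARSET)


def word_bits(secret, words=SAMPLE_WORDS):
    """Search space in bits when each listed word is one symbol.

    Returns (bits, number of listed words). Whitespace is assumed to cost
    nothing; anything not in the list falls back to per-character cost.
    """
    bits, hits = 0.0, 0
    for token in TOKEN.findall(secret):
        if token.lower() in words:
            # one pick from the word list, plus 1 bit for first-letter case
            bits += math.log2(WORDLIST_SIZE) + 1
            hits += 1
        else:
            bits += len(token) * math.log2(CHARSET)
    return bits, hits


def estimate(secret):
    """Both views, plus the one a length-aware cracker would actually pay."""
    per_char = char_bits(secret)
    per_word, hits = word_bits(secret)
    if len(secret) > LONG_THRESHOLD:
        effective = min(per_char, per_word)   # long input: try the word view
    else:
        effective = per_char                  # short input: treated as randomish
    return {"length": len(secret), "dict_words": hits,
            "char_bits": round(per_char, 1), "word_bits": round(per_word, 1),
            "effective_bits": round(effective, 1)}


if __name__ == "__main__":
    for s in ("!k1eV3r?+", "The Force is strong with this one."):
        print(repr(s), estimate(s))
```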