Online security has been widely discussed recently. The global surveillance disclosures made several years ago by the whistle-blower Edward Snowden made people think about how secure the information they place in various e-mail and social network accounts really is. Although those disclosures did not deal with passwords, the surveillance hype was very useful in raising awareness of the importance of password security and confidentiality. Over the last 20 years, people have made up passwords that are easy for automated guessing programs to crack yet hard for the users themselves to remember. There are far more secure ways to protect sensitive information than ordinary passwords, and passphrases are one of them: human-chosen phrases that can be used to protect vital data in software, on servers and in private accounts.
How to Choose Passphrases
There are several methods by which people can choose them. Some characteristics every good passphrase should have are:
- It should be long enough;
- It shouldn’t be a quote;
- It should be hard to guess by using intuition;
- It should be easy to remember and simple to spell;
- It might contain some additional encoding, made by the user;
- One passphrase should be used only on one website, program or social network account.
On the other hand, some characteristics are commonly associated with bad ones:
- It was already shown to the public
- It is too long or too hard to type or spell
- It is some popular quotation, excerpt from a movie dialog, song lyrics etc.
Passphrases can be chosen in many different ways, and Diceware is by far the most popular one. Each word is chosen by rolling a die five times; the five digits that come up form a five-digit number, which is then looked up in the Diceware word list. Lists are now easy to find in several languages, and the English Diceware word list contains 7,776 unique words.
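As an added illustration of the Diceware lookup just described (example code, not from the original article or the Diceware project), the functions below parse the list's key-tab-word layout, convert a five-dice roll into a list index, and compute the entropy a passphrase of a given length carries; the word list excerpt is constructed for the example, not the real list.

```python
import math
import secrets

# Every Diceware key is five dice digits (1-6), so the full list has 6**5 entries.
DICEWARE_LIST_SIZE = 6 ** 5  # 7776

# Constructed excerpt in the Diceware file layout (key, tab, word). The words are
# made up for this example; a real run loads the complete published list.
SAMPLE_LIST_TEXT = """11111\tapple
11112\tanvil
23456\tdodge
44444\tnorth
56565\tspud
66666\tzebra
"""

def key_to_index(key):
    """Map a five-digit dice key such as '23456' to a 0-based index (base 6)."""
    if len(key) != 5 or any(d not in "123456" for d in key):
        raise ValueError(f"not a Diceware key: {key!r}")
    index = 0
    for d in key:
        index = index * 6 + (int(d) - 1)
    return index  # '11111' -> 0, '66666' -> 7775

def parse_word_list(text):
    """Parse 'key<TAB>word' lines into a dict, rejecting malformed keys."""
    words = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split("\t", 1)
        key_to_index(key)  # raises ValueError on a bad key
        words[key] = word.strip()
    return words

def roll_key():
    """Roll five dice with a CSPRNG; physical dice are the original method."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))

def passphrase_from_keys(keys, word_list):
    """Look each rolled key up in the list; an unknown key raises KeyError."""
    return " ".join(word_list[k] for k in keys)

def entropy_bits(num_words, list_size=DICEWARE_LIST_SIZE):
    """Entropy of a passphrase whose words were drawn uniformly from the list."""
    return num_words * math.log2(list_size)
```

With the full list, `passphrase_from_keys([roll_key() for _ in range(6)], words)` yields a six-word passphrase of roughly 77.5 bits.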
Passphrases can be made more complicated by adding acronyms from another phrase. If, for example, we take the popular M&M commercial slogan (which is not advisable, but we use it for illustration only) “Melts in Your Mouth, Not in Your Hand” and the one used by the State of Texas Department of Transportation, “Don’t Mess With Texas”, as our passphrase and turn the first slogan into an acronym, we get “MIYMNIYH”. Then we replace some of the words in the second slogan with the acronym of the first one, and our passphrase becomes “Don’t Mess With MIYMNIYH”.
Passphrases vs Passwords
A typical password contains 6 to 10 characters and is widely used as a security measure. The problem with passwords is that they are usually easy to crack, especially with software built for that purpose. On the other hand, they are easy to remember, but that is also potentially dangerous, because words that are easy to remember can also be easy to guess. That is why simple passwords are not used for standalone security systems.
Passphrases, on the other hand, are much longer and therefore harder to crack. If chosen with the method described above, they cannot be found in any quote or phrase dictionary, which means they are immune to dictionary attacks. They can also have structures that make them easier to memorize, using methods such as the memory palace (method of loci). Passphrases only two words long already carry at least 10-20 bits more security than human-chosen passwords.
The bottom line is that at a time when we store massive amounts of personal information on different web sites, servers and programs, using a more complex protection system is almost a necessity. It does not have to be passphrases, but simple human-chosen passwords are simply not secure enough.