Educause Security Discussion mailing list archives

Re: password vs pass-phrase (was: Are users right in rejecting security advice?)


From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Wed, 17 Mar 2010 19:31:09 -0700

 There is considerable research in the subject of pass phrases through a different question: what is the entropy of 
English?  If Shannon is correct (http://languagelog.ldc.upenn.edu/myl/Shannon1950.pdf), running English text has 0.6 to 
1.3 bits of entropy per letter. Thus, if a passphrase is just English text, it would have to be very long to achieve 
reasonable strength.

 The problem with pass phrases is not famous quotes, phrases, etc. The problem is that English is extremely 
predictable. Shannon's work on this was groundbreaking in the 40s and 50s, and well worth reading. 
(http://www.amazon.com/Claude-E-Shannon-Collected-Papers/dp/0780304349/ref=sr_1_2?ie=UTF8&s=books&qid=1268879094&sr=8-2)

 What is a strong pass phrase? What is sufficiently strong authentication? For example, is 128-bit strength enough, or 
excessive?

 The sentences above make for a cumbersome password: is 80 bits more reasonable?

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College

________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Steven 
Alexander [alexander.s () MCCD EDU]
Sent: Wednesday, March 17, 2010 5:08 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] password vs pass-phrase (was: Are users right in rejecting security advice?)

I think this touches on an important point: we don't have much experience or research guiding us in choosing good 
passphrases, and we will run into many of the same problems with passphrases that we have with passwords.  Obviously, 
famous quotes, book titles, and the like are awful choices.  But we're also going to run into problems with users 
picking phrases that are too simple and end up being subject to predictions based on language analysis.

Sentences tend to have predictable forms, like <Subject> <Verb> <Object> in English, that could lead to attacks that 
use word/phrase lists separated by their ability to serve as different components of a sentence.  In a naïve attack, 
senseless phrases like "I swim waffles" would be as likely as "I like pancakes."  Better language analysis based on 
written or spoken speech could potentially be used to produce a higher percentage of meaningful phrases.

If people actually choose passphrases like "I like football." or "My husband is boring.", then we may have to 
require much longer passphrases than 16 or 20 characters to get the entropy we want.

I'm not suggesting that passphrases are bad, just that they are unquantified.  Without good language analysis and lots 
of real-world examples of chosen passphrases, we don't know whether people actually choose better passphrases than 
passwords or how a passphrase of length X compares to a password of length Y.

My guess is that 16-20 characters is way too short.  Passphrases need to be long and unpredictable.

Steven Alexander Jr.
Online Education Systems Manager
Merced College
3600 M Street
Merced, CA 95348-2898
(209) 384-6191
alexander.s () mccd edu



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Charles 
Buchholtz
Sent: Wednesday, March 17, 2010 4:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] password vs pass-phrase (was: Are users right in rejecting security advice?)

On Wed, Mar 17, 2010 at 05:35:38PM -0400, Justin Azoff wrote:

Do any sites out there actually have a 'password' policy that is simply
'minimum length: 16' ?

Close: we accept any passphrase 16 characters or more as long as it is
not all one type of character (lower, upper, number, punctuation).
Spaces are ignored when checking "type of character".

Passwords of 9-15 characters must in addition pass a dictionary test.
On the password change page we provide a list of randomly generated 9
character passwords that are acceptable, if people just want to pick
one of those.  A new list is generated with each page reload.

Is there any research out there that shows that a 'complex' 8 character
password is more secure or easier to remember than a 16 character
passphrase?

We find that some people strongly prefer shorter passwords that pass
the dictionary test, and other people strongly prefer longer
pass-phrases made up of words.  Security is another story - for
instance, I'm pretty sure that "Alice in Wonderland" is less secure
than "TriSsmitp".

I considered doing a rough strength calculation: a three letter word
counts as 2190 (the number of three letter words in our
dictionary[1]), a four letter word counts as 7738, a letter not in a
word counts as 26, a numeral counts as 10, etc, and you multiply them
all up and that gives you a strength score.  "Alice in Wonderland"
gets 10^9 and "TriSsmitp" gets 10^12.  "My lawn is always green" gets
10^17.

Of course, that doesn't recognize that "Alice in Wonderland" is a
well-known phrase.  What I need is a phrase dictionary.  In multiple
languages, including slang.  Points should be given for switching
languages: "My lawn is always green" should score less than "My lawn
is sempre verde".

I also thought of testing pass phrases by Googling the string and
seeing how many hits it got.  Too many hits means the phrase is "too
common".  But we figured out that we'd be exposing our pass phrases on
insecure networks, and they would show up in Google's search
suggestions, etc.  BTW, 'Alice in Wonderland' = 32,300,000 matches,
'My lawn is always green' = 2,040, "My lawn is sempre verde" = 0.
"TriSsmitp" = 3.

--- Chip

Charles H. Buchholtz                    Director of Systems Programming
chip () seas upenn edu               School of Engineering and Applied Science
http://www.seas.upenn.edu/~chip           University of Pennsylvania

[1] /usr/dict words - if I were to implement this I'd use a real crack
dictionary.
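A worked example, added here and not code from any message in this thread, that puts Chip's rough strength calculation next to the Shannon figures Brian cites. The scoring rule is Chip's (a dictionary word counts as the number of words of that length in the dictionary, a letter not in a word counts 26, a numeral counts 10, multiply everything up, spaces ignored); the per-length counts 2190 and 7738 are the ones he gives for his dictionary. Everything else is an assumption made for this example: the tiny word list, the word counts for other lengths, the weight of 32 for a punctuation character, and the letter/digit/punctuation token split. The second half asks how many letters of running English would be needed to reach Brian's 80- and 128-bit targets at 0.6 and 1.3 bits per letter.

```python
"""Rough passphrase strength score (Chip's rule) beside Shannon's per-letter bound.

Added example, not code from the EDUCAUSE thread. Word counts 2190 (3 letters)
and 7738 (4 letters) are from the email; all other counts, the word list and
the punctuation weight are constructed assumptions for illustration.
"""
import math
import re

# Constructed stand-in for a crack dictionary: only the words the examples need.
DICTIONARY = {"alice", "in", "wonderland", "my", "lawn", "is", "always", "green",
              "like", "football", "husband", "boring"}

# Number of dictionary words per length. 2190 and 7738 are Chip's figures for
# /usr/dict/words; every other entry is an assumed round number.
WORDS_BY_LENGTH = {1: 2, 2: 100, 3: 2190, 4: 7738, 5: 12000, 6: 16000,
                   7: 18000, 8: 16000, 9: 14000, 10: 11000}

LETTER_WEIGHT = 26   # a letter that is not part of a dictionary word (Chip)
DIGIT_WEIGHT = 10    # a numeral (Chip)
PUNCT_WEIGHT = 32    # assumption: roughly the printable ASCII punctuation set

# Shannon's estimate for running English text, as cited by Brian: bits per letter.
SHANNON_LOW, SHANNON_HIGH = 0.6, 1.3

# Tokens: a run of letters, a run of digits, or one punctuation character.
# Whitespace is skipped, matching the "spaces are ignored" policy in the thread.
TOKEN_RE = re.compile(r"[A-Za-z]+|[0-9]+|[^\sA-Za-z0-9]")


def token_score(token: str) -> int:
    """Number of choices one token represents under Chip's rule."""
    if token.isdigit():
        return DIGIT_WEIGHT ** len(token)
    if token.isalpha():
        if token.lower() in DICTIONARY:
            # A known word is one choice among all dictionary words of its length.
            return WORDS_BY_LENGTH.get(len(token), LETTER_WEIGHT ** len(token))
        return LETTER_WEIGHT ** len(token)
    return PUNCT_WEIGHT ** len(token)


def strength_score(passphrase: str) -> int:
    """Multiply the per-token choices; this is Chip's 'multiply them all up'."""
    score = 1
    for token in TOKEN_RE.findall(passphrase):
        score *= token_score(token)
    return score


def strength_bits(passphrase: str) -> float:
    """The same score expressed in bits, for comparison with Brian's targets."""
    return math.log2(strength_score(passphrase))


def shannon_bits_range(passphrase: str) -> tuple:
    """Entropy of the phrase if it is treated as running English text (letters
    only), using Shannon's 0.6 and 1.3 bits-per-letter bounds."""
    letters = sum(1 for ch in passphrase if ch.isalpha())
    return letters * SHANNON_LOW, letters * SHANNON_HIGH


def english_letters_needed(target_bits: float, bits_per_letter: float) -> int:
    """Letters of running English needed to reach target_bits of entropy."""
    return math.ceil(target_bits / bits_per_letter)


if __name__ == "__main__":
    for phrase in ("Alice in Wonderland", "TriSsmitp", "My lawn is always green"):
        lo, hi = shannon_bits_range(phrase)
        print(f"{phrase!r}: score 10^{math.log10(strength_score(phrase)):.1f} "
              f"({strength_bits(phrase):.1f} bits); as running English: "
              f"{lo:.1f}-{hi:.1f} bits")
    for target in (80, 128):
        print(f"{target} bits of running English needs "
              f"{english_letters_needed(target, SHANNON_HIGH)} to "
              f"{english_letters_needed(target, SHANNON_LOW)} letters")
```

The two estimates pull in opposite directions. Chip's product treats each word as a uniform pick from the dictionary and so credits "My lawn is always green" with roughly 50 bits, while Shannon's per-letter rate for natural English puts the same 19 letters at about 11 to 25 bits, and reaching 128 bits of running English takes somewhere between about 100 and 215 letters. Like Chip's own sketch, this scorer has no phrase dictionary, so "Alice in Wonderland" is scored as three independent words rather than as one well-known title.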

