Educause Security Discussion mailing list archives
Re: password vs pass-phrase (was: Are users right in rejecting security advice?)
From: Steven Alexander <alexander.s () MCCD EDU>
Date: Wed, 17 Mar 2010 17:08:29 -0700
I think this touches on an important point: we don't have much experience or research guiding us in choosing good passphrases and will run into many of the same problems with passphrases that we have with passwords. Obviously, famous quotes, book titles, and the like are awful choices. But we're also going to run into problems with users picking phrases that are too simple and end up being subject to predictions based on language analysis. Sentences tend to have predictable forms, like <Subject> <Verb> <Object> in English, that could lead to attacks that use word/phrase lists separated by their ability to serve as different components of a sentence. In a naïve attack, senseless phrases like "I swim waffles" would be as likely as "I like pancakes." Better language analysis based on written or spoken speech could potentially be used to produce a higher percentage of meaningful phrases. If people actually choose passphrases like "I like football." or "My husband is boring.", then we may have to require much longer passphrases than 16 or 20 characters to get the entropy we want.

I'm not suggesting that passphrases are bad, just that they are unquantified. Without good language analysis and lots of real-world examples of chosen passphrases, we don't know whether people actually choose better passphrases than passwords or how a passphrase of length X compares to a password of length Y. My guess is that 16-20 characters is way too short. Passphrases need to be long and unpredictable.

Steven Alexander Jr.
Online Education Systems Manager
Merced College
3600 M Street
Merced, CA 95348-2898
(209) 384-6191
alexander.s () mccd edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Charles Buchholtz
Sent: Wednesday, March 17, 2010 4:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] password vs pass-phrase (was: Are users right in rejecting security advice?)
On Wed, Mar 17, 2010 at 05:35:38PM -0400, Justin Azoff wrote:
> Do any sites out there actually have a 'password' policy that is simply 'minimum length: 16' ?
Close: we accept any passphrase 16 characters or more as long as it is not all one type of character (lower, upper, number, punctuation). Spaces are ignored when checking "type of character". Passwords of 9-15 characters must in addition pass a dictionary test. On the password change page we provide a list of randomly generated 9 character passwords that are acceptable, if people just want to pick one of those. A new list is generated with each page reload.
> Is there any research out there that shows that a 'complex' 8 character password is more secure or easier to remember than a 16 character passphrase?
We find that some people strongly prefer shorter passwords that pass the dictionary test, and other people strongly prefer longer pass-phrases made up of words.

Security is another story - for instance, I'm pretty sure that "Alice in Wonderland" is less secure than "TriSsmitp". I considered doing a rough strength calculation: a three letter word counts as 2190 (the number of three letter words in our dictionary[1]), a four letter word counts as 7738, a letter not in a word counts as 26, a numeral counts as 10, etc., and you multiply them all up and that gives you a strength score. "Alice in Wonderland" gets 10^9 and "TriSsmitp" gets 10^12. "My lawn is always green" gets 10^17.

Of course, that doesn't recognize that "Alice in Wonderland" is a well-known phrase. What I need is a phrase dictionary. In multiple languages, including slang. Points should be given for switching languages: "My lawn is always green" should score less than "My lawn is sempre verde".

I also thought of testing pass phrases by Googling the string and seeing how many hits it got. Too many hits means the phrase is "too common". But we figured out that we'd be exposing our pass phrases on insecure networks, and they would show up in Google's search suggestions, etc. BTW, 'Alice in Wonderland' = 32,300,000 matches, 'My lawn is always green' = 2,040, "My lawn is sempre verde" = 0. "TriSsmitp" = 3.

--- Chip

Charles H. Buchholtz
Director of Systems Programming
School of Engineering and Applied Science
University of Pennsylvania
chip () seas upenn edu
http://www.seas.upenn.edu/~chip

[1] /usr/dict/words - if I were to implement this I'd use a real crack dictionary.
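Chip's rough strength score, worked through as an added example; this is not code from the thread, from Penn or from Merced College. The two per-length counts he quotes for /usr/dict/words (2190 three-letter words, 7738 four-letter words) are taken from his message; every other per-length count, the 32-symbol weight for punctuation, the mini word list and the phrase list are constructed placeholders so the script runs offline. It also adds the phrase-dictionary check he says he would need, scoring a known phrase as one guess out of the phrase list, which is what turns "Alice in Wonderland" from a 10^9-ish product into a handful of guesses.

```python
"""Rough passphrase strength score along the lines sketched in the thread.

Added example, not Chip Buchholtz's implementation. WORDS_PER_LENGTH[3] and
WORDS_PER_LENGTH[4] are the counts he quotes for /usr/dict/words; the other
entries, the word list and the phrase list are constructed for the demo.
"""
import math
import string

# Constructed mini-dictionary (stand-in for /usr/dict/words or a crack dictionary).
DEMO_WORDS = {"alice", "in", "wonderland", "my", "lawn", "is", "always", "green",
              "sempre", "verde"}

# Number of dictionary words of each length: 3 and 4 come from the thread,
# the rest are assumptions so the example is self-contained.
WORDS_PER_LENGTH = {2: 100, 3: 2190, 4: 7738, 5: 8000, 6: 12000, 10: 15000}

# Constructed phrase dictionary: titles and quotes that should not get word-by-word credit.
DEMO_PHRASES = {"alice in wonderland", "to be or not to be"}

LETTER = 26   # a letter that is not part of a dictionary word (from the thread)
DIGIT = 10    # a numeral (from the thread)
PUNCT = 32    # a punctuation character (assumption; the thread says "etc.")


def word_count_table(words):
    """Derive the per-length word counts from a word list, as footnote [1] suggests."""
    table = {}
    for w in words:
        table[len(w)] = table.get(len(w), 0) + 1
    return table


def normalize_phrase(passphrase):
    """Lower-case, collapse whitespace and drop edge punctuation for the phrase lookup."""
    return " ".join(passphrase.lower().split()).strip(string.punctuation + " ")


def strength(passphrase, words=DEMO_WORDS, table=WORDS_PER_LENGTH, phrases=DEMO_PHRASES):
    """Return the estimated keyspace (the multiplied-up score from the thread)."""
    if normalize_phrase(passphrase) in phrases:
        # A well-known phrase is one guess out of the phrase list, however long it is.
        return len(phrases)
    score = 1
    for token in passphrase.split():
        bare = token.strip(string.punctuation).lower()
        if bare in words:
            # Dictionary word: worth the number of words of that length. If we have
            # no count for that length, give it no credit rather than over-count it.
            score *= table.get(len(bare), 1)
            # Edge punctuation attached to the word still counts per character.
            score *= PUNCT ** sum(1 for ch in token if ch in string.punctuation)
        else:
            # Not a word: score character by character.
            for ch in token:
                if ch.isalpha():
                    score *= LETTER
                elif ch.isdigit():
                    score *= DIGIT
                else:
                    score *= PUNCT
    return score


def bits(passphrase, **kw):
    """Same score expressed as bits, which is easier to compare across lengths."""
    return math.log2(strength(passphrase, **kw))


if __name__ == "__main__":
    for p in ("Alice in Wonderland", "TriSsmitp", "My lawn is always green", "lawn 2024!"):
        print(f"{p!r}: {strength(p)} ({bits(p):.1f} bits)")
```

Two things worth noticing when running it. The language-switch bonus Chip asks for is not modelled: with both Italian words in the word list, "My lawn is sempre verde" scores exactly the same as "My lawn is always green", so a multilingual dictionary alone does not reward mixing languages. And the Google-hit-count idea is deliberately left out, for the reason the message itself gives: sending candidate passphrases to a third-party search engine leaks them.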
Current thread:
- password vs pass-phrase (was: Are users right in rejecting security advice?) Charles Buchholtz (Mar 17)
- <Possible follow-ups>
- Re: password vs pass-phrase (was: Are users right in rejecting security advice?) Steven Alexander (Mar 17)
- Re: password vs pass-phrase (was: Are users right in rejecting security advice?) Basgen, Brian (Mar 17)
- Re: password vs pass-phrase (was: Are users right in rejecting security advice?) Eric Case (Mar 17)
- Re: password vs pass-phrase (was: Are users right in rejecting security advice?) Steven Alexander (Mar 18)
- Re: password vs pass-phrase (was: Are users right in rejecting security advice?) Allison Dolan (Mar 18)
- Re: password vs pass-phrase (was: Are users right in rejecting security advice?) Zach Jansen (Mar 18)
- Re: password vs pass-phrase (was: Are users right in rejecting security advice?) Valdis Kletnieks (Mar 18)
- Re: password vs pass-phrase (was: Are users right in rejecting security advice?) Roger Safian (Mar 18)
- Re: password vs pass-phrase (was: Are users right in rejecting security advice?) Eric Case (Mar 18)
- Re: password vs pass-phrase (was: Are users right in rejecting security advice?) Charles Buchholtz (Mar 18)