Educause Security Discussion mailing list archives

Re: password vs pass-phrase (was: Are users right in rejecting security advice?)


From: Steven Alexander <alexander.s () MCCD EDU>
Date: Wed, 17 Mar 2010 17:08:29 -0700

I think this touches on an important point, we don't have much experience or research guiding us in choosing good 
passphrases and will run into many of the same problems with passphrases that we have with passwords.  Obviously, 
famous quotes, book titles, and the like are awful choices.  But we're also going to run into problems with users 
picking phrases that are too simple and end up being subject to predictions based on language analysis.

Sentences tend to have predictable forms, like <Subject> <Verb> <Object> in English, that could lead to attacks that 
use word/phrase lists separated by their ability to serve as different components of a sentence.  In a naïve attack, 
senseless phrases like "I swim waffles" would be as likely as "I like pancakes."  Better language analysis based on 
written or spoken speech could potentially be used to produce a higher percentage of meaningful phrases.

If people actually choose passphrases like "I like football." or "My husband is boring.", then we may have to 
require much longer passphrases than 16 or 20 characters to get the entropy we want.

I'm not suggesting that passphrases are bad, just that they are unquantified.  Without good language analysis and lots 
of real-world examples of chosen passphrases, we don't know whether people actually choose better passphrases than 
passwords or how a passphrase of length X compares to a password of length Y.

My guess is that 16-20 characters is way too short.  Passphrases need to be long and unpredictable.

Steven Alexander Jr.
Online Education Systems Manager
Merced College
3600 M Street
Merced, CA 95348-2898
(209) 384-6191
alexander.s () mccd edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Charles Buchholtz
Sent: Wednesday, March 17, 2010 4:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] password vs pass-phrase (was: Are users right in rejecting security advice?)

On Wed, Mar 17, 2010 at 05:35:38PM -0400, Justin Azoff wrote:

> Do any sites out there actually have a 'password' policy that is simply
> 'minimum length: 16' ?

Close: we accept any passphrase 16 characters or more as long as it is
not all one type of character (lower, upper, number, punctuation).
Spaces are ignored when checking "type of character".

Passwords of 9-15 characters must in addition pass a dictionary test.
On the password change page we provide a list of randomly generated 9
character passwords that are acceptable, if people just want to pick
one of those.  A new list is generated with each page reload.

Is there any research out there that shows that a 'complex' 8 character
password is more secure or easier to remember than a 16 character
passphrase?

We find that some people strongly prefer shorter passwords that pass
the dictionary test, and other people strongly prefer longer
pass-phrases made up of words.  Security is another story - for
instance, I'm pretty sure that "Alice in Wonderland" is less secure
than "TriSsmitp".

I considered doing a rough strength calculation: a three letter word
counts as 2190 (the number of three letter words in our
dictionary[1]), a four letter word counts as 7738, a letter not in a
word counts as 26, a numeral counts as 10, etc, and you multiply them
all up and that gives you a strength score.  "Alice in Wonderland"
gets 10^9 and "TriSsmitp" gets 10^12.  "My lawn is always green" gets
10^17.

Of course, that doesn't recognize that "Alice in Wonderland" is a
well-known phrase.  What I need is a phrase dictionary.  In multiple
languages, including slang.  Points should be given for switching
languages: "My lawn is always green" should score less than "My lawn
is sempre verde"

I also thought of testing pass phrases by Googling the string and
seeing how many hits it got.  Too many hits means the phrase is "too
common".  But we figured out that we'd be exposing our pass phrases on
insecure networks, and they would show up in Google's search
suggestions, etc.  BTW, 'Alice in Wonderland' = 32,300,000 matches,
'My lawn is always green' = 2,040, "My lawn is sempre verde" = 0.
"TriSsmitp" = 3.

--- Chip

Charles H. Buchholtz                    Director of Systems Programming
chip () seas upenn edu               School of Engineering and Applied Science
http://www.seas.upenn.edu/~chip           University of Pennsylvania

[1] /usr/dict words - if I were to implement this I'd use a real crack
dictionary.
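Chip's posted policy (16+ characters with more than one character type, spaces ignored; 9 to 15 characters must also pass a dictionary test) and his rough multiply-the-counts strength score, written out as an added example that is not code from the original post or from Penn. The 2190 and 7738 word counts are the ones quoted in the post; every other count, the word list, the phrase list and its assumed size, and the 32-symbol punctuation alphabet are constructed for this example.

```python
import math
import re

# Constructed stand-ins for the data the scoring needs. The 3- and 4-letter
# counts (2190, 7738) are the /usr/dict/words figures from the post; every other
# number and every word below is made up for this example.
WORDS_BY_LENGTH = {1: 2, 2: 100, 3: 2190, 4: 7738, 5: 10000, 6: 15000,
                   7: 20000, 8: 20000, 9: 15000, 10: 10000}
DEFAULT_WORD_COUNT = 5000          # assumed count for lengths not listed above
DICTIONARY = {"i", "my", "in", "is", "like", "lawn", "alice", "green",
              "always", "verde", "sempre", "football", "wonderland"}
KNOWN_PHRASES = {"alice in wonderland"}   # the "phrase dictionary" the post asks for
PHRASE_LIST_SIZE = 10 ** 6                # assumed size of a real phrase list
PUNCT_ALPHABET = 32                       # assumed alphabet per punctuation char

TOKEN_RE = re.compile(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9\s]+")


def token_space(token):
    """Search-space size one token contributes, following the post's rules."""
    if token.isdigit():
        return 10 ** len(token)            # a numeral counts as 10
    if token.isalpha():
        if token.lower() in DICTIONARY:
            return WORDS_BY_LENGTH.get(len(token), DEFAULT_WORD_COUNT)
        return 26 ** len(token)            # letters not forming a word: 26 each
    return PUNCT_ALPHABET ** len(token)


def strength_log10(phrase):
    """Log10 of the product of token spaces, capped for well-known phrases."""
    tokens = TOKEN_RE.findall(phrase)
    if not tokens:
        return 0.0
    # Summing logs is the same as multiplying the counts, without huge ints.
    score = sum(math.log10(token_space(t)) for t in tokens)
    words_only = " ".join(t.lower() for t in tokens if t.isalpha())
    if words_only in KNOWN_PHRASES:
        # A famous phrase is one entry in a phrase list, not a product of words.
        score = min(score, math.log10(PHRASE_LIST_SIZE))
    return score


def char_classes(candidate):
    """Character types present, with spaces ignored as in the posted policy."""
    classes = set()
    for c in candidate:
        if c.isspace():
            continue
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("number")
        else:
            classes.add("punctuation")
    return classes


def fails_dictionary_test(candidate):
    """Constructed dictionary test: every alphabetic token is a known word."""
    words = [t for t in TOKEN_RE.findall(candidate) if t.isalpha()]
    return bool(words) and all(w.lower() in DICTIONARY for w in words)


def passes_policy(candidate):
    """16+ chars need two character types; 9-15 chars must also pass the
    dictionary test; anything shorter is rejected."""
    length = len(candidate)
    if length < 9 or len(char_classes(candidate)) < 2:
        return False
    if length >= 16:
        return True
    return not fails_dictionary_test(candidate)


if __name__ == "__main__":
    for p in ["Alice in Wonderland", "TriSsmitp",
              "My lawn is always green", "football1"]:
        verdict = "ok" if passes_policy(p) else "reject"
        print(f"{p!r:28} log10 strength {strength_log10(p):6.2f}  policy {verdict}")
```

With these constructed tables the ordering matches the post: the famous phrase is capped at the phrase-list size, the nine mixed-case letters land near 10^12.7, and the five-word sentence scores highest. The cap is what a phrase dictionary buys you; without it "Alice in Wonderland" would score 10^10 here and look stronger than it is.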

