Passphrases
Office of Information Security

Why Transition to a Passphrase?

Strong passwords are an essential aspect of account security. Unfortunately, complexity requirements often lead to confusing, hard-to-type, and hard-to-remember passwords, which in turn lead users to circumvent other important controls. Industry leaders have analyzed hundreds of millions of accounts and concluded that the practices of the past (forcing complexity, password expiration, hints, questions, etc.) have led to bad user experience and, therefore, bad behavior.

As a result, cybersecurity experts and organizations are recommending the use of passphrases (four or more random words, a phrase, or a sentence) to combat these challenges. Passphrases present a win-win situation in that they are much easier to remember and type, but are harder to crack because they are, by nature, longer.

For example, passphrases such as Lawyer Beast Scissors Alert (four random words) and Fifth grade water balloon fight! (personally meaningful) are easier to remember and type than something like !a$5_Yx2. That said, not all passphrases are created equal, so make sure you follow basic Passphrase Best Practices to minimize risk.

Passphrase Strength

The strength of a memorized secret (PIN, password, or passphrase) increases exponentially with its length rather than its complexity. The highly complex password !a$5_Yx2 is generated from a common standard that requires a minimum length of 8 from a set of 93 characters. That means there are 93^8 (5,595,818,096,650,400) possible password combinations. Although that’s a lot of possibilities, the computational power and hacking tools available today can crack that password without much trouble.

Consider the following evolution of a complex password into a less complex yet stronger, more meaningful passphrase. Make sure to note the relationships between complexity (available characters per set) and length. For purposes of comparison, !a$5_Yx2 from above will be used as the measurement standard.

Let’s say you start with ilovestudents for your initial passphrase.

| Action | Passphrase | Strength | Relative to !a$5_Yx2 |
|---|---|---|---|
| Pick something meaningful. | ilovestudents | 26^13 | 443 times stronger. |
| Make it more specific to increase its length. | ilovetohelpstudents | 26^19 | 1.36971E+11 times stronger. |
| Add capitals for emphasis and increase complexity. | ILovetoHelpStudents | 52^19 | 7.18125E+16 times stronger. |
| Swapping a number for a word adds complexity but shortens the length. | ILove2HelpStudents | 62^18 | 3.27482E+16 times stronger but less than half the previous passphrase. |
| Add punctuation for emphasis to increase complexity and length. | ILove2HelpStudents! | 93^19 | 4.50104E+21 times stronger. |
| Use normal sentence structure to make it more natural to type and to increase its length. | I Love 2 Help Students! | 93^23 | 3.36701E+29 times stronger. |

If you are following basic Best Practices, a passphrase like I Love 2 Help Students! is so strong that it would take eons to crack.
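
The strength figures in the comparison above can be reproduced with a short script. This is an added example, not part of the original post; the function names are hypothetical, and it assumes a space counts toward the 93-character tier the same way punctuation does.

```python
import math

BASELINE = "!a$5_Yx2"  # the complex 8-character password the page measures against

# The passphrases from the page's evolution, in order.
STEPS = [
    "ilovestudents",
    "ilovetohelpstudents",
    "ILovetoHelpStudents",
    "ILove2HelpStudents",
    "ILove2HelpStudents!",
    "I Love 2 Help Students!",
]

def charset_size(secret: str) -> int:
    """Map a secret onto the page's cumulative character-set tiers.

    Assumption: a space, like punctuation, puts the secret in the 93 tier.
    """
    if any(not c.isalnum() for c in secret):
        return 93  # letters, digits and symbols
    if any(c.isdigit() for c in secret):
        return 62  # upper + lower + digits
    if any(c.isupper() for c in secret):
        return 52  # upper + lower
    return 26      # lowercase only

def keyspace(secret: str) -> int:
    """Candidates an exhaustive search must cover: charset ** length (exact int)."""
    return charset_size(secret) ** len(secret)

def relative_strength(secret: str, baseline: str = BASELINE) -> float:
    """How many times larger the secret's keyspace is than the baseline's."""
    return keyspace(secret) / keyspace(baseline)

def bits(secret: str) -> float:
    """The same keyspace on a log2 scale, which is easier to compare by eye."""
    return len(secret) * math.log2(charset_size(secret))

def report(steps=STEPS):
    """One row per passphrase: (phrase, model, ratio to baseline, bits)."""
    return [(s, f"{charset_size(s)}^{len(s)}", relative_strength(s), bits(s))
            for s in steps]

if __name__ == "__main__":
    for phrase, model, ratio, b in report():
        print(f"{phrase!r:28} {model:>6} {ratio:12.5E}x {b:6.1f} bits")
```

These figures count an exhaustive search over independently chosen characters, so they are an upper bound: a phrase built from predictable words or a well-known quotation falls to dictionary guessing much sooner, which is why the best practices matter.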