Replacing Passwords with Passphrases?
November 1st, 2006
Came across an interesting article which argues the case for replacing passwords with passphrases. So instead of authenticating into websites with passwords such as qwerty or password123, we may authenticate using a passphrase such as "This is my very secret password" or "Ooh Ah, Cantona".
Jeff Atwood says:
"Passwords are fundamentally broken because they aren’t compatible with normal human behavior… We have to encourage users to stop thinking of passwords as single words, and start thinking of them as pass phrases. The worst imaginable pass phrase (eg, "this is my secret password") is many times more secure than an average single word password (eg, "god123"). And it’s easier to remember."
I certainly think it’s an interesting idea, especially as many users choose simple passwords for fear of forgetting them; a sentence may relate better to a particular blog or website. For example, someone may choose "This site is way too blue" as their passphrase on this blog, which is a ton easier to remember and to link to this site.
Passphrases would be a lot harder for an automated script to crack. Assuming 70 different characters can be used in a password (26 uppercase letters, 26 lowercase letters, 10 digits and some punctuation), an 8-character password has something like 70^8 possible combinations. An 8-word passphrase drawn from a 500,000-word vocabulary could have something like 500000^8 combinations.
There are some flaws in the argument: sentences obey grammatical rules, and since many people will probably use ordinary sentences as their passphrases, an intelligent script could work out the sentence in far fewer guesses. Furthermore, if somebody manages to read the first few letters as they are typed on the keyboard, they may be able to guess the rest of the phrase. If I saw one of my friends type "Sta", I might hazard a guess at "Stargate is good/awesome" as the passphrase.
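To put numbers on the two paragraphs above, here is an added example (not part of the original post) that computes the search space and entropy in bits for the post's own figures, the 70-character, 8-character password and the 500,000-word, 8-word passphrase, and then applies the caveat about sentences obeying rules. The "structured sentence" attacker model is a constructed assumption of mine: roughly 5,000 common words for the first position and about 50 plausible continuations for each later word. The point it makes is that grammar can shrink an 8-word phrase to about the strength of an 8-character random password.

```python
import math

# Search-space and entropy arithmetic for password vs. passphrase.
# Figures marked "post" come from the blog post; the structured-sentence
# model is a constructed assumption, not a measured attacker capability.

CHARSET = 70          # post: 26 + 26 + 10 + some punctuation
PASSWORD_LEN = 8      # post: 8-character password
VOCAB = 500_000       # post: 500,000-word vocabulary
PHRASE_WORDS = 8      # post: 8-word passphrase

# Constructed assumption: users pick grammatical sentences, so the attacker
# only needs ~5,000 common first words and ~50 likely continuations per slot.
FIRST_WORD_CHOICES = 5_000
NEXT_WORD_CHOICES = 50


def search_space(symbols: int, length: int) -> int:
    """Number of distinct strings of `length` symbols drawn from `symbols` choices."""
    return symbols ** length


def entropy_bits(space: int) -> float:
    """Entropy in bits of a secret chosen uniformly from `space` possibilities."""
    return math.log2(space)


def structured_space(first_choices: int, next_choices: int, words: int) -> int:
    """Effective space when only the first word is 'free' and the rest follow grammar."""
    return first_choices * next_choices ** (words - 1)


def expected_crack_years(space: int, guesses_per_second: float) -> float:
    """Expected brute-force time: on average half the space is searched."""
    seconds = (space / 2) / guesses_per_second
    return seconds / (365 * 24 * 3600)


def compare(guesses_per_second: float = 1e9) -> dict:
    """Compare the three models at a given (assumed) guessing rate."""
    pw = search_space(CHARSET, PASSWORD_LEN)
    pp = search_space(VOCAB, PHRASE_WORDS)
    st = structured_space(FIRST_WORD_CHOICES, NEXT_WORD_CHOICES, PHRASE_WORDS)
    return {
        "password_bits": entropy_bits(pw),
        "passphrase_bits": entropy_bits(pp),
        "structured_passphrase_bits": entropy_bits(st),
        "password_years": expected_crack_years(pw, guesses_per_second),
        "passphrase_years": expected_crack_years(pp, guesses_per_second),
        "structured_passphrase_years": expected_crack_years(st, guesses_per_second),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>30}: {value:,.2f}")
```

The uniform-choice passphrase comes out at roughly 151 bits against roughly 49 bits for the password, but under the constructed grammar model the phrase drops to roughly 52 bits, which is why the post's caveat matters: the defender's estimate should be based on how people actually choose phrases, not on the size of the dictionary.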
There are also questions about how much leeway to allow when checking a passphrase. With the passphrase "The Firefox jumped over the Opera", should it be accepted if Firefox is not capitalized? Should it be accepted if a word is left out? With passphrases it may sometimes be hard to remember the exact word order and where all the punctuation goes.
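The leeway question has a practical constraint the paragraph above does not spell out: a stored password hash can only be compared exactly, so any tolerance (ignoring case, ignoring punctuation) has to be applied as a fixed normalization step before hashing, identically at enrolment and at login. The following added example (my code, not the post's or any project's) shows a strict policy and a lenient policy side by side, using PBKDF2-HMAC-SHA256 from the standard library; the policy names, the helper functions and the iteration count are all assumptions. A missing word still fails under both policies, because no normalization can recover it.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Assumed normalization policies (not from the post): which tolerances to apply
# before hashing. Each tolerance trades a little entropy for memorability.
STRICT = {"fold_case": False, "drop_punct": False}
LENIENT = {"fold_case": True, "drop_punct": True}

_PUNCT = re.compile(r"[^\w\s]")   # anything that is not a word character or whitespace
_WS = re.compile(r"\s+")          # runs of whitespace


def normalize(passphrase: str, *, fold_case: bool, drop_punct: bool) -> str:
    """Canonical form of a passphrase under a policy; always NFKC + single spaces."""
    s = unicodedata.normalize("NFKC", passphrase)
    if drop_punct:
        s = _PUNCT.sub("", s)
    s = _WS.sub(" ", s).strip()
    if fold_case:
        s = s.casefold()
    return s


def enrol(passphrase: str, policy: dict, iterations: int = 200_000) -> dict:
    """Store salt, digest and the policy used, so login normalizes the same way."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(passphrase, **policy).encode("utf-8"), salt, iterations
    )
    return {"salt": salt, "digest": digest, "iterations": iterations, "policy": dict(policy)}


def verify(record: dict, attempt: str) -> bool:
    """Recompute the digest under the stored policy and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize(attempt, **record["policy"]).encode("utf-8"),
        record["salt"],
        record["iterations"],
    )
    return hmac.compare_digest(digest, record["digest"])


if __name__ == "__main__":
    phrase = "The Firefox jumped over the Opera."
    for name, policy in (("strict", STRICT), ("lenient", LENIENT)):
        rec = enrol(phrase, policy)
        print(name, "exact:", verify(rec, phrase))
        print(name, "lower-case, no punctuation:",
              verify(rec, "the firefox jumped over the opera"))
        print(name, "missing word:", verify(rec, "the firefox jumped over opera"))
```

Whatever policy is chosen must be fixed at enrolment and recorded with the hash; changing it later silently locks users out. Folding case removes up to one bit per word from the attacker's work, and dropping punctuation a little more, so the lenient policy should be weighed against the entropy estimates rather than adopted by default.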
Any thoughts?
Via OneCommune.
- Internet, Web Development
- Comments(5)
A forum which I partake in has been discussing this, you can read it at: http://onecommune.net/community/index.php?showtopic=587
I personally think it’s a bad idea on its own, and should be made easier.
Oh, didn’t see the ‘via’ bit
You could also guess that their password was "Stargate" if you saw them type "Sta", that argument is rather pointless, considering with a pass phrase you’d also have to figure out the following words.
As for making it easier, you could just remove the punctuation and turn all capitals into lower case when comparing it. Not quite as secure, but one hell of a lot easier.
But passwords tend to contain a number on the end.
Astronomy is one of those things with so much possibility, but seems to have gone strangely "out of fashion" lately.
If only I was intelligent enough…