Monday, 24 January 2005
Passphrases vs. Passwords - real life trial

I had to change one of my passwords today (good security practices and all that), and with the recent discussions around the 'net concerning using passphrases in place of passwords, I decided to go full tilt and start using passphrases on this account rather than passwords.

One of the great things about passphrases is that they can be quite long and secure, yet easy to type and remember. For example, I could use either of these as a secure passphrase that more than meets all the security requirements of a Windows standard password-complexity template:

Is this my nifty-difty passphrase?

   - or -

Wow yo thats a really cool Red Radio you have there!

Of course, I could also be more paranoid (and in real life I am) by using something like "Is this my nyftie-dyftie passphraze?" but even with the standard dictionary words, the combination of having to determine the number of words, case, punctuation, order and spacing is a pretty darn complicated task. For more information about effectiveness of passphrases and their complexity, read what Jesper Johanssen wrote on the topic.

I can included spaces and everything - they're part of the passphrase, and the fact that I am using dictionary words works in the case of a passphrase, where they don't really pass muster when using 8-character-minimum passwords.

Passphrases use multiple words or variations, can be out of place and odd, easy to remember and easy to type quickly. The only problem I have had since changing to my new passphrase is remembering that I changed my password at all - I keep typing the old one... It's like writing "2004" on checks, I guess... This, too, shall pass.

Anyhow, I can type my passphrase accurately every single time, very quickly and reliably, so I am happy with that. If I choose a phrase that means something to me at the time, it will be easy to work with until I have to change it again in several weeks. I think it's a good thing - all in all better from a user standpoint than convoluted and hard-to-type passwords.

More on passwords vs. passphrases can be found here. Also, Susan Bradley, who blogs about Small Business Server quite a bit, has some thoughts on the subject and some policy configuration information (via Adam Field).


Add/Read: Comments [0] 		IT Security | Tech
01/24/2005 21:52:42 (Pacific Standard Time, UTC-08:00)
#  Trackback
Tracked by:
"Passwords vs Passphrases" (Adam's Mindspace) [Trackback]
"Passwords vs Passphrases" (Adam's Mindspace) [Trackback]
"No passphrases on Windows Mobile? This sucks..." (greg hughes - dot - net) [Trackback]
"Passphrase success, Sigmund Freud and Stress" (greg hughes - dot - net) [Trackback]
"Passwords Revisited" (bblog) [Trackback]
"The Roots of Social Engineering - and why passphrases are such a good idea" (gr... [Trackback]
"Security Philosphy - Password, passphrases and software to help" (greg hughes -... [Trackback]
"Security Philosophy - Passwords, passphrases and software to help" (greg hughes... [Trackback]

© Copyright 2005 Greg Hughes  Send mail to the author(s)
 
Creative Commons License
This work is licensed under a Creative Commons License.
 
Subscribe to this weblog's RSS feed with SharpReader, Radio Userland, NewsGator or any other aggregator listening on port 5335 by clicking this button.  RSS 2.0|Atom 1.0

This page was rendered at 11/25/2005 23:36:00 (Pacific Standard Time, UTC-08:00)

newtelligence dasBlog 1.8.5223.0