
December 20, 2004

Passphrases, not passwords: The key to account security?

Larry J. Seltzer, in a relatively plain-English column in PC Magazine, reports that the traditional wisdom on computer passwords is changing.

The widespread (and widely ignored) advice has been to create passwords that incorporate upper-case and lower-case letters, numbers, symbols, and punctuation -- like the Pa55.W0rd in the title of Seltzer's article -- and to change them frequently. Now, however, a discussion initiated by Microsoft security expert Robert Hensing suggests that short passwords, no matter how complex, are easier to crack than long passphrases, no matter how ordinary the words they contain.

"Short and complex," in Seltzer's example, is "Ih8m0d3rnART!", a distortion of a "phrase you can remember" -- "I hate modern art!" According to Hensing's reasoning, it's preferable just to use the phrase itself, spaces and all. It was news to me, but "Windows has supported passphrases of up to 127 characters since Windows 2000."

Seltzer thinks this is such a good idea that he has just changed his Amazon.com password to "a 129-character passphrase with punctuation and mixed cases." It's a good thing he buys his books at Amazon instead of Barnes and Noble, which has a twelve-character limit on passwords and bans the use of spaces.

Not every security expert in the blogosphere buys Hensing's reasoning (Seltzer goes over it lightly in his piece, but not even he claims to understand it fully). In particular, "if brute-force password crackers work by trying combinations of characters, a passphrase cracker would work by trying combinations of words" and, by implication, would eventually succeed.

That notion conflicts with ideas recently explored by Daniel Akst in his New York Times essay on computer-generated fiction. (It's no longer available for free on the Times site, but you may be able to access it through your public library.) I blogged Akst's article, as did many others.

In it, Akst refers to cognitive psychologist Steven Pinker's estimate that "the number of possible sentences of 20 words or less that the average person can understand is perhaps a hundred million trillion, or many times the number of seconds since the universe was born." If that's the case, even brute-force passphrase crackers have their work cut out for them.
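The disagreement above comes down to which search the attacker runs: every string of characters, every sequence of dictionary words, or every sentence a person could understand. The script below is an added illustration (it is not from this post, nor from Seltzer's column or Hensing's discussion) that puts numbers on those three searches for the two secrets quoted above. It assumes a 95-symbol printable-ASCII alphabet for the character search, a 20,000-word vocabulary for the word search, and a billion guesses per second for the time estimate; the vocabulary size and guessing rate are assumptions chosen for the example, while the "hundred million trillion" sentence count is Pinker's figure as quoted in the post.

```python
import math

PRINTABLE_ASCII = 95         # printable ASCII symbols: the alphabet of a character-level brute-force search
ASSUMED_VOCABULARY = 20_000  # assumption for this example: words a word-level cracker would try
PINKER_SENTENCES = 1e20      # "a hundred million trillion" sentences of 20 words or fewer, as quoted in the post
GUESSES_PER_SECOND = 1e9     # assumption for this example: an illustrative guessing rate


def char_search_bits(text: str, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Work, in bits, to exhaust every string of len(text) symbols: len * log2(alphabet)."""
    return len(text) * math.log2(alphabet_size)


def word_search_bits(text: str, vocabulary_size: int = ASSUMED_VOCABULARY) -> float:
    """Work, in bits, for a cracker that tries every sequence of N vocabulary words,
    where N is the number of whitespace-separated words in the phrase."""
    n_words = len(text.split())
    return n_words * math.log2(vocabulary_size)


def sentence_bits(n_sentences: float = PINKER_SENTENCES) -> float:
    """Work, in bits, to try every understandable sentence, using Pinker's count."""
    return math.log2(n_sentences)


def years_to_exhaust(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try the whole space of 2**bits candidates at the given rate."""
    return (2.0 ** bits) / guesses_per_second / (365.25 * 24 * 3600)


def compare(password: str, passphrase: str) -> dict:
    """Bits of work under each attacker model for a short complex password and its source phrase."""
    return {
        "password_chars": char_search_bits(password),      # character search against the password
        "passphrase_chars": char_search_bits(passphrase),  # character search against the phrase
        "passphrase_words": word_search_bits(passphrase),  # word-combination search against the phrase
        "pinker_sentences": sentence_bits(),               # search over all understandable sentences
    }


if __name__ == "__main__":
    result = compare("Ih8m0d3rnART!", "I hate modern art!")
    for model, bits in result.items():
        years = years_to_exhaust(bits)
        print(f"{model:18s} {bits:6.1f} bits  ~{years:.3g} years at {GUESSES_PER_SECOND:.0e} guesses/s")
```

Read against the text: a character-level cracker faces about 85 bits of work for "Ih8m0d3rnART!" and about 118 bits for "I hate modern art!", which is Hensing's point; a word-level cracker with a 20,000-word vocabulary faces only about 57 bits for the four-word phrase, which is the objection in the previous paragraph; and a search over every understandable sentence in Pinker's estimate sits at roughly 66 bits. Which number applies depends on what the attacker knows about how the phrase was chosen, so the longer, less guessable phrases in the list that follows matter more than the raw character count.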

Which leads to some delightful possibilities:

Your online banking passphrase: "Neither a borrower nor a lender be." (37 characters, with spaces and punctuation.)
Your online library passphrase: You can't tell a book by its cover. (35 characters)
Your New York Times website passphrase: "It's up to you, New York, New York." (36 characters)
Your Washington Post website passphrase: 1600 Pennsylvania Avenue (24 characters)
Your HMO website passphrase: An apple a day keeps the doctor away. (37 characters)
Your e-mail account passphrase: "I'm gonna sit right down and write myself a letter." (53 characters)
Your Social Security account passphrase: "Will you still need me, will you still feed me, when I'm sixty-four?" (70 characters)
Your work intranet passphrase (that is, until you're required to change it): "I'll amputate his reveille and step upon it heavily and spend the rest of my days in bed." (91 characters)

Now, assuming you can remember how you punctuated things, whether you spelled numbers out or used numerals, which quotes you enclosed in quotation marks, and how to spell all the words without typos, creating passphrases may become a fun pastime. Your accounts may even become more secure.

That is, unless Seltzer is right and passphrases don't exactly capture the public imagination. "Will the only people willing to use passphrases be the ones who were willing to use complex passwords?" he asks. My guess is that, for now, this bandwagon will be populated only by geeks and word freaks. But that's a start. 
