Passphrases: I Love Lucy But Not Bugs Bunny in 1957
Jul 05, 2018 10:48AM
By Kathleen Maris
By Phillip C. Cluley
Recent cybersecurity attacks and large-scale data breaches have permeated all facets of our lives, including politics. The fear of hacking has altered our perception of cybersecurity and, correspondingly, our use of passwords.
Passwords are a necessity for everyday life in the information age. We use some level of authentication for most aspects of electronic interaction. It is no longer a matter of if and when a password is used, but now the conversation surrounds how complex our passwords must be. A greater emphasis is on password authentication, password security, and understanding the perils of social engineering.
Password security has improved with new authentication methods and protocols. From the end user’s perspective, passwords are more complex and therefore more confusing. We must remember 20 different passwords based on 20 different criteria and password rules on 20 different websites. Each site maintains a different allowable character set, different levels of forced complexity, different minimum and maximum text lengths, and different expiration periods. Which website am I visiting? Eight to 16 characters with no spaces and a number? Fewer than 12 characters with upper case, lower case, and a “special” character (and what makes them so special?). Second youngest child or my cat’s name? While we are gently reminded not to use simple naming conventions or syntax methods, most of us still find it simpler to use less secure passwords so we can get where we need to go.
Who amongst us has a “password” document or paper list of passwords so we can remember them all? We have a myriad of password apps available to remember for us. They too must be password protected. We must be careful not to fall back on mobile device dependency for authentication when password frustration sets in. Not all banking, shopping, and industry sites allow PIN, facial recognition, or biometrics.
A better alternative to password authentication is the passphrase. Passphrase authentication has been available for quite some time. Most end users and customers do not use them. Many companies do not offer passphrase as a choice. Both of these situations must change.
A passphrase is longer than a password. It can be a sentence or a unique sequence of words (or word replacements). Word replacement is often how password methodology is constructed. An example is “P@55worD”. Passphrases include spaces while passwords usually do not. Passphrases can contain all the same character sets as passwords and can satisfy even the most complex password requirements.
Must information technology be so insistent on password complexity that it forgets the need for a simple, understandable sentence, one that lets users generate text strings they can remember and sustain for long periods of time? A passphrase is meaningful to you (hence memorable), but in sheer length, it is difficult to guess (computationally and physically). Every additional letter lengthens password-cracking times exponentially.
Longer passwords take much longer to crack. Passphrases, with greater length, are even more difficult to decipher. This isn’t to say that length is the only solution. Permutations of common words are still often hacked via dictionary and brute-force attacks. Users should always avoid using public personal information and famous quotations from literature, cinema, and music.
Passphrases differ from passwords because they allow you to generate longer sentences with purposeful syntax (misspellings included) that you can remember. “I love Lucy but not Bugs Bunny in 1957” is very secure and memorable. “ILuvLucynoBugs57” is very secure but NOT so easy to remember. Currently, Windows, Linux, and Mac allow passphrase lengths between 127 and 512 characters.
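The trade-off between length and dictionary attacks described above can be made concrete with a rough strength estimator, added here as an example that is not part of the original article. It scores a string under a character-by-character model and a word-by-word dictionary model and keeps the cheaper one. The word list, dictionary size and mangling cost are assumptions, and the result is an upper bound, since real sentences are more predictable than independently chosen words.

```python
import math

# Constructed stand-in for an attacker's dictionary (assumption): only membership
# matters here; ASSUMED_DICT_SIZE is the size of the list being modelled.
WORDLIST = {"i", "love", "lucy", "but", "not", "bugs", "bunny", "in", "password"}
ASSUMED_DICT_SIZE = 20_000   # assumption: common words and names
MANGLE_BITS = 4.0            # assumption: cost of trying case/symbol variants of a word
LEET = str.maketrans("@4531!0$7", "aaseiiost")  # undo common character swaps


def char_bits(s: str) -> float:
    """Brute-force cost: length * log2(size of the character classes in use)."""
    if not s:
        return 0.0
    pool = 0
    pool += 26 if any(c.islower() for c in s) else 0
    pool += 26 if any(c.isupper() for c in s) else 0
    pool += 10 if any(c.isdigit() for c in s) else 0
    pool += 33 if any(not c.isalnum() for c in s) else 0  # space and ASCII symbols
    return len(s) * math.log2(pool)


def token_bits(tok: str) -> float:
    """Cost of one space-separated token under a dictionary attack."""
    if tok.isdigit():
        return len(tok) * math.log2(10)
    plain = tok.lower().translate(LEET)
    if plain in WORDLIST:
        # A word written with capitals or swapped characters costs a little more.
        return math.log2(ASSUMED_DICT_SIZE) + (MANGLE_BITS if tok != plain else 0.0)
    return char_bits(tok)  # not a known word: it has to be brute-forced


def estimate_bits(s: str) -> float:
    """Upper bound on guessing cost: the cheaper of the two attack models."""
    by_word = sum(token_bits(t) for t in s.split())
    return min(char_bits(s), by_word)


if __name__ == "__main__":
    for sample in ("P@55worD", "ILuvLucynoBugs57",
                   "I love Lucy but not Bugs Bunny in 1957"):
        print(f"{sample!r}: chars={char_bits(sample):.1f} bits, "
              f"estimate={estimate_bits(sample):.1f} bits")
```

Under these assumptions the word-replacement password collapses to roughly one dictionary lookup, while the sentence keeps a large margin even when every word is known to the attacker.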
Passphrases offer a better solution to increase authentication complexity and decrease confusion. We must encourage corporations and their IT professionals to allow the use of passphrases in standard security environments. At Greenville Technical College, we teach our Computer Technology students the value of passphrase authentication so when they enter the workforce, they can help their employers implement passphrase standards.
Implementing passphrase authentication standards must be an industry initiative. Businesses must fully embrace passphrase authentication and be accountable for migrating to passphrase standards. Using modern passphrase standards precipitates end user and customer transition. Select companies and countries have taken such an initiative. Forward-thinking organizations such as the U.S. Securities and Exchange Commission (SEC), the University of Chicago, and the Australian Department of Defense (ADD) and companies such as Symantec and Mize-Houser have embraced change and implemented passphrase authentication standards. Migration to passphrase standards is a progressive security policy, an excellent marketing strategy, and an exemplification of technology leadership.