As discussed in the previous post below, we determined that the average user of technology is required to memorize many different login credentials and a helpful tool is a password manager. In this post I will discuss the somewhat controversial topic, at least in cybersecurity circles, of passphrases.
Passphrases are controversial as they do not meet compliance or security requirements for most organizations. Any user should check with their organization’s compliance requirements before they decide to use passphrases for business accounts. Nonetheless, a passphrase can be used for a majority of your personal accounts.
Before we get to the fun stuff, you will need to understand a concept of entropy, which is central to how authenticator strength is calculated. C.E. Shannon was the first to use entropy as it relates to information theory in 1948 in his paper “A Mathematical Theory of Communication”. He defined entropy as “uncertainty”. Then in 1951 he further defined entropy as “a statistical parameter which measures in a certain sense, how much information is produced on the average for each letter of a text in the language.” If the language is translated into binary digits (0 or 1) in the most efficient way, the entropy (H) is the average number of binary digits required per letter of the original language.” An example of a word translated into binary is MJLM becomes 01001101 01001010 01001100 0100110.
The fun stuff
A passphrase is a grouping of words that may or may not form a sentence that controls access to systems. Passphrases should be a minimum of 15 characters (preferably 20), without spaces, easy to remember, hard to guess, not include words that are associated with you, and easy to type.
The XKCD site has an excellent comic that explains the concept of the passphrase. For our discussion we will use the following authenticators:
- 123456 (NordPass most common password of 2020)
- ?V~34H<v,-/h?By) (strong password generated using Secure Password Generator)
- correcthorsebatterystaple (XKCD example)
The three authenticators have the following weaknesses:
- Very simple and easy to guess/crack
- Very complex but very hard to remember. The password generator suggested to use “? VISA ~ 3 4 HULU < visa , – / hulu ? BESTBUY yelp )” as a way to remember it.
- Does not meet the security requirements that are generally accepted at this time.
Rumkin.com has a good entropy calculator that came up with the following calculations:
- 123456 – 9.7 bits of entropy
- ?V~34H<v,-/h?By) – 76.5 bits of entropy
- correcthorsebatterystaple – 93.6 bits of entropy
Using the password cracking calculator at Random-ize we see that the authenticators can be cracked by brute force in the following amount of time:
- 123456 – Less than 1 second
- ?V~34H<v,-/h?By) – 420,805,123,888,006 years, 6 months (420 billion millennia!)
- correcthorsebatterystaple – 2,681,446,034,554,246,700 years (2.6 quadrillion millennia!!)
As you can see, with the power of math, the passphrase is actually harder to crack (but easy to remember) than the ridiculously complex (and hard to remember) password. Hopefully with these simple examples you will see the power of the passphrase.
I will leave you with the words of Bruce Schneier (an American cryptographer, computer security professional, privacy specialist, and writer); “The whole notion of passwords is based on an oxymoron. The idea is to have a random string that is easy to remember. Unfortunately, if it’s easy to remember, it’s something nonrandom like ‘Susan.’ And if it’s random, like ‘r7U2*Qnp,’ then it’s not easy to remember.”
Chris Williamson serves as a IT Audit Senior Manager within McConnell & Jones’ Risk Advisory Services Team, where he helps organizations protect their data and their systems from cyber incidents. A CISA and Security+ certified professional, he started his IT security and auditing career at a CPA firm serving governmental agencies, next moving to a quasi-governmental agency and most recently at a Spanish construction/infrastructure conglomerate. He has expertise with both IT and OT installation, configuration, and protection. He can be reached at email@example.com