Passphrases vs. Passwords

For a long time, people have argued for longer and more complex passwords. The idea behind the argument is that short, simple passwords are far easier to crack than long, complex ones. Some people even prefer randomly generated passwords, which can be even more difficult to crack because they typically aren't based on some alteration of a known word in a given language.

You might already know that Windows 2000 and later allow for a maximum password length of 127 characters. The allowed characters include punctuation, special characters, and even Unicode characters. The reason for the 127-character limit is that the password character array is a set of 256 bytes. Because Unicode characters require two bytes to represent one character, the maximum number of characters that can be stored in the array is 127, or half the size of the array itself.

The ability to use 127 characters allows far more complex passwords or passphrases than many of us use. I suppose the only real difference between a password and a passphrase is that a passphrase is a series of words with a space between them, and passphrases might tend to be longer than passwords.

Some of you might know of Robert Hensing, who works as a member of Microsoft's Security Incident Response Team. Hensing has a blog (syndicated at the first URL below, unsyndicated at the second URL below), and back in July, he wrote an interesting blog article (at the third URL below) that argues for the use of passphrases instead of passwords.

In his article, Hensing explains why he thinks longer passphrases are superior. Essentially, it's because they take longer to crack. An attacker can precompute a huge set of possible password hashes, then use that set to minimize the time necessary to crack a given password. So shorter, single-word passwords are less secure because they can be cracked very quickly with precomputed hashes and other password-cracking tools. But the hashes of longer passphrases that include a series of words or random character combinations are far more difficult to crack because they require far more time. One premise behind password security is that a password should probably have a life span that's shorter than the time necessary to crack it. That way, the password will have been changed to something else before someone can crack it.

Granted, an entity that really wants to know your password can use certain methods, such as distributed computing and super-fast computers, to crack it much faster than the average intruder could, no matter the length. But most intruders probably aren't capable of attaining such resources, so passphrases and short passphrase life spans could keep a large percentage of intruders completely at bay. Thus, they're worth considering.

To enforce the use of passphrases, you can establish policies that require a certain minimum number of characters. For example, if you require at least two dozen characters in a password, your computer users might be inclined to think of a phrase, which is of course easier to remember than a long string of characters. If you're interested in the concept, read Hensing's blog article and consider the comments from various readers.
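The argument above (crack time versus life span) and the minimum-length policy it recommends can both be put into numbers. The following is an added example, not code from the article or from Hensing's post: it estimates the search space and worst-case exhaustive-search time for a password or passphrase, compares that against a rotation period, and checks a candidate against a minimum-length policy. The guess rate, the 90-day rotation period and the 7776-word list size are assumptions chosen for illustration.

```python
import math

# Assumed guess rate for the worked example (constructed, not from the article).
GUESSES_PER_SECOND = 1e10
SECONDS_PER_DAY = 86_400


def brute_force_space(alphabet_size: int, length: int) -> int:
    """Number of candidates an attacker must try to exhaust every string of
    the given length drawn from an alphabet of alphabet_size symbols."""
    return alphabet_size ** length


def passphrase_space(wordlist_size: int, word_count: int) -> int:
    """Search space for a passphrase built from word_count words chosen
    independently from a list of wordlist_size words (e.g. a diceware list)."""
    return wordlist_size ** word_count


def bits_of_entropy(space: int) -> float:
    """Express a search space as bits, the usual way to compare secrets."""
    return math.log2(space)


def seconds_to_exhaust(space: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return space / rate


def outlives_rotation(space: int, rate: float, rotation_days: float) -> bool:
    """True when exhaustive search takes longer than the rotation period,
    i.e. the secret is (by this crude model) changed before it can be cracked."""
    return seconds_to_exhaust(space, rate) > rotation_days * SECONDS_PER_DAY


def meets_policy(secret: str, min_length: int = 24) -> bool:
    """Minimum-length policy check, the kind of rule the article suggests
    to nudge users toward phrases rather than short strings."""
    return len(secret) >= min_length


if __name__ == "__main__":
    cases = {
        # 8 random printable-ASCII characters (95 symbols)
        "8-char random password": brute_force_space(95, 8),
        # 24 lowercase letters plus space (27 symbols), a length-24 phrase
        "24-char lowercase passphrase": brute_force_space(27, 24),
        # 5 words from a 7776-word list (assumed diceware-style list)
        "5-word diceware passphrase": passphrase_space(7776, 5),
    }
    for name, space in cases.items():
        days = seconds_to_exhaust(space) / SECONDS_PER_DAY
        print(f"{name}: {bits_of_entropy(space):.1f} bits, "
              f"exhaustive search ~{days:.3g} days at 1e10 guesses/s, "
              f"outlives 90-day rotation: {outlives_rotation(space, GUESSES_PER_SECOND, 90)}")
    for candidate in ("Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{candidate!r}: meets 24-char policy = {meets_policy(candidate)}")
```

The model is deliberately crude: it assumes the attacker must exhaust the whole space and that every candidate is equally likely, so real dictionary-based guessing will do better against phrases built from common words. Its value is in the comparison, not the absolute figures: at the assumed rate an 8-character random password falls well inside a 90-day rotation window, while a 24-character phrase does not.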

TAGS: Security