Monday, November 15, 2004

What's a "passphrase", and is it better than a password? 

A couple of Microsoft's security people, in their personal blogs, suggest that we should start using more than one word when we choose a password. For example, you might log in with "squeamish vultures swing dishwashers" instead of "f$i^(A;Q".

Why? It's easier to remember a nonsense sentence, easier to type one, and it may be harder for the bad guys to guess with their password-guessing programs.

Most modern operating systems let you use 127 characters or more in a password, and some of those characters can be spaces. You can log in to your Windows machine with an entire sentence where it asks for a password. Some web sites, though, may not let you type in something that long.

You still need to be careful because longer is not always better. For example, you can see that "Once upon a time" is actually easier to guess than "Once upon a". So don't pick a common phrase like "to be or not to be". Use something you just made up and pick the words as randomly as you can. Depending on how much time you have and how much security you need you can


Then, after you've gone to all that trouble, maybe you can't use the result because the computers at work demand that you include numbers and special characters. Grumble briefly to yourself and then do something like putting an exclamation point at the end or replacing the letter "a" with "@". For example, if you aren't allowed to use "quarterbacks fry fuchsia philosophies" because it's "too simple", you could change it to "2 Quarterbacks fry fuchsi@ philosophies!" and get it accepted.
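The advice to pick the words as randomly as you can is something you can measure. The sketch below is an added example, not part of the original post: it draws words with a cryptographic random source and compares the guessing space of a random-word passphrase with that of an 8-character random password like "f$i^(A;Q". The word list, the common-phrase set and every function name are constructed for illustration.

```python
import math
import secrets

# Constructed sample list for illustration only; a real list should hold
# thousands of words (a Diceware-style list has 7776).
SAMPLE_WORDS = [
    "squeamish", "vultures", "swing", "dishwashers", "quarterbacks", "fry",
    "fuchsia", "philosophies", "lantern", "gravel", "tuba", "orbit",
    "mitten", "cactus", "harbor", "pickle",
]

# Constructed stand-in for a guessing program's list of well-known phrases.
COMMON_PHRASES = {"once upon a time", "to be or not to be"}


def entropy_bits(choices: int, picks: int) -> float:
    """Bits of entropy when each of `picks` items is chosen uniformly at random."""
    return picks * math.log2(choices)


def words_needed(wordlist_size: int, target_bits: float) -> int:
    """Smallest number of random words whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(wordlist, n_words: int) -> str:
    """Pick n_words with a CSPRNG; redraw if the result is a well-known phrase."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("wordlist contains duplicates")
    while True:
        phrase = " ".join(secrets.choice(wordlist) for _ in range(n_words))
        if phrase.lower() not in COMMON_PHRASES:
            return phrase


if __name__ == "__main__":
    # 94 = printable ASCII characters, not counting the space.
    random_pw_bits = entropy_bits(94, 8)
    print(f"8 random characters:      {random_pw_bits:.1f} bits")
    print(f"4 words from 7776:        {entropy_bits(7776, 4):.1f} bits")
    print(f"4 words from sample list: {entropy_bits(len(SAMPLE_WORDS), 4):.1f} bits")
    print("words needed from 7776 to match:", words_needed(7776, random_pw_bits))
    print("example:", generate_passphrase(SAMPLE_WORDS, 4))
```

The numbers only hold when every word is drawn at random from the full list; a phrase you recognise from somewhere else has far less entropy than its length suggests.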
