Let’s settle the password vs. passphrase debate once and for all

Should you use a password or passphrase? The question has sparked intense discussion among techies for years. Here’s our recommendation.

Several years ago, the science comic blogger Randall Munroe, otherwise known as XKCD, posted a comic comparing passwords and passphrases. The illustration attempts to demonstrate mathematically, using information theory, that passwords tend to be weaker than passphrases while also being more difficult to remember. Because of this, people use simpler passwords, write them down, or reuse them, thus weakening password security further.

Munroe concludes, “Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.”

Many people think a password is meant to protect them from someone targeting them specifically. That’s usually not how people get hacked, though.

When you create an online account, the company stores your password in encrypted form on its servers. If hackers get their hands on that password database, it’s only a matter of running password-guessing programs against the stolen list until the guesses match. There are computers that can guess hundreds of billions of passwords per second, though companies typically use encryption methods that slow down the guessing.

What is a passphrase?

While everybody knows what a password is, fewer people know about passphrases. A passphrase is a kind of password that uses a series of words, separated by spaces or not (it doesn’t really matter). “correcthorsebatterystaple” is the passphrase in the comic. Although passphrases often contain more characters than passwords do, passphrases contain fewer “components” (four words instead of, say, 12 random characters). This makes passphrases easier to remember, typically with the help of a mnemonic device.

A passphrase is more secure… sometimes

After the XKCD comic came out, there was a wave of discussion online about whether the advice was correct. Much of the debate centered on the amount of entropy each of his examples contained. Entropy is a concept from information theory that, put simply, measures the amount of randomness contained in a password. Generally, the more randomness a password contains, the harder it is to crack. This is why longer passwords are favored: they presumably contain more “randomness.”

XKCD assumes the attacker knows the user has generated a passphrase by choosing four of the most common (top 2,048 in this example) dictionary words at random. Even so, the passphrase contains more entropy than the password. There are only 94 possible options for each password character, so each character contributes less uncertainty than each word drawn from a 2,048-word list. So, mathematically speaking, a passphrase could be more secure.

But not always. By lengthening the password or adding words to the passphrase, you can increase the entropy. For example, a 20-character password consisting of random lower-case letters is much stronger than a four-word passphrase composed of common words. Such a password cannot be attacked with a dictionary, so it must be brute forced, which would take modern computers billions of years.
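The entropy arithmetic behind the comparison above, as an added example that is not part of the original post. It assumes the attacker model the comic uses (the attacker knows exactly how the secret was generated) and a constructed guess rate of 1e11 per second, a round figure for the “hundreds of billions per second” the article mentions.

```python
import math

# Constructed guess rate: "hundreds of billions of passwords per second".
GUESS_RATE_PER_SECOND = 1e11
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(choices_per_component: int, components: int) -> float:
    """Entropy of a secret made of `components` independent, uniformly random
    picks out of `choices_per_component` options: log2(choices ** components)."""
    if choices_per_component < 2 or components < 1:
        raise ValueError("need at least two choices and one component")
    return components * math.log2(choices_per_component)


def years_to_exhaust(bits: float, rate: float = GUESS_RATE_PER_SECOND) -> float:
    """Worst-case years to try every candidate at `rate` guesses per second.
    On average the attacker succeeds after roughly half this time."""
    return (2.0 ** bits) / rate / SECONDS_PER_YEAR


def compare_article_cases() -> dict[str, float]:
    """The cases the article discusses, in bits of entropy."""
    return {
        "4 words from a top-2048 list": entropy_bits(2048, 4),
        "5 words from a top-2048 list": entropy_bits(2048, 5),
        "12 random printable chars (94 symbols)": entropy_bits(94, 12),
        "20 random lowercase letters": entropy_bits(26, 20),
    }


if __name__ == "__main__":
    for name, bits in compare_article_cases().items():
        years = years_to_exhaust(bits)
        print(f"{name:40s} {bits:6.1f} bits  ~{years:.3g} years to exhaust")
```

Four common words come out at 44 bits (exhausted in minutes at this rate), while 20 random lowercase letters come out at about 94 bits (billions of years), which is the gap the article describes.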

AviD’s Rule of Usability

But XKCD’s argument is not primarily about mathematics. It’s about how to create the most secure systems possible in light of human imperfections.

For decades, the advice from information security experts was to change your passwords frequently and use numbers, capitals, and special characters. But we humans are bad at creating randomness, and we’re bad at remembering things. So inevitably people used simple words, names, birthdates, and sayings, swapping out letters with similar-looking special characters. Hackers can crack these kinds of passwords in a matter of seconds.

In an effort to make secure systems, the prevailing password advice actually made the systems less secure. Or, as the user AviD now-famously put it on Stack Exchange, responding to the XKCD comic: “Security at the expense of usability comes at the expense of security.” In other words, if your “secure system” isn’t easy to use, people won’t use it, negating the security benefit. (This is actually the founding principle of ProtonMail.)

Our recommendation on the password vs. passphrase debate

Both passwords and passphrases can be secure, and if you are using a password manager, the security and usability differences between passwords and passphrases will not be significant. However, if you are setting a password that you must remember by heart, for usability reasons, we recommend using passphrases.

When you use passphrases, also keep the following in mind:

  • Four words should be sufficient. Five words is better.
  • Don’t choose from the most common words, and don’t
    choose quotes or sayings. The words should be as random as possible.
  • Use a unique passphrase for every account you own. That
    way, if one passphrase is ever exposed, the other accounts remain secure.
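A generator that follows the three points above, as an added example that is not part of the original post: it draws words with the operating system’s cryptographic random source, insists on at least four words, de-duplicates the list, and refuses combinations whose design entropy is too low. The ten-word sample list is constructed and deliberately too small; the list sizes 2048, 8192 and 65536 are illustrative.

```python
import math
import secrets

# Constructed ten-word sample list. A usable list has thousands of entries;
# this one is tiny on purpose so the entropy check below visibly refuses it.
SAMPLE_WORDS = "orbit velvet canyon lantern puzzle harbor meadow quartz saddle thimble".split()


def load_wordlist(text: str) -> list[str]:
    """Normalise and de-duplicate a whitespace-separated wordlist. A duplicated
    word is picked twice as often, so real entropy falls below log2(N) per word."""
    return sorted({w.lower() for w in text.split() if w.strip()})


def passphrase_bits(wordlist_size: int, word_count: int) -> float:
    """Design entropy when the attacker knows the list and the word count."""
    return word_count * math.log2(wordlist_size)


def words_needed(wordlist_size: int, target_bits: float = 60.0) -> int:
    """Smallest word count reaching `target_bits` from a list of this size;
    a larger (less common) list needs fewer words for the same strength."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(words: list[str], word_count: int = 5, min_bits: float = 60.0) -> str:
    """Pick words uniformly with the OS CSPRNG (secrets, never random) and join
    them with spaces. Refuses combinations below `min_bits` of design entropy."""
    if word_count < 4:
        raise ValueError("use at least four words")
    bits = passphrase_bits(len(words), word_count)
    if bits < min_bits:
        raise ValueError(f"{len(words)} words x {word_count} picks = {bits:.1f} bits, below {min_bits}")
    return " ".join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    for size in (2048, 8192, 65536):
        print(f"list of {size:5d} words: {words_needed(size)} words reach 60 bits")
    try:
        generate_passphrase(SAMPLE_WORDS)
    except ValueError as err:
        print("refused:", err)
    # min_bits=0 only to show the mechanics; the result is far too weak to use.
    print("demo only:", generate_passphrase(SAMPLE_WORDS, 5, min_bits=0))
```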

This article is part of our series on password security. You can also check out our previous article about how long a password should be.

Best Regards,
The ProtonMail Team

*** This is a Security Bloggers Network syndicated blog from ProtonMail Blog authored by Ben Wolford. Read the original post at: https://protonmail.com/blog/protonmail-com-blog-password-vs-passphrase/