Let’s face it, trying to remember a random set of letters, numbers and characters is impossible. Instead, people tend to make insecure passwords because they’re usable (i.e. easy to remember). That is all fine and dandy until you have a security breach of some sort, then you’re in for a world of hardship.
So what better option is there? Passphrases!
Passphrase… say what?
Most people aren't familiar with the term passphrase. Essentially, a passphrase is just a sequence of 4 or more easy to remember words. Think returnsuddenmarkarmy.
The idea blends the notion of being usable while also being very secure (more on this later). We’ve been trained throughout life to string together words and therefor it’s easy for us to read and recognize these patterns. When you start to string together random letters, numbers and characters, the pattern these characters create is so abstract that our brains aren’t geared to easily understand them, let alone remember them.
Computers, on the other hand, see passphrases as a string of characters. It makes no difference to cracking software if a passphrase is made up of words or characters. Passphrase (and password) cracking software uses a trial-and-error approach of methodically attempting possible combinations of word and character patterns until the correct sequence is found.
How strong a passphrase is varies, but what we look for is password entropy — a mathematical measurement of how unpredictable a passphrase is. This is based on the number of possible characters (letters, numbers and special characters) with a value assigned to each character representing how common that character is. For example, the number 1 would be much more common than the special character ~ . Passphrase entropy predicts how difficult a given passphrase would be to crack through brute force attacks, dictionary attacks, and other common cracking methods.
It just so happens that the best passwords aren’t complex, but long.
Password security case study
Let’s put this notion of a passphrase to the test and see how it holds up. We’ll test a variety of passwords and a passphrase, based on a 81 character set (uppercase, lowercase, numbers and special characters), and determine roughly how long it would take to crack them. The approximate time taken for the password to be cracked is based on an offline computer able to compute 10,000 guesses per second.
*Disclaimer: Our test results will vary from other calculators for a variety of reasons. Mainly the size of the character set used and what the priority is given to specific characters and words. It’s actually very difficult to determine a consistent score without knowing all of the parameters and so results can be very inconsistent. The basic principle here still applies though, it’s how websites choose to protect their passwords that changes.
Type: standard debit pin
Time taken to crack: 1 second
Type: 6 weird characters
Time taken to crack: 2 minutes
Type: 8 weird characters
Time taken to crack: 3 hours
Type: 10 weird characters
Time taken to crack: 12 days
Type: 4 simple words
Time taken to crack: 3 years
Type: 4 simple words with a number tossed in
Time taken to crack: Centuries!
That’s some serious password security! Make the switch to easier to remember passphrases. It’s just an all around good thing.