A passphrase is a sequence of words or other text used to control access to a
computer
A computer is a machine that can be programmed to Execution (computing), carry out sequences of arithmetic or logical operations (computation) automatically. Modern digital electronic computers can perform generic sets of operations known as C ...
system, program or
data
In the pursuit of knowledge, data (; ) is a collection of discrete values that convey information, describing quantity, quality, fact, statistics, other basic units of meaning, or simply sequences of symbols that may be further interpreted ...
. It is similar to a
password
A password, sometimes called a passcode (for example in Apple devices), is secret data, typically a string of characters, usually used to confirm a user's identity. Traditionally, passwords were expected to be memorized, but the large number of ...
in usage, but a passphrase is generally longer for added security. Passphrases are often used to control both access to, and the operation of,
cryptographic
Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or '' -logia'', "study", respectively), is the practice and study of techniques for secure communication in the presence of adve ...
programs and systems, especially those that derive an
encryption
In cryptography, encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can decip ...
key from a passphrase. The origin of the term is by analogy with ''password''. The modern concept of passphrases is believed to have been invented by Sigmund N. Porter in 1982.
Security
Considering that the
entropy
Entropy is a scientific concept, as well as a measurable physical property, that is most commonly associated with a state of disorder, randomness, or uncertainty. The term and the concept are used in diverse fields, from classical thermodynam ...
of written English is less than 1.1 bits per character,
passphrases can be relatively weak.
NIST
The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST's activities are organized into physical sci ...
has estimated that the 23-character passphrase "IamtheCapitanofthePina4" contains a 45-bit strength. The equation employed here is:
: 4 bits (1st character) + 14 bits (characters 2–8) + 18 bits (characters 9–20) + 3 bits (characters 21–23) + 6 bits (bonus for upper case, lower case, and alphanumeric) = 45 bits
(This calculation does not take into account that this is a well-known quote from the operetta
H.M.S. Pinafore
''H.M.S. Pinafore; or, The Lass That Loved a Sailor'' is a comic opera in two acts, with music by Arthur Sullivan and a libretto by W. S. Gilbert. It opened at the Opera Comique in London, on 25 May 1878 and ran for 571 performances, which ...
. An MD5 hash of this passphrase can be cracked in 4 seconds using crackstation.net, indicating that the phrase is found in password cracking databases.)
Using this guideline, to achieve the 80-bit strength recommended for high security (non-military) by NIST, a passphrase would need to be 58 characters long, assuming a composition that includes uppercase and alphanumeric.
There is room for debate regarding the applicability of this equation, depending on the number of bits of entropy assigned. For example, the characters in five-letter words each contain 2.3 bits of entropy, which would mean only a 35-character passphrase is necessary to achieve 80 bit strength.
If the words or components of a passphrase may be found in a language dictionary—especially one available as electronic input to a software program—the passphrase is rendered more vulnerable to
dictionary attack
In cryptanalysis and computer security, a dictionary attack is an attack using a restricted subset of a keyspace to defeat a cipher or authentication mechanism by trying to determine its decryption key or passphrase, sometimes trying thousands or ...
. This is a particular issue if the entire phrase can be found in a book of quotations or phrase compilations. However, the required effort (in time and cost) can be made impracticably high if there are enough words in the passphrase and if they are
random
In common usage, randomness is the apparent or actual lack of pattern or predictability in events. A random sequence of events, symbols or steps often has no :wikt:order, order and does not follow an intelligible pattern or combination. Ind ...
ly chosen and ordered in the passphrase. The number of combinations which would have to be tested under sufficient conditions make a dictionary attack so difficult as to be infeasible. These are difficult conditions to meet, and selecting at least one word that cannot be found in ''any'' dictionary significantly increases passphrase strength.
If passphrases are chosen by humans, they are usually biased by the frequency of particular words in natural language. In the case of four word phrases, actual entropy rarely exceeds 30 bits. On the other hand, user-selected pass''words'' tend to be much weaker than that, and encouraging users to use even 2-word passphrases may be able to raise entropy from below 10 bits to over 20 bits.
For example, the widely used cryptography standard
OpenPGP
Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitio ...
requires that a user make up a passphrase that must be entered whenever decrypting or signing messages. Internet services like
Hushmail
Hushmail is an encrypted
In cryptography, encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only ...
provide free encrypted e-mail or file sharing services, but the security present depends almost entirely on the quality of the chosen passphrase.
Compared to passwords
Passphrases differ from passwords. A
password
A password, sometimes called a passcode (for example in Apple devices), is secret data, typically a string of characters, usually used to confirm a user's identity. Traditionally, passwords were expected to be memorized, but the large number of ...
is usually short—six to ten characters. Such passwords may be adequate for various applications (if frequently changed, if chosen using an appropriate policy, if not found in dictionaries, if sufficiently random, and/or if the system prevents online guessing, etc.) such as:
* Logging onto computer systems
* Negotiating keys in an interactive setting (e.g. using
password-authenticated key agreement In cryptography, a password-authenticated key agreement method is an interactive method for two or more parties to establish cryptographic keys based on one or more party's knowledge of a password.
An important property is that an eavesdropper or m ...
)
* Enabling a smart-card or PIN for an
ATM card
An ATM card is a payment card or dedicated payment card issued by a financial institution (i.e. a bank) which enables a customer to access their financial accounts via its and others' automated teller machines (ATMs) and to make approved point of ...
(e.g. where the password data (hopefully) cannot be extracted)
But passwords are typically not safe to use as keys for standalone security systems (e.g., encryption systems) that expose data to enable offline password guessing by an attacker. Passphrases are theoretically stronger, and so should make a better choice in these cases. First, they usually are (and always should be) much longer—20 to 30 characters or more is typical—making some kinds of brute force attacks entirely impractical. Second, if well chosen, they will not be found in any phrase or quote dictionary, so such dictionary attacks will be almost impossible. Third, they can be structured to be more easily memorable than passwords without being written down, reducing the risk of hardcopy theft. However, if a passphrase is not protected appropriately by the authenticator and the clear-text passphrase is revealed its use is no better than other passwords. For this reason it is recommended that passphrases not be reused across different or unique sites and services.
In 2012, two Cambridge University researchers analyzed passphrases from the
Amazon PayPhrase system and found that a significant percentage are easy to guess due to common cultural references such as movie names and sports teams, losing much of the potential of using long passwords.
When used in cryptography, commonly the passphrase protects a long (machine generated)
key
Key or The Key may refer to:
Common meanings
* Key (cryptography), a piece of information that controls the operation of a cryptography algorithm
* Key (lock), device used to control access to places or facilities restricted by a lock
* Key (map ...
, and the key protects the data. The key is so long a brute force attack (directly on the data) is impossible. A
key derivation function
In cryptography, a key derivation function (KDF) is a cryptographic algorithm that derives one or more secret keys from a secret value such as a master key, a password, or a passphrase using a pseudorandom function (which typically uses a crypto ...
is used, involving many thousands of iterations (
salted & hashed), to slow down
password cracking
In cryptanalysis and computer security, password cracking is the process of recovering passwords from data that has been stored in or transmitted by a computer system in scrambled form. A common approach (brute-force attack) is to repeatedly try ...
attacks.
Passphrases selection
Typical advice about choosing a passphrase includes suggestions that it should be:
* Long enough to be hard to guess
* Not a famous quotation from literature, holy books, et cetera
* Hard to guess by intuition—even by someone who knows the user well
* Easy to remember and type accurately
* For better security, any easily memorable encoding at the user's own level can be applied.
* Not reused between sites, applications and other different sources
Example methods
One method to create a strong passphrase is to use
dice
Dice (singular die or dice) are small, throwable objects with marked sides that can rest in multiple positions. They are used for generating random values, commonly as part of tabletop games, including dice games, board games, role-playing g ...
to select words at random from a long list, a technique often referred to as
diceware
Diceware is a method for creating passphrases, passwords, and other cryptographic variables using ordinary dice as a hardware random number generator. For each word in the passphrase, five rolls of a six-sided die are required. The numbers from ...
. While such a collection of words might appear to violate the "not from any dictionary" rule, the security is based entirely on the large number of possible ways to choose from the list of words and not from any secrecy about the words themselves. For example, if there are 7776 words in the list and six words are chosen randomly, then there are ''7,776
6 = 221,073,919,720,733,357,899,776'' combinations, providing about 78 bits of
entropy
Entropy is a scientific concept, as well as a measurable physical property, that is most commonly associated with a state of disorder, randomness, or uncertainty. The term and the concept are used in diverse fields, from classical thermodynam ...
. (The number ''7776'' was chosen to allow words to be selected by throwing five dice. ''7776 = 6
5'') Random word sequences may then be memorized using techniques such as the
memory palace
The method of loci is a strategy for memory enhancement, which uses visualizations of familiar spatial environments in order to enhance the recall of information. The method of loci is also known as the memory journey, memory palace, journey m ...
.
Another is to choose two phrases, turn one into an
acronym
An acronym is a word or name formed from the initial components of a longer name or phrase. Acronyms are usually formed from the initial letters of words, as in ''NATO'' (''North Atlantic Treaty Organization''), but sometimes use syllables, as ...
, and include it in the second, making the final passphrase. For instance, using two English language typing exercises, we have the following. ''The quick brown fox jumps over the lazy dog'', becomes ''tqbfjotld''. Including it in, ''Now is the time for all good men to come to the aid of their country'', might produce, ''Now is the time for all good tqbfjotld to come to the aid of their country'' as the passphrase.
There are several points to note here, all relating to why this example passphrase is not a good one.
* It has appeared in public and so should be avoided by everyone.
* It is long (which is a considerable virtue in theory) and requires a good typist as typing errors are much more likely for extended phrases.
* Individuals and organizations serious about cracking computer security have compiled lists of passwords derived in this manner from the most common quotations, song lyrics, and so on.
The PGP Passphrase FAQ
suggests a procedure that attempts a better balance between theoretical security and practicality than this example. All procedures for picking a passphrase involve a tradeoff between security and ease of use; security should be at least "adequate" while not "too seriously" annoying users. Both criteria should be evaluated to match particular situations.
Another supplementary approach to frustrating brute-force attacks is to derive the key from the passphrase using a
deliberately slow hash function, such as
PBKDF2
In cryptography, PBKDF1 and PBKDF2 (Password-Based Key Derivation Function 1 and 2) are key derivation functions with a sliding computational cost, used to reduce vulnerabilities of brute-force attacks.
PBKDF2 is part of RSA Laboratories' Publ ...
as described in RFC 2898.
{{main, Key stretching
Windows support
If backward compatibility with
Microsoft LAN Manager
LAN Manager is a discontinued network operating system (NOS) available from multiple vendors and developed by Microsoft in cooperation with 3Com Corporation. It was designed to succeed 3Com's 3+Share network server software which ran atop a heavi ...
is not needed, in versions of
Windows NT
Windows NT is a proprietary graphical operating system
An operating system (OS) is system software that manages computer hardware, software resources, and provides common services for computer programs.
Time-sharing operating systems sc ...
(including
Windows 2000
Windows 2000 is a major release of the Windows NT operating system developed by Microsoft and oriented towards businesses. It was the direct successor to Windows NT 4.0, and was Software release life cycle#Release to manufacturing (RTM), releas ...
,
Windows XP
Windows XP is a major release of Microsoft's Windows NT operating system. It was released to manufacturing on August 24, 2001, and later to retail on October 25, 2001. It is a direct upgrade to its predecessors, Windows 2000 for high-end and ...
and later), a passphrase can be used as a substitute for a Windows password. If the passphrase is longer than 14 characters, this will also avoid the generation of a ''very'' weak
LM hash
LAN Manager is a discontinued network operating system (NOS) available from multiple vendors and developed by Microsoft in cooperation with 3Com Corporation. It was designed to succeed 3Com's 3+Share network server software which ran atop a heav ...
.
Unix support
In recent versions of
Unix-like
A Unix-like (sometimes referred to as UN*X or *nix) operating system is one that behaves in a manner similar to a Unix system, although not necessarily conforming to or being certified to any version of the Single UNIX Specification. A Unix-li ...
operating systems such as
Linux
Linux ( or ) is a family of open-source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991, by Linus Torvalds. Linux is typically packaged as a Linux distribution, which ...
,
OpenBSD
OpenBSD is a security-focused, free and open-source, Unix-like operating system based on the Berkeley Software Distribution (BSD). Theo de Raadt created OpenBSD in 1995 by forking NetBSD 1.0. According to the website, the OpenBSD project em ...
,
NetBSD
NetBSD is a free and open-source Unix operating system based on the Berkeley Software Distribution (BSD). It was the first open-source BSD descendant officially released after 386BSD was forked. It continues to be actively developed and is a ...
,
Solaris
Solaris may refer to:
Arts and entertainment Literature, television and film
* ''Solaris'' (novel), a 1961 science fiction novel by Stanisław Lem
** ''Solaris'' (1968 film), directed by Boris Nirenburg
** ''Solaris'' (1972 film), directed by ...
and
FreeBSD
FreeBSD is a free and open-source Unix-like operating system descended from the Berkeley Software Distribution (BSD), which was based on Research Unix. The first version of FreeBSD was released in 1993. In 2005, FreeBSD was the most popular ...
, up to 255-character passphrases can be used.
See also
*
Keyfile {{Unreferenced, date=December 2009
A keyfile (or ''key-file'') is a file on a computer which contains encryption or license keys.
A common use is web server software running secure socket layer (SSL) protocols. Server-specific keys issued by tru ...
*
Password-based cryptography
Password-based cryptography generally refers to two distinct classes of methods:
*Single-party methods
*Multi-party methods
Single party methods
Some systems attempt to derive a cryptographic key directly from a password. However, such practice ...
*
Password psychology Living in the intersection of cryptography and psychology, password psychology is the study of what makes passwords or cryptographic keys easy to remember or guess.
In order for a password to work successfully and provide security to its user, it m ...
References
External links
Diceware pagexkcd Password Strengthcommon-viewed explanation of concept
Cryptography
Password authentication