I've heard Jesper talk about this many times and have used passphrases for a long time myself. The term "password" is in itself misleading as is suggests that a single word will suffice. Many of our companys force us to use absurdly complex passwords which are difficult to remember and hence there's a tendency to write them down and use the same ones everywhere. Believe it or not the Microsoft Windows login dialog will actually take more than eight characters in the password field!
By reading any of the links listed below you'll learn that entering multiple words in the "password" field generally leads to better (stronger) passwords. For the mathematicians amongst you it's worth reading the comments to both Jesper and Robert's posts - I agree that long highly complex passwords (with greater entrophy) would be ideal IF users could remember them but in the real world find passphrases to be the best way.
I tend to think of a funny phrase and use that whilst omitting the spaces between words. A good example would be "Ihatebeingforcedtochangemypassword" though you may have to add some numeric characters to meet the requirements of password complexity. Don't feel the need to go mad though, anything better than you're using today would be progress - so just using three words would be a good start.
The Microsoft website includes a straight forward definition and suggestion for how to use stronger passwords - click here to read about it.
Larry Osterman posted an interesting entry about passphrases whereby he linked to Jesper Johansson's article (which explains both the theory and practical application) and Robert Hensing's entry which gives good advice too.
There are some interesting suggestions out there including the idea of using dice to pick the sequence of words - click here to read about Diceware.
Comments
- Anonymous
January 01, 2003
Answer: A laptop keyboard.
I've been unable to do a lot of work for the past hour or so after spilling... - Anonymous
July 28, 2005
While I understand Jesper's point, it seems a little simplistic solution to me, and doesn't take into account the unintended consequences or the "real world" applications. Yes, a thirty character passphrase is more secure than an 6-character "complex" password. But out there are other security measures that conflict with it: specifically, password-protected screensavers. We have policies that enforce the screensaver coming up every 15 minutes, which seems to still be an industry standard for places that have lots of open, public machines. Just as users tend to write down the longer "complex" passwords of random letters, numbers and special characters on a sticky note, they will try to get around having to type in a 30+ character string every 15 minutes. When we tried to enforce 30+ char passphrases, we found that someone had written a program to "jiggle the mouse" every 10 minutes so the screensaver never kicked in, because they were so annoyed at all the typing they had to do every time they stopped using their computer for 15 minutes. This little program got passed around, and soon a ton of people were using it. Yes, tighter controls over the desktop might have prevented this app, but that's not the point of discussion here: it's that there are unintended consequences of the security measures that Jesper espouses, and those don't seem to ever be brought up in his discussions. In particular, the fact that users dislike having to type those long passphrases in over and over again, even when they are simple sentences. Just because I can remember "Mypasswordisthebestpasswordintheworld" easier than "F(5%pr@m1", doesn't mean I prefer typing the former all day long. - Dave Pacheco Manager, Architecure and Security The Walt Disney Company - Anonymous
July 29, 2005
Dave> Thanks for your very interesting comment. I can see that such a screen saver policy together with a passphrase would be frustrating. Statistically having a ten character passphrase would be a reasonable compromise from a cryptoanalysis perspective. I realise there's a cost implication but smartcard authentication would be less painful with such a screensaver policy. How about increasing the screen saver interval and having forefits for those who get caught by their team with an unlocked screen. I'm sure someone engaged on a long telephone call would be very frustrated if the screen saver cut in whilst they were talking.
What do you think?