PassWORD or PassPHRASE?
In a conversation regarding Rainbow Tables on Bugtraq there was a link to a rather interesting article (blog) by Robert Hensing, a senior member of Microsoft's Incident Response Team, entitled:
Why you shouldn't be using passwords of any kind on your Windows networks . . .
It's well worth a read, along with some of the responses... Food for thought.
I attended a recent Microsoft Security Seminar where they too STRONGLY pushed for the replacement of passwords with passphrases. And as the article that Tigershark linked to pointed out, there are a number of good reasons for this.
In the end though, I was unable to convince the management in my company to make the changeover, though I was able to get rid of all the "weak" passwords that MBSA reported. I personally have switched over to passphrases for my own systems and do not find them harder to remember, OR that they make logging in more difficult.
Interesting but not that surprising IMHO. It is already known that the length of a password/phrase is more important than its complexity. This method allows very long passwords that can be easily remembered.
The weakness would seem to be that it uses proper words? I am surprised to see that he didn't recommend using two languages for the phrase. That would certainly strengthen it considerably, I would have thought.
I've been using passphrases since I don't know when..
And I always recommend that users do so..
Not only is it easier (humans think in sentences, not in signs), there is also the above-mentioned point about password length..
So what's next..
pass limericks, pass poems..
While he didn't "push" the point he did mention that the use of uppercase and special characters significantly improved the passPHRASE strength, (which is a tad obvious since it increases the character set significantly). He also mentioned that the addition of numbers didn't help password strength, (it's only 10 more characters after all), but IMO, anything helps.
Funny he didn't mention the use of extended ASCII (though it was mentioned in the follow-ups), since that adds a further 128 to the character set, and AFAIK there isn't a password cracker out there in the public domain that takes the extended ASCII set into consideration. That's the quickest and easiest way to extend brute-force time though. Even Rainbow Tables for the entire 255-character set would take months to build and terabytes of storage, making it impractical for the average person to even consider.
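As an added example (not code from the thread or any of its posters), here is a small Python model of two points raised above: that length outweighs character-set size for a character-by-character brute-force search, and, from the earlier post, that a phrase made of proper dictionary words is cheaper to attack word-by-word than its brute-force size suggests. The class sizes, the 8000-word vocabulary and the sample strings are assumptions for illustration.

```python
import math
import string

# Character classes an exhaustive (character-by-character) search must cover.
# Sizes follow the thread: 26 lower, 26 upper, 10 digits, 32 printable ASCII
# symbols, the space, and the 128 "extended ASCII" code points 0x80..0xFF.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
    "space": {" "},
    "extended": {chr(c) for c in range(0x80, 0x100)},
}

def charset_size(secret: str) -> int:
    """Alphabet size = sum of the sizes of the classes actually present."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(ch in chars for ch in secret))

def brute_force_bits(secret: str) -> float:
    """log2(alphabet ** length): cost of a character-by-character search."""
    if not secret:
        return 0.0
    return len(secret) * math.log2(charset_size(secret))

def dictionary_bits(secret: str, vocabulary: int = 8000) -> float:
    """Cost if the attacker guesses whole words instead of characters.
    Applies only to plain lowercase space-separated words; `vocabulary` is an
    assumed wordlist size, not a figure from the thread. Returns inf when the
    model does not apply (mixed case, digits, symbols, other separators)."""
    words = secret.split(" ")
    if not all(w.isalpha() and w.islower() for w in words):
        return math.inf
    return len(words) * math.log2(vocabulary)

def effective_bits(secret: str) -> float:
    """The attacker picks the cheaper strategy, so the smaller bound governs."""
    return min(brute_force_bits(secret), dictionary_bits(secret))

if __name__ == "__main__":
    # Constructed samples: an 8-character "complex" password versus a
    # six-word all-lowercase passphrase of the kind the thread recommends.
    for s in ["Tr&d4sH!", "the cat sat on the mat"]:
        print(f"{s!r}: brute {brute_force_bits(s):.1f} bits, "
              f"dictionary {dictionary_bits(s):.1f} bits, "
              f"effective {effective_bits(s):.1f} bits")
```

The passphrase still comes out ahead, but its effective strength is set by the word-guessing bound, which is why mixing in symbols, case or a second language raises it more than the raw length figure implies.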
We have been using passphrases on our system for a while now. We use them for the more sensitive accounts like the domain administrator account and for service accounts where the password doesn't change and you only need to use it when you set up a new server. I find them much easier to remember than passwords, especially at three in the morning when you really need that f*/-*% password.
I recall a thread here, don't recall where, about how to generate a passphrase.
So I take a line from a song (one I like, obviously) and use that, and for the spaces I use symbols.
Works for me, and I haven't 'lost' a password since...
One point re: spaces:
I did read that using the spacebar in your password/phrase is NOT a good idea, in case someone is watching... the spacebar makes a distinctive sound...
My Hushmail account uses passphrases and this is the first time I have been introduced to them. I find it a lot easier to remember than the other 10 passwords that are floating around in my brain!