Results 1 to 8 of 8

Thread: PassWORD or PassPHRASE?

  1. #1
    AO Ancient: Team Leader
    Join Date
    Oct 2002

    PassWORD or PassPHRASE?

    In a conversation regarding Rainbow Tables on Bugtraq there was a link to a rather interesting article, (Blog), by Robert Hensing, a senior member of Microsoft's Incident Response Team, entitled:-

    Why you shouldn't be using passwords of any kind on your Windows networks . . .

    It's well worth a read along with some of the responses..... Food for thought.

    The article
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  2. #2
    Senior Member
    Join Date
    Mar 2004
    I attended a recent Microsoft Security Seminar where they too STRONGLY pushed for the replacement of Passwords with Passphrase. And as the article that Tigershark linked to pointed out, there are a number of good reasons for this.

    In the end thou, I was unable to convince the management in my company to make the change over., thou I was able to get rid of all the "weak" passwrds that MBSA reported. I personally have switched over to passphrase for my own systems and do not find it is harder to remember OR making logging in more difficult.

    ~ I'm NOT insane! I've just been in a bad mood for the last 30 years! ~ Somepeople are like Slinky's: Not good for anything, but the thought of pushing them down the stairs brings a smile to your face!

  3. #3
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    United Kingdom: Bridlington
    Interesting but not that surprising IMHO. It is already known that the length of a password/phrase is more important that its complexity. This method allows very long passwords that can be easily remembered.

    The weakness would seem to be that it uses proper words? I am surprised to see that he didn't recommend using two languages for the phrase. That would certainly strengthen it considerably I would have thought.


  4. #4
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Beverwijk Netherlands
    I've been using passphrases since I don't know when..
    And allways recommend users to do so..
    Not only is it easier (humans think in sentences, not in signs) also for the above pointed out length of password..

    So what's next..
    pass limericks, pass poems..
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    While he didn't "push" the point he did mention that the use of uppercase and special characters significantly improved the passPHRASE strength, (which is a tad obvious since it increases the character set significantly). He also mentioned that the addition of numbers didn't help password strength, (it's only 10 more characters after all), but IMO, anything helps.

    Funny he didn't mention the use of extended ASCII, (though it was mentioned in the follow-ups), since that adds a further 128 to the character set and AFAIK, there isn't a password cracker out there in the public domain that takes the extended ASCII set into consideration. That's the quickest and easiest way to extend brute force time though. Even Rainbow Tables for the entire 255 character set would take months to build and Terabytes of storage making it impractical for the average person to even consider.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  6. #6
    AO Guinness Monster MURACU's Avatar
    Join Date
    Jan 2004
    We have been using passphrases on our system for a while now. We use them for the more sensative acounts like the domain administrator acount and for service acounts where the password doesnt change and you only need to use it when you set up a new server. I find them much easier to remember than passwords, especially at three in the morning when you really need that f*/-*% password.
    \"America is the only country that went from barbarism to decadence without civilization in between.\"
    \"The reason we are so pleased to find other people\'s secrets is that it distracts public attention from our own.\"
    Oscar Wilde(1854-1900)

  7. #7
    They call me the Hunted foxyloxley's Avatar
    Join Date
    Nov 2003
    3rd Rock from Sun
    I recall a thread here, don't recall where
    about how to generate a passphrase.
    So I take a line from a song [One I like, obviously] and use that, and for the spaces, there I use symbols.

    Works for me; and I haven't 'lost' a password since..............

    One point re:- spaces:
    I did read that using the spacebar in your password/phrase is NOT a good idea, in case someone is watching .......... spacebar makes a distinctive sound ..............
    55 - I'm fiftyfeckinfive and STILL no wiser,
    OLDER yes
    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone

  8. #8
    Join Date
    Sep 2004
    My Hushmail account uses passphrases and this is the first time I have been introduced to them. I find it a lot easier to remember than the other 10 passwords that are floating around in my brain!
    There wasn\'t any paper used here, but millions of electrons were terribly inconvenienced

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts