Here is a collection of quotes and facts supporting the use of passphrases as a way to increase security.
I want to thank ITSO for their tireless efforts to help secure the IU network. Their most recent project, to increase the minimum and maximum password length, is a much needed step toward that goal. Our institutional data is only as secure as our weakest password, and by moving to a paradigm of lengthy "passphrases" we not only make our data more secure but we also make our passwords easier to remember. We have already begun implementing passphrases within HELPnet, and I can testify that it's much easier to remember a 25-character passphrase than a 10-character, complicated password. The mathematics proves that the length of a password is more important than the complexity. I welcome the change, and the challenge, of making this shift. I know it will be a hard sell to some, but in the long run this move by ITSO will be appreciated.
-- Todd Herring, HELPnet Network Systems Manager, SPEA / KSB / SLIS at IUPUI
Strengthening our passwords and changing the strategy to passphrases sound like an excellent plan. All we can do to enhance security for our users, their data, as well as the institution's is worth pursuing.
-- Mercedes Randall, MBA, Director, Systems and Administration, Research & Sponsored Programs at IUPUI
Short but complex passwords should be shunned as they are not truly secure anymore and you are deceiving yourself if you think they are. Long pass-phrases are the future and are the only way to go if you want to ensure that you won't get hacked via any type of password based attack of any kind.
-- Rob Hensing, Microsoft (read the whole blog post)
Weak passwords are the primary way in which we defeat Windows Server 2003 networks in professional penetration testing engagements.
-- Hacking Exposed: Windows Server 2003, page 9
Pass phrases are coming into vogue for a number of reasons, one being the development of tools that can crack many passwords in minutes. These tools are not new. Quakenbush Password Appraiser could do this in 1998. What is new is the theory and practice behind the space-time tradeoff, advanced by Dr. Philippe Oechslin. The time-space tradeoff means that you do not store all possible hashes, which would require more storage than exists in the universe (if you try to store NT hashes). Storing all the NT hashes up to 14 characters for the 76-character character set would require 5,652,897,009 exabytes of storage, which exceeds the capacity of any file system today. Storing all the LM hashes, which only requires 310 terabytes, is still infeasible. To solve this dilemma, Dr. Oechslin came up with a time-space tradeoff where you only store a portion of the hash and its associated passwords. This drastically cuts storage requirements, and with only 17 gigabytes of storage, you can store the LM hashes for the same character set. As we shall see, one of the primary arguments for pass phrases is that they make the storage requirements prohibitive and break the pre-computed hash attacks.
-- Jesper Johansson, Microsoft
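The storage argument in Johansson's quote, worked through as an added example that is not part of the original page or his text: it uses the 76-character set and 14-character NT limit from the quote and the 25-character passphrase from Herring's, and compares a naive hash table with an Oechslin-style chain table. The 16-byte hash size, the per-row layout and the chain length are assumptions, so the totals will not reproduce Johansson's exact figures, but the growth in length does.

```python
# Added example (not from the IU page or from Johansson): how precomputed-hash
# storage grows with password length, using the page's 76-character set, the
# 14-character NT limit, and the 25-character passphrase mentioned by Herring.
# Per-row sizes and the chain length below are assumptions, not his figures.

HASH_BYTES = 16          # NT (MD4) and LM hashes are both 16 bytes
CHARSET = 76             # character-set size quoted in the text

def keyspace(charset_size: int, max_len: int) -> int:
    """Number of candidate passwords of length 1..max_len over the charset."""
    return sum(charset_size ** n for n in range(1, max_len + 1))

def full_table_bytes(charset_size: int, max_len: int, hash_bytes: int = HASH_BYTES) -> int:
    """Naive lookup table: one (hash, plaintext) row for every candidate."""
    return sum(charset_size ** n * (hash_bytes + n) for n in range(1, max_len + 1))

def tradeoff_table_bytes(charset_size: int, max_len: int, chain_len: int,
                         hash_bytes: int = HASH_BYTES) -> int:
    """Oechslin time-memory tradeoff: store only chain start/end points.
    Roughly N/t chains of length t cover a keyspace of N candidates, so memory
    shrinks by about t while each lookup costs about t*t hash operations."""
    candidates = keyspace(charset_size, max_len)
    chains = -(-candidates // chain_len)          # ceiling division on big ints
    return chains * (max_len + hash_bytes)        # start plaintext + end hash

def human(n: int) -> str:
    """Decimal SI formatting (1 EB = 10**18 bytes); beyond YB a power of ten is shown."""
    units = ("B", "KB", "MB", "GB", "TB", "PB", "EB", "ZB", "YB")
    value = float(n)
    for unit in units:
        if value < 1000 or unit == units[-1]:
            return f"{value:.3g} {unit}"
        value /= 1000

def storage_report(max_len: int, chain_len: int = 10_000) -> dict:
    """Candidate count and both table sizes for passwords up to max_len."""
    return {
        "candidates": keyspace(CHARSET, max_len),
        "full_table": full_table_bytes(CHARSET, max_len),
        "tradeoff_table": tradeoff_table_bytes(CHARSET, max_len, chain_len),
    }

if __name__ == "__main__":
    for length in (7, 14, 25):      # LM half, NT limit, passphrase
        r = storage_report(length)
        print(f"len<={length:2d}: {r['candidates']:.3e} candidates, "
              f"full table {human(r['full_table'])}, "
              f"chain table (t=10000) {human(r['tradeoff_table'])}")
```

Going from 14 to 25 characters multiplies the keyspace by roughly 76^11, so even a chain table with a very long chain length for 25-character passphrases is far larger than the naive full table for 14-character passwords.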