By Steven Myers, Assistant Professor of Informatics
The IT Security Office (ITSO) and University Information Technology Services (UITS) are leading the charge in making user accounts more secure, and, in so doing, are allowing users the option using passphrases as opposed to passwords. The syntactic difference between the two is really only one of length: passphrases are longer. The semantic difference between the two is the ability to dramatically increase the strength of a password against an attacker. In this document, we will try and discuss some of the benefits of switching to a stronger password or passphrase.
In order to see the benefit of passphrases (i.e., longer passwords) consider a password that could only be one character long, and it had to be a 1or a 0. Would you want such a password protecting your bank account? A thief could easily guess your password, as he would know its only two possibilities: 1 and 0. If the thief only had one chance of guessing the password, he would be correct with a 50% probability, but if the thief had two attempts to guess the password, then he would necessarily determine your password, as he could try both 1 and 0. Clearly, you would ask for more security from your bank.
Obviously, in the real world, one is not limited to choosing passwords whose characters consist only of 1 or 0. This helps with security in some sense. Let us consider how many choices there are for each character in the typical system’s passwords. This depends on the system, but presumably you can enter all of the letters of the alphabet (26), any of the numerals (10), or any of the syntactic symbols easily entered via the keyboard (28). Therefore, 64 possible characters can be entered in each position of the password. Thus, if the password were artificially limited to a length of 1 character, then there would be 64 possible passwords for users to choose from. If a user chose one of these uniformly at random, then the probability of the thief guessing the correct password on his first try would be 1/64, on his second try it would be 1/63, etc… In the worst case the thief would recover the user’s password in 64 attempts, and on average 32 attempts. This is still an unreasonably small number of passwords. An attacking thief could try all 64 possibilities in a few minutes by inputting passwords by hand.
Now let us consider passwords that are longer than 1 character. A password that is 2 characters long has 64 possibilities for the first character and 64 possibilities for the second character, or 64^2 =4096 total possibilities. Similarly, a 3-character password would have 64^3=262144 total passwords and a 4-character password would have 64^4=16777216 total passwords. If a thief could average trying 2 passwords per minute by hand typing them on the keyboard, it would take approximately 16 years to try all possible 4-character passwords. However, an attacking computer could try passwords at a rate much faster than 2 per minute. If the system on which the passwords are stored does not deploy countermeasures to stop automated computer attacks, then in a matter of minutes a computer can attempt all 4-character passwords.
A system that has passwords that are 8 characters long and 64 character choices per position permits a total of 64^8=281474976710656 possible passwords that can be selected by a user, or 281 trillion possibilities. At these truly large magnitudes, it would take a substantial amount of time for even a computer to try all possible passwords. If a computer averaged 1 million password attempts per minute, it would still take an automated computer attack over a year to try all of these possibilities.
Given the large amount of time it would take a computer to try all possible 8 character passwords, you may question the ITSO's and UITS' desire to make passwords longer than 8 characters (i.e., to passphrases). Their caution, however, is well founded. The issue is that while there are 281 trillion possible passwords in an 8-character system, they are not all equally likely to be chosen by users. In systems where people select the passwords themselves, they are predisposed to choosing words, names, places, dates and other easily memorizable passwords. Unfortunately, the number of such passwords is substantially smaller than the total number of possible passwords. For instance, there are approximately 50,000 English words in the average persons vocabulary, and only somewhere between half a million and a million total English words. Adding common dates, names, etc… doesn’t change the order of magnitude of this number. The result is that if an attacker guesses the most commonly chosen passwords first, he can try a rather small number of passwords to retrieve a large number of peoples’ passwords.
A study by Klein[1] shows that a small password list of approximately 50,000 common passwords contains approximately 20% of average users’ passwords, when users are not forced to follow any rules in selecting their passwords. A computer can easily attempt 50,000 common passwords in a matter of seconds. This means that left to their own devices 20% of users select passwords that can be easily broken by software designed to attack users’ passwords. It is because of this fact that many system administrators enforce rules on password selection, such as requiring users to include digits, symbols and a mix of upper- and lower-case letters in their passwords. By forcing such requirements on password selection, administrators induce users to select less common passwords, thereby making it harder for attackers to make use of small lists of passwords. Unfortunately, these requirements simultaneously make it more difficult for people to recall their passwords, as they force people to choose passwords that they consider unnatural and hard to remember (in particular, they are no longer remembering one word, but 8 seemingly loosely related symbols.) The failure of users to remember their passwords has costs and inconveniences to both users and administrators: users have the inconvenience of having their passwords reset, while administrators have to staff help desks to allow passwords to be reset.
One way to maintain the ability of people to remember their passwords while simultaneously increasing the diversity of passwords they tend to select is to increase the length of passwords (i.e. allow for passphrases). Note that passphrases are nothing more than passwords of a much longer length, and where multiple words are allowed (many systems disallow spaces in passwords). By increasing the length of passwords to that of passphrases, people are able to choose a passphrase that consists of a number of words, thus forming sentences that are more likely to have context, and thus be able to be easily remembered, while simultaneously providing a large enough number of possibilities so that they cannot be contained on a list.
Of course, this extension of passwords to passphrases does not guarantee that users will select strong passphrases, it only gives them ability to choose such phrases in a manner that should make them easy to remember. Attackers will still try to come up with lists of common phrases, so when selecting a passphrase a user should attempt to avoid famous sayings or quotes such as "to be or not or not to be", "beware the ides of March", "four score and seven years ago", etc… as such phrases are likely to be put on a list by an attacker. However, a user who chooses a phrase that only she is likely to know is apt to end up with a very secure passphrase.
[1] Daniel V. Klein, "Foiling the Cracker": A Survey of, and Improvements to, Password Security, Proceedings of the 2nd USENIX Unix Security Workshop, pp. 5-14, August, 1990