Science Fair Project Encyclopedia
A passphrase is a collection of 'words' used for access control, typically used to gain access to a computer system. Passphrases are also used to control both access to, and operation of, special security programs such as cryptographic systems. The origin of the term is by analogy with "password". The modern concept of passphrases is believed to have been invented by Sigmund N. Porter in 1982.
The words need not all be, but often are, found in a language dictionary, most particularly one available (on or off line) as input to a dictionary attack program. If they can be found in such a dictionary (and especially if the entire phrase appears in a quotation or phrase compilation), an attacker has some chance of discovering the passphrase by an automated dictionary attack. However, the required effort (time, cost, ...) can be made impracticably high if there are enough words in the passphrase. How many depends on the vocabulary from which they are chosen (e.g., English has the largest number of words of any language, though most are rarely used) and on whether those words are selected randomly. Under such conditions the number of combinations that would have to be tested makes a dictionary attack so difficult as to be infeasible. These are difficult conditions to meet, and including at least one 'word' that cannot be in any dictionary is still more effective.
For example, the widely used cryptographic system PGP requires each user to make up a passphrase that must be entered whenever a message is signed or decrypted. So does GPG, the newer implementation compliant with the Internet standard OpenPGP. An Internet service called Hushmail provides free encrypted e-mail, but its security depends almost entirely on the quality of the passphrase you choose. You should have your passphrase ready before creating your PGP or GPG key or opening a new Hushmail account, as 'inventing' a passphrase while entering it is a poor practice, very likely to lead to poor passphrases, and so to poor security.
Differences from passwords
Passphrases differ from passwords. A password is usually short — six to ten characters. Such passwords may be adequate for logging onto computer systems (if frequently changed, if permitted passwords are not found in dictionaries, if they are long enough that brute force search attacks are impractical, and if ...), but they are certainly not safe for use with quality security systems (e.g., encryption systems). Passphrases are a better choice. First, they usually are (and always should be) much longer — 20 to 30 characters or more is typical, making some kinds of brute force attacks entirely impractical. Second, if well chosen, they will not be found in any 'phrase or quote dictionary', so such dictionary attacks will be impossible. Third, they can be structured so as to be easier to remember than passwords without being written down, reducing that risk as well. They can thus be considerably more 'secure'.
Choosing a passphrase
Picking a good passphrase is one of the most important things you can do to preserve the privacy of your computer data and e-mail messages. A passphrase should be:
- Known only to you
- Long enough to be hard to guess (e.g., automatically by a search program, as from a list of famous phrases). This also implies that famous quotations from literature, holy books, et cetera should not be chosen regardless of length.
- Hard to guess by intuition, even by someone who knows you and facts about you well
- Easy for you to remember and type accurately
One reasonable way to create a passphrase is to use dice to select words at random from a long list, a technique often referred to as diceware. While such a collection of words might appear to violate the "not from any dictionary" rule, the security is based entirely on the large number of possible ways to choose from the list of words and not on any secrecy about the words themselves. If there are 7776 words in the list (as is the case with the Diceware word list), and six words are chosen randomly, then there are 7776 × 7776 × 7776 × 7776 × 7776 × 7776 = 221073919720733357899776 possibilities, providing about 78 bits of entropy.
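The diceware selection and the entropy arithmetic above, as an added example that is not part of the original article: the word list is a constructed twelve-word stand-in for the real 7776-entry list (assumed sorted by dice key), and the guess rate passed to `expected_years_to_guess` is a hypothetical figure for illustration.

```python
import math
import secrets

# Constructed stand-in for the real Diceware list, which has 7776 entries,
# one per five-dice key from '11111' to '66666'; assumed sorted by key.
SAMPLE_WORDS = ["abacus", "brook", "cider", "dune", "ember", "fjord",
                "gable", "hinge", "ivory", "jolt", "kelp", "lumen"]
DICEWARE_LIST_SIZE = 6 ** 5  # 7776


def roll_key(n_dice: int = 5) -> str:
    """Simulate rolling n_dice dice; the digits form the key used to look up one word."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n_dice))


def key_to_index(key: str) -> int:
    """Map a dice key such as '31462' to a 0-based position in a key-sorted list (base 6)."""
    index = 0
    for ch in key:
        digit = int(ch)
        if not 1 <= digit <= 6:
            raise ValueError(f"invalid die face in key: {key!r}")
        index = index * 6 + (digit - 1)
    return index


def combinations(list_size: int, n_words: int) -> int:
    """Number of equally likely passphrases: list_size ** n_words."""
    return list_size ** n_words


def entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy of a uniformly chosen passphrase, in bits: n_words * log2(list_size)."""
    return n_words * math.log2(list_size)


def expected_years_to_guess(list_size: int, n_words: int, guesses_per_second: float) -> float:
    """Expected time for exhaustive search to hit the passphrase (half the space on average)."""
    seconds = combinations(list_size, n_words) / 2 / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def generate_passphrase(words: list, n_words: int = 6) -> str:
    """Pick n_words uniformly at random; secrets.choice plays the role of the dice.
    The list is public: only the selection is secret."""
    return " ".join(secrets.choice(words) for _ in range(n_words))
```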
Another is to choose two phrases, turn one into an acronym, and include it in the second, making the final passphrase. For instance, using two English language typing exercises, we have the following. The quick brown fox jumps over the lazy dog, becomes tqbfjotld. Including it in, Now is the time for all good men to come to the aid of their party, might produce, Now is the time for all good tqbfjotld to come to the aid of their party as the passphrase.
There are several points to note here, all relating to why this example passphrase is NOT a good one.
- It has appeared in public and so should be avoided by everyone.
- It's long (which is a considerable virtue in theory) but requires a good typist (which is an overwhelming problem for most people in actual practice). Whatever software accepts the passphrase should never echo it to your display, lest shoulder surfers take advantage, and typing errors are much more likely under such conditions, especially for extended phrases.
- It doesn't contain any non-alphabetic characters. Converting, say, the 'l' (Latin small letter L) in the acronym to a '1' (digit one) would be an improvement.
- Individuals and organizations serious about cracking computer security have compiled lists of passwords derived in this manner from the most common quotations, song lyrics, and so on.
The PGP Passphrase FAQ by Randall T Williams suggests a procedure with a better balance between theoretical security and practicality than this example. All procedures for picking a passphrase involve a tradeoff between security and ease of use; security should be at least 'adequate' while not 'too seriously' annoying users. Both criteria should be evaluated to match particular situations.
The contents of this article are licensed from www.wikipedia.org under the GNU Free Documentation License.