{"id":318,"date":"2009-06-01T09:33:57","date_gmt":"2009-06-01T14:33:57","guid":{"rendered":"http:\/\/vgable.com\/blog\/2009\/06\/01\/pass-phrases-not-passwords\/"},"modified":"2009-06-22T02:13:53","modified_gmt":"2009-06-22T07:13:53","slug":"pass-phrases-not-passwords","status":"publish","type":"post","link":"https:\/\/vgable.com\/blog\/2009\/06\/01\/pass-phrases-not-passwords\/","title":{"rendered":"Pass Phrases, Not Passwords"},"content":{"rendered":"<p><a href=\"http:\/\/www.baekdal.com\/articles\/Usability\/password-security-usability\/\">Thomas Baekdal makes a convincing argument for using pass-<em>phrases<\/em> not pass<em>words<\/em><\/a> (<a href=\"http:\/\/delicious.com\/hublicious\">via<\/a>). It&#8217;s excellent advice, and I know I&#8217;m not alone in having advocated it for years. <\/p>\n<p>My keyboard has 26 letters, 10 numbers, and 12 symbol keys, like ~. All but spacebar make a different symbol when I hold down shift, giving me 93 characters to use in my passwords. But <strong>the number of words that can make up a pass-phrase is <em><a href=\"http:\/\/en.wikipedia.org\/wiki\/English_language#Number_of_words_in_English\">easily<\/a><\/em> in the 100,000s<\/strong>. Estimating the exact figure is a bit tricky, but I will stick with 250,000 here (I think it&#8217;s an <em>undercount<\/em>; more on this later).<\/p>\n<h3>We Know How To Talk<\/h3>\n<p>The human brain has an <em>amazing<\/em> aptitude for language. But &#8220;passwords&#8221; aren&#8217;t really words, so they don&#8217;t tap into this ability. In fact, <strong>we often use <em>words<\/em> to try and remember the nonsense-characters of a password<\/strong>.<\/p>\n<p>Wouldn&#8217;t it make more sense to just use the words directly, if we can remember them more easily?<\/p>\n<h3>Hard For Computers, Not Hard For Us<\/h3>\n<p><strong>People <em>feel<\/em> that if security system A is harder for them to use than system B, then A must be harder for an attacker to bypass<\/strong>. 
But the facts don&#8217;t always match this intuition.<\/p>\n<p>What authentication code do you think is harder for a bad guy to hack, the 7-character <a href=\"http:\/\/strongpasswordgenerator.com\/\">strong password<\/a> &#8220;1Ea.$]\/&#8221;, or the mnemonic for the first 3 characters, &#8220;One Elvis Amazon&#8221;? Certainly &#8220;1Ea.$]\/&#8221; is harder for a person to remember. It <em>feels<\/em> like it <em>should<\/em> be harder to break. But a computer, not a person, is going to be doing the guessing, and all it cares about is how big the search space is. There are 93<sup>7<\/sup> possible 7-character passwords. Let&#8217;s say there are 250,000 possible English words (more on that figure later). Then there are 250,000<sup>3<\/sup> 3-word combinations &#8212; meaning an attacker would have to do 260 <em>times<\/em> more work to guess &#8220;One Elvis Amazon&#8221; than to guess &#8220;1Ea.$]\/&#8221;.<\/p>\n<p>With pass phrases, easier for the good guys is also harder for the bad guys.<\/p>\n<h3>Exactly How Much Harder<\/h3>\n<p>The &#8220;250,000 word&#8221; figure is a bunch of hand-waving, but I believe it&#8217;s an <em>undercount<\/em>. I picked it because I wanted a round number to crunch; <a href=\"http:\/\/www.baekdal.com\/articles\/Usability\/password-security-usability\/\">it&#8217;s what Thomas Baekdal<\/a> picked; and it&#8217;s about the size of <a href=\"http:\/\/en.wikipedia.org\/wiki\/Words_(Unix)\">the Mac OS X words file<\/a>,<\/p>\n<pre>\n$ wc -l \/usr\/share\/dict\/words \n  234936<\/pre>\n<p>But liberally descriptive linguists say that <a href=\"http:\/\/www.languagemonitor.com\/?p=368\">the 1,000,000th word will be added to the English Language on June 10th, 2009<\/a>. The more conservative <cite>Webster&#8217;s Third New International Dictionary, Unabridged<\/cite> lists 475,000 English words. Obviously <strong>neologisms, slang, and archaic terms are fine for pass phrases<\/strong>. 
People <em>like<\/em> <a href=\"http:\/\/www.google.com\/search?rls=en-us&#038;q=word+of+the+day&#038;ie=UTF-8&#038;oe=UTF-8\">discovering quirky words<\/a>. I see far more people embracing the login &#8220;kilderkin of locats&#8221; than rejecting it.<\/p>\n<p><strong>Different conjugations (can) count as different words in pass-phrases.<\/strong> There&#8217;s only one entry in a dictionary for swim, but swim, swimming, swam, etc. make for distinct pass-phrases (e.g. &#8220;Elvis <strong>swims<\/strong> fast&#8221;, &#8220;Elvis <strong>swam<\/strong> fast&#8221;, etc. Neither phrase shows up in a Google search, by the way.) So <strong>the real number of words should be several-fold larger than a dictionary indicates<\/strong>.<\/p>\n<p>But <strong>not all words are equally likely to be chosen<\/strong> &#8212; just as <a href=\"http:\/\/www.schneier.com\/blog\/archives\/2006\/12\/realworld_passw.html\">some characters are more popular in passwords<\/a>. My earlier figure of &#8220;250000<sup>3<\/sup> 3-word combinations&#8221; was based on the naive assumption that each of the 3 words is <a href=\"http:\/\/en.wikipedia.org\/wiki\/Independent_variable\">independent<\/a>. But <a href=\"http:\/\/scienceblogs.com\/cognitivedaily\/2007\/02\/is_17_the_most_random_number.php\">people do not pick things at random<\/a>. And a phrase is <em>by definition<\/em> not completely random &#8212; it must have <a href=\"http:\/\/en.wikipedia.org\/wiki\/Subject_Verb_Object\">some structure<\/a>. I&#8217;m unaware of research into exactly how predictable people are when making up pass-phrases. 
<\/p>\n<p>But given how <em>terrible<\/em> we are at picking good passwords, and how good we are at remembering non-nonsense words, I am optimistic that we can remember pass-phrases that are orders of magnitude harder to guess than the &#8220;good&#8221; passwords we can&#8217;t remember today.<\/p>\n<h3>Fewer Ways To Fail<\/h3>\n<p>We&#8217;ve all locked ourselves out of an account because of typos or <a href=\"http:\/\/imlocation.wordpress.com\/2007\/07\/28\/caps-lock\/\">caps lock<\/a>. But pass-phrases can be more forgiving.<\/p>\n<p>Pass-phrases are case-<em>in<\/em>sensitive. There&#8217;s no need to lock someone out over &#8220;ELvis&#8230;&#8221;.<\/p>\n<p>Common typos can be auto-corrected, much as Google automatically suggests words. Consider the authentication attempt &#8220;Elvis <em>Swimmms<\/em> fast&#8221;. The system could recognize that &#8220;Swimmms&#8221; isn&#8217;t a word, and try the most likely correction, &#8220;Elvis <strong>Swims<\/strong> fast&#8221; &#8212; if it matches, then there&#8217;s no reason to ask the user if it&#8217;s what they really meant. (Note that only one pass-phrase is checked per login attempt.) I don&#8217;t have hard data here, but given how successful Google is at interpreting typos, I&#8217;d expect such a system to work very well.<\/p>\n<p>Pass-phrases might be more difficult on phones, and on other devices that are similarly <a href=\"http:\/\/rands.tumblr.com\/post\/93333051\/roughly-30-apology\">awkward to write with<\/a>. Writing more letters means more work. <a href=\"http:\/\/en.wikipedia.org\/wiki\/Predictive_text\">Predictive text<\/a> can only do so much. Repeatedly typing 3 letters <em>and<\/em> accepting a suggestion is clearly more work than just tapping out 6 characters. Additionally, there are security concerns with a predictive text system remembering your pass-phrase, or even a small part of it. 
<\/p>\n<p>But for computers, pass phrases look like a clear usability win.<\/p>\n<h3>Easily Secure Conclusion<\/h3>\n<p>(In case you were wondering, <a href=\"http:\/\/www.google.com\/search?hl=en&#038;q=%22Easily+Secure+Conclusion%22&#038;btnG=Search&#038;aq=f&#038;oq=&#038;aqi=\">that was a unique phrase<\/a> when I wrote this.) Using pass-<em>phrases<\/em> over passwords (which are really pass-strings-of-nonsense-symbols-that-<a href=\"http:\/\/www.schneier.com\/blog\/archives\/2005\/06\/write_down_your.html\">nobody-can-remember<\/a>) makes a system significantly harder to crack. Pass-phrases are easier for humans to remember, and a system that uses them can be very forgiving. But as always, the devil is in the details. It&#8217;s terrifying to be an early adopter of a new security practice, even if it seems sound.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Thomas Baekdal makes a convincing argument for using pass-phrases not passwords (via). It&#8217;s excellent advice, and I know I&#8217;m not alone in having advocated it for years. My keyboard has 26 letters, 10 numbers, and 12 symbol keys, like ~. 
All but spacebar make a different symbol when I hold down shift, giving me 93 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[16,11,42,8],"tags":[297,187,434,311,433],"class_list":["post-318","post","type-post","status-publish","format-standard","hentry","category-accessibility","category-research","category-security","category-usability","tag-authentication","tag-english","tag-pass-phrases","tag-password","tag-randomness"],"_links":{"self":[{"href":"https:\/\/vgable.com\/blog\/wp-json\/wp\/v2\/posts\/318","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/vgable.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/vgable.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/vgable.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/vgable.com\/blog\/wp-json\/wp\/v2\/comments?post=318"}],"version-history":[{"count":0,"href":"https:\/\/vgable.com\/blog\/wp-json\/wp\/v2\/posts\/318\/revisions"}],"wp:attachment":[{"href":"https:\/\/vgable.com\/blog\/wp-json\/wp\/v2\/media?parent=318"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/vgable.com\/blog\/wp-json\/wp\/v2\/categories?post=318"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/vgable.com\/blog\/wp-json\/wp\/v2\/tags?post=318"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}