Endpoint // Authentication
1/10/2012
00:37 AM

Passphrases A Viable Alternative To Passwords?

Some experts say they are, but technological and cultural issues bar the path to passphrases

Two-factor authentication might be a great way to bolster log-in processes across the enterprise and even on the Web, but when it comes down to it, the typical authentication process using something someone knows -- typically a password -- isn't going anywhere any time soon. Nevertheless, some security professionals wonder whether it is time for the industry to take stock: They think organizations should at least consider replacing these difficult-to-remember, difficult-to-secure jumbles of alphanumeric characters with more memorable and more secure passphrases.

Sure, passphrases are not as secure as a token or some other two-factor authentication method, but they're more secure than "12345" and much easier to remember than some strange concoction like "b4x87g-m." While it might be tempting to blame end users for coming up with crummy passwords, Nick Selby, a Texas police officer and managing director of enterprise security consultancy TRM Partners, believes the problem is not because users are too dumb to absorb security training, but because security practices put them in an impossible situation.

"What can't be trained is demanding that people use something which is impossible to remember -- and then demanding that they remember that. And attendant with that is not writing it down. You can't remember it, and you can't write it down," Selby says. "Is that a user issue? I don't think so."

His argument is that passphrases -- such as a sentence from a favorite book -- are easier to remember and harder to crack than most passwords today, even without special characters. Many within the industry back him.

"Passphrases are a much better solution to shared secrets compared to simple one-word passwords," says Phil Lieberman, president of Lieberman Software. "Making passphrases more secure than one-word passwords is simple mathematics. The ability to reverse a single-word password is simply a matter of the length of the password itself -- hash lookups. Having the phrase go beyond 14 characters in length makes hash lookups very expensive. Fundamentally, there are very few long English single words that are memorable, but a phrase or sentence that goes beyond the 14 or so characters in length is easy to create and remember."

Abbas Haider Ali agrees, explaining that even without any special characters, a long passphrase keeps brute-force attacks at bay far better than a shorter mix of alphanumeric soup.

"I like to use the How Secure Is My Password site as a litmus test of how secure a password is," says Ali, vice president and technology evangelist for xMatters, a relevance engine firm. "[According to the site], 'b4x87g-m' would take two days to crack. My random passphrase of 'This password is easy to remember, and crazy to break!' would take 36 octovigintillion years to break."

So what's the holdup? Why aren't organizations using passphrases if they're more difficult to hack? According to Ali, a lot of the problem is the cultural view that shorter is easier to remember and that increasing complexity is better than increasing length, in spite of research showing that users can remember passphrases more easily and proof that longer passphrases are harder to crack.
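To make Lieberman's "simple mathematics" and Ali's comparison concrete, here is an added Python example (written for this page; it is not code from the article or from any of the people or companies quoted) that estimates the search space of a secret under two attacker models: a character-by-character brute force over the character classes the secret actually uses, and a word-by-word model, of the kind the xkcd comic cited in the comments below uses, that an attacker would apply once they suspect the secret is plain English. The guess rate, the 33-character symbol class and the 20,000-word vocabulary are assumptions chosen for illustration; the online tool Ali mentions has its own unpublished model, so its year figures will not match these.

```python
import math
import string

# Character classes for the brute-force model. The symbol class is the 32
# printable ASCII punctuation characters plus the space (33 total); this is an
# assumption for illustration, not a figure from the article.
LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGITS = set(string.digits)
SYMBOLS = set(string.punctuation) | {" "}
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)


def alphabet_size(secret: str) -> int:
    """Size of the smallest union of classes that covers every character used."""
    used = set(secret)
    return sum(len(cls) for cls in CLASSES if used & cls)


def char_model_bits(secret: str) -> float:
    """Bits of search space if the attacker must try every string over that alphabet."""
    return len(secret) * math.log2(alphabet_size(secret))


def word_model_bits(secret: str, vocab_size: int) -> float:
    """Bits of search space if the attacker guesses whole words from a vocabulary of
    vocab_size entries (only meaningful when the secret really is dictionary words)."""
    return len(secret.split()) * math.log2(vocab_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try the whole space at a fixed, assumed guess rate. No salting,
    slow hashing or online throttling is modelled."""
    return 2.0 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    RATE = 1e10      # assumed: about ten billion guesses/s against a fast unsalted hash
    VOCAB = 20_000   # assumed vocabulary size for the word model
    for secret in ("b4x87g-m",
                   "This password is easy to remember, and crazy to break!",
                   "correct horse battery staple"):   # the example from xkcd 936
        c = char_model_bits(secret)
        w = word_model_bits(secret, VOCAB)
        print(f"{secret!r}: {c:.1f} bits by characters "
              f"({years_to_exhaust(c, RATE):.3g} years), "
              f"{w:.1f} bits by words ({years_to_exhaust(w, RATE):.3g} years)")
```

The word model is the attacker's best case and only applies when the secret is made of dictionary words; for Ali's 54-character sentence it lowers the estimate from roughly 346 bits to roughly 143, which is the fall-off the xkcd comment describes, yet that is still far above the roughly 49 bits of 'b4x87g-m'. Neither figure says anything about precomputed hash lookups against an unsalted store or about online guessing limits, which is why salted, slow password hashing and lockout policies matter whatever the length.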

"That's where we continue to see rules that force complexity instead of recognizing research that clearly shows length would be better," Ali says. "I've seen capital letters, special characters, numbers, common word checking, 'leet' character replacement, etc. -- all futile and painful, to boot."

According to Selby, the reluctance to transition to passphrases is partially due to the security industry becoming a victim of its own success.

"For years, talking heads have said that the key, the foundation, the bedrock to good security is a strong password: mixed upper- and lowercase, at least eight characters, including special characters and numbers that no one can remember and use," Selby says. "Great. So everybody believes it. Now what's the point in investing in passphrases?"

[Craft a strong enough yet manageable authentication strategy. See Tech Insight: A Practitioner's Guide To Authentication.]

This attitude has manifested itself into technical limitations that are "reinforced over again since no one big tech company or provider has decisively broken ranks," Ali says.

There is a wish among some enterprise users that they could institute phrases, but they're experiencing a technology lag within the software and identity management worlds that stymies the urge.

"One reason [organizations don't use passphrases] is the number of software applications that do not support long or complex passphrases," says J. Wolfgang Goerlich, network operations and security manager for a Midwest financial services firm. "Length and special characters seem to be a challenge for some vendors. Sometimes referred to as technological debt, many IT departments must maintain a suite of apps that have not been updated with modern security recommendations."

That's not to say there is no technology whatsoever that supports passphrases. It does exist, says Mike Meikle, CEO of the Hawkthorne Group, who points to Microsoft Active Directory's LDAP solution's support of 128-character passwords as an example.

"Application developers have to be encouraged to ensure their applications support this shift, users have to be educated on the benefits, and senior leadership has to be made aware of the solutions that are currently available to make an effective transition from password to passphrase," Meikle says.

It is far from a button-press transition, either.

"We are continually fighting tomorrow's battles with yesterday's or yesteryear's technology or technological approaches and philosophy," Selby says. "It just means you have to rearchitect something to accommodate a passphrase and not a password. Try typing a space into half the things you sign up for on the Internet and you break it."

Organizations need to change user interfaces if they want to make it easy for users to enter longer phrases that might be more prone to fat-finger mistakes, perhaps dropping some of the conventions of today's password entry interface.

"I know that the bullets or stars are there to prevent someone from shoulder-surfing your password, but they really make it hard to use passwords of more than about a dozen characters in length," says Andrew Brandt, director of Threat Research at Solera Networks Research Labs. "How on earth would anyone know, after typing a 50- to 60-character phrase that is obfuscated with bullets, where the typo is? I certainly don't want to have to type the opening monologue from Hamlet five times just to log back in after lunch."

What's more, it isn't just technology that needs to change. So do password policies, says Nishant Kaushik, chief architect of Identropy. As he explains it, good password policies often introduce requirements like use of mixed case, numbers, and special characters.

"Incorporating these into a passphrase is actually quite hard for users and makes them quite unusable [because] it's difficult to remember the correct substitutions," he says. "Password policies are a necessary protection factor introduced by many applications/security tools to ensure higher complexity and therefore lower guessability [or] crackability when combined with lockout policies. We still haven't figured out a way to define password policies that are passphrase-friendly."
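As an added illustration of Kaushik's point (this is example code written for this page, not anything from Identropy or the other vendors named), the Python below puts the legacy complexity rule Selby describes next to a length-aware rule of the kind the article argues for. The 15-character threshold follows Lieberman's "beyond 14 characters", the 128-character ceiling mirrors the Active Directory limit Meikle cites, and the blocklist is a constructed stand-in for a real list of breached passwords; the length-aware rule never strips or rejects spaces, which is the breakage Selby mentions.

```python
import string

SPECIAL = set(string.punctuation)   # non-alphanumeric, non-space characters
MIN_PASSWORD_LEN = 8                # the legacy "at least eight characters" rule
MIN_PASSPHRASE_LEN = 15             # "beyond 14 characters", per Lieberman
MAX_LEN = 128                       # assumed ceiling, matching the AD limit Meikle cites
# Constructed sample blocklist; a deployment would use a breached-password corpus.
BLOCKLIST = {"12345", "password", "p@ssw0rd", "letmein"}


def complexity_classes(secret: str) -> dict:
    """Which of the four classic character classes the secret contains."""
    return {
        "upper": any(c.isupper() for c in secret),
        "lower": any(c.islower() for c in secret),
        "digit": any(c.isdigit() for c in secret),
        "special": any(c in SPECIAL for c in secret),
    }


def complexity_only_policy(secret: str) -> tuple:
    """Legacy rule: at least 8 characters and all four classes; extra length
    earns nothing. Returns (accepted, reason)."""
    if len(secret) < MIN_PASSWORD_LEN:
        return False, f"shorter than {MIN_PASSWORD_LEN} characters"
    missing = [name for name, present in complexity_classes(secret).items() if not present]
    if missing:
        return False, "missing " + ", ".join(missing)
    return True, "ok"


def passphrase_friendly_policy(secret: str) -> tuple:
    """Length-aware rule: long secrets are accepted on length alone, short ones
    fall back to the complexity rule, and known-bad strings are refused either
    way. The secret is checked exactly as typed; spaces are never stripped."""
    if len(secret) > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters"
    if secret.lower() in BLOCKLIST:   # catches 'leet' variants listed in the corpus
        return False, "on blocklist"
    if len(secret) >= MIN_PASSPHRASE_LEN:
        return True, "accepted on length"
    return complexity_only_policy(secret)


if __name__ == "__main__":
    for candidate in ("12345", "P@ssw0rd", "correct horse battery staple",
                      "This password is easy to remember, and crazy to break!"):
        print(f"{candidate!r}: legacy={complexity_only_policy(candidate)} "
              f"length-aware={passphrase_friendly_policy(candidate)}")
```

Run as a script, the two rules disagree in both directions: the legacy rule waves through "P@ssw0rd" (four classes, eight characters) while refusing the four-word phrase, and the length-aware rule does the opposite. Whichever rule is used, the blocklist and a lockout policy still do the work of stopping guessing against common choices.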

However, it might be worth the extra effort. Marcus Carey, security researcher at Rapid7, agrees with Selby that organizations need to roll up their sleeves and start finding creative ways to tackle both the cultural and technological obstacles for passphrases.

"For a long time, the security industry has told organizations that short, complex passwords are better. It's hard to teach an old dog new tricks, and there are certainly those in the security industry that can't admit, 'Hey, what we've been telling you for years is actually not that effective.' Also, software such as identity management solutions would have to be rewritten and updated to support longer text strings," he says. "I think we should think about alternatives to the user login interface -- for example, a login interface where a user could enter a series of simple words which makes up a larger passphrase."

Comments
Mya,
User Rank: Apprentice
1/11/2012 | 11:37:00 AM
re: Passphrases A Viable Alternative To Passwords?
Hello,
It's been amazing content in your blog, and yup, I agree with Two-factor authentication, which you are giving, because after using Two-factor authentication for my own organizational industry it's been so great to work as a place and for the employees. In our industry we use "COMODO" Two-factor Authentication for enterprises. I particularly chose this because of various success criteria like "If preventing a cyber-attack and maintaining your company's reputation is a concern"; I have chosen COMODO Two-factor authentication.
jerry shenk,
User Rank: Apprentice
1/10/2012 | 8:56:08 PM
re: Passphrases A Viable Alternative To Passwords?
Passphrases really aren't that much work? Something like, "Passphrases are more secure." - upper/lower case, special characters (period and space) and the length is pretty good too. It's just one sentence...you typed 5 sentences as a comment about how much work a passphrase would be.
Myself248,
User Rank: Apprentice
1/10/2012 | 8:50:10 PM
re: Passphrases A Viable Alternative To Passwords?
What, no love for XKCD?
http://xkcd.com/936/ Not only does Randall Munroe give a better example, he explains the math behind the entropy calculation. If an attacker has a hunch that the phrase is composed of English text, the difficulty quickly falls from 36 octovigintillion years, but it's still much better than p4ss?!w3rd. (Visit the xkcd forums and see the thread for that comic, for a much more in-depth analysis.)

Is there a name-and-shame venue for companies handling sensitive data with laughably inept password parameters? Limit of 8 characters on a banking website just gives me the creeps.
spetricig105,
User Rank: Apprentice
1/10/2012 | 5:15:45 PM
re: Passphrases A Viable Alternative To Passwords?
The problem with long passphrases is exactly that - they're long. This means more typing, and if I have to enter my passphrase in multiple systems or at multiple interfaces, that's going to be a lot of time spent typing. Especially if I make a mistake, which a longer passphrase makes more likely. Don't get me wrong, I'm a security professional, and I totally support stronger authentication. I just think there has to be a better way than passwords OR passphrases.