Passphrases and Passwords

Good methods for increasing password security.

Passwords are critical components of both offline and online security. The usefulness of passwords has seen password-based authentication implemented in almost every aspect of computer operation. As such, it is paramount to understand to make strong memorable passwords. In this article we will be discussing password complexity, password length, password storage, passphrase usage, password managers, and multi-factor authentication.

Password complexity is a simple metric by which we can judge the difficulty of guessing any given password. Password complexity is often calculated by determining the number of possible values for each character and raising its exponent to the length of a password in characters. For example, on a US keyboard there are about 96 typeable characters that you can use in a password. If you were to make a 10-character password on a US keyboard, we know that the odds of someone guessing a specific password are 1 in 9610. This is the very reason that most websites require you to use special characters numbers, and capital/lower-case letters in your passwords.

When choosing the length of any password, there are three primary considerations: The time required for typing the password, the maximum size of a password which you can easily remember, and the speed at which someone can attempt to guess a password. You can determine the maximum size of an easily memorable password by writing down a test password of a given length, and then trying to remember it one hour later. The length and typing-complexity of any password will determine how much time it takes to use and how often a typo will occur during use. Overly difficult to type passwords have the potential to cost you hours of time each week depending on the circumstance. Last, but not least, it is important to determine the maximum rate at which someone or something can try to guess your password. If a password can only be guessed 3 times per hour, a 10 digit numeric passwords should remain secure for years. But if a computer is allowed to guess passwords millions of times per second, you will need a much more complex password to ensure it remains secure.

The most secure way to store your passwords is through memorization, but there is an upper limit for how many passwords a single person can remember. Password storage allows you to utilize far more passwords than you could reliably remember by keeping some of your passwords stashed away for when you need them. There are several good methods for storing passwords, you can utilize both physical storage, digital storage, or a combination of the two. Physical password storage follows the same principles for any other secure storage method. You can lock passwords away in a safe or a lock-box, or you could hide them somewhere where only you would find them. The alternative to physical storage is digital storage. Digital storage is accomplished through the encryption of a file or portions of a file which contains the passwords you need to store. This way you can access multiple stored passwords while only having to remember the master passwords for the decryption. These methods can by combined by storing encrypted passwords on removable storage, and then securely storing the removable storage in a safe place.

Now that we know the reasoning behind password use, we can consider a higher-level approach to password creation. This higher-level approach is often referred to as passphrase creation. It is a method for forming much longer passwords while allowing each password to still be easily remembered. Passphrase creation follows a simple principle of keyword substitution. Instead of choosing a single letter or number for each character as you make a password, you would instead pick an entire word or larger number to replace it.

For our example we will use the example password: “T1rNi5”. Now this isn’t a bad password, but it is fairly week. Instead let’s choose a phrase with the same number of key elements as that password: “Texas is really nice in spring”. Both of these passwords have the same number of elements that you need to remember, but the passphrase is significantly larger, and thus much harder to guess through a brute-force methodology.

The passphrase methodology, on its own, allows for some level of additional security with minimal effort, but it does have a key weakness: It is highly vulnerable to dictionary-based attacks in its default state. This means that a computer which is randomly guessing word combinations would find our example passphrase very easy to guess. Luckily this can be easily mitigated by modifying our passphrase through the inclusion of additional numbers, letters, and special characters. The way in which you add additional detail will need to be unique to you. Throwing an exclamation point at the end of your password really doesn’t buy that much extra complexity since so many other people do the same thing. In our example I will follow a couple rules that are easy for me to remember: I will replace every other space with an underscore, all of the “e”s will be replaced with threes, and I will add punctuation. The resulting passphrase of “T3xas is_r3ally nice_in spring.” is far more secure and just as memorable as before, presuming that my password alteration rules remain the same. You will need to take some time to develop your own alteration rules as you see fit. Remember, the way that you create any password or passphrase should remain as much a secret as the passwords and passphrases themselves.

Now that we know how to make very durable passwords and how to store them safely, we should consider that there are tools which can do both of these processes for us. The tools I am referring to are called password managers, and they can provide a means to not only create extremely durable passwords, but also a means to store them very securely. The way most password managers work is through a master key system. You are required to keep the encrypted password file safely stored somewhere, and the password manager decrypts that file using the master key you provide it with. The password manager then decrypts each of the passwords from the file that you requested and organizes them so they are easy to access. Most password managers are also capable of generating very long and complex passwords. The primary concerns regarding password managers is their systemic security flaws, and their longevity. If the system that the password manager is stored on is compromised, there is a very high chance that the password manager can be compromised as well. This would not only compromise one password, but all the passwords which are stored by the password manager. There is also the risk of data corruption, so backups of your password manager’s database should be made and stored elsewhere in order to retain the long-term use of those passwords.