
Some evidence on multi-word passphrases - fuzzix
http://www.lightbluetouchpaper.org/2012/03/07/some-evidence-on-multi-word-passphrases/
======
ttt_
The real problem of passwords in general is the complete lack of a standard to
what a password can be. Basically every service with a login reinvents the
whole damn thing with completely arbitrary rules that are incompatible with
each other. Minimum and maximum length, case-sensitivity, digits, letters,
special characters, spaces.

Ok, after reading a lot about passwords I decided that I'm gonna go with a
condensed passphrase more than 10 characters long and with a couple of service-
contextual characters at the end. That oughta keep me safe, right? Well, except
I have to pick a 6-8 length password that MUST have a number AND a capitalized
letter in it!

~~~
wisty
Silent truncation is another gotcha. They drop everything after character 8
(so it fits in the database?). Then they change the schema, and stop
truncating at 8 characters, but only on some forms. Oh, the joy.

~~~
ovi256
MSN and Hotmail used to do this, and maybe still do, after 14 characters.

~~~
bwooce
My bank does it after 6! It even reminds you that it is 6 chars max on the
login page.
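As an added illustration of the silent-truncation gotcha described in this sub-thread (example code, not from the original comments or any of the services mentioned): a stand-in verifier that hashes only the first N characters, a probe that finds out how many characters a verifier really checks, and the "schema change" case where the hash was stored by a truncating form and a later non-truncating form rejects the full password. The sample password, function names and the SHA-256 stand-in hash are all constructed for the demo.

```python
# Added example (not from the original thread): a legacy login verifier that
# silently truncates, plus a probe that measures the truncation length.
import hashlib
import hmac
from typing import Callable, Optional


def legacy_hash(password: str, max_len: Optional[int]) -> str:
    """Hash only the first max_len characters (None = keep everything).

    Classic DES-based crypt(3) kept 8 characters; bcrypt keeps 72 bytes.
    SHA-256 is used here only so the demo runs on the standard library;
    it is not a suitable password hash on its own.
    """
    kept = password if max_len is None else password[:max_len]
    return hashlib.sha256(kept.encode("utf-8")).hexdigest()


def make_verifier(stored: str, max_len: Optional[int]) -> Callable[[str], bool]:
    """Return a login check that applies the same truncation the storage did."""
    def verify(candidate: str) -> bool:
        return hmac.compare_digest(stored, legacy_hash(candidate, max_len))
    return verify


def truncation_limit(verify: Callable[[str], bool], password: str) -> Optional[int]:
    """Probe a verifier with the password the account was registered with.

    Returns the number of characters the verifier actually checks, or None
    when every character matters. The registered password must be longer
    than the suspected limit, or the probe cannot see the truncation.
    Against a real service this costs one login attempt per prefix length,
    so run it only on an account you own.
    """
    if not verify(password):
        raise ValueError("registered password was rejected; probe is meaningless")
    for n in range(1, len(password)):
        if verify(password[:n]):
            return n
    return None


def schema_change_breaks_login(password: str, old_limit: int) -> bool:
    """The gotcha from the thread: the hash was stored by the old truncating
    form, then a new form stops truncating. The full password no longer
    verifies; only the old truncated prefix does."""
    stored = legacy_hash(password, old_limit)
    new_form = make_verifier(stored, None)
    return (not new_form(password)) and new_form(password[:old_limit])


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    bank = make_verifier(legacy_hash(pw, 6), 6)
    print("bank checks only", truncation_limit(bank, pw), "characters")
    print("a different password with the same 6-char prefix logs in:",
          bank("correct cat"))
    print("after the schema change the full password fails:",
          schema_change_breaks_login(pw, 8))
```

The probe is the check to run once against any service you suspect of truncating: register a long password, then try successively shorter prefixes. If a prefix shorter than the whole password is accepted, everything after it was never part of the secret.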

------
lhnz
Everybody is dancing around reality: passwords are incompatible with the
average person. The best passwords are almost always difficult to memorize,
and once they are memorized it is costly for us to change them. It's an
ill-fitting solution to a social problem.

~~~
danieldk
That's why password managers are so useful. For every service a user can use a
different strong password, but for the user there is only one password.

Of course, password managers have their weaknesses (a compromised system will
often give access to all accounts, rather than just a few), but it is far more
secure than having people use the same trivial password for every service.

~~~
pnathan
Also, if you forget your password to the password manager... :)

~~~
drucken
It is a single password/pass phrase. This makes it simple to manage.

You can easily create a simple paper and geographically-redundant system (e.g.
using a one-time pad) that means you can keep the passphrase in the open, for
example, in your wallet or purse.

Password managers are the only way to go and eventually all
password/passphrase users realise this because they end up emulating these
systems anyway (e.g. using extremely poor entropy additions to their existing
passwords for different applications).

------
TheCapn
This doesn't actually surprise me. If you consider that the role of random
brute forcing via dictionary attacks is to locate the appropriate order of
_tokens_ that work together to create a coherent meaning, you're essentially
not providing any more security with more words. A "Password" is a phrase
composed of tokens that are the alphabet, numbers, symbols. A "Passphrase" is
composed of tokens that are known English words. By taking the corpus search
method to determine natural phrases they're essentially trying to identify the
total breadth of 2+ token combinations that make up the English language.

This does break down like they said when you stop using coherent meanings. A
passphrase that is HorseQuoteBulb would be hard to guess in comparison to
HorsesEatHay or something of the same style.

The same goes for passwords: while it may be easy to guess a password as "
_phrase_ " it suddenly becomes a lot more difficult to randomly attempt
guesses at " _7_-Az!e_ ".

Eventually I think we'll all be forced to use two factor authentication for
added security. Here the user is mostly safe from their own ignorance where
the danger of having credentials stolen is more prominent in the form of Man
in the Middle attacks.

------
napoleoncomplex
As with normal passwords, you will have people completely disregarding any
advice on what a password should look like. People will just slowly learn that
having a faulty security system on the web is the same as it is in real life.
You don't put a curtain as your front door, and you shouldn't put "Harry
Potter" as your passphrase, especially if you are holding a wand in your
Facebook photo.

In my case, I use multi-word passphrases with words from an obscure dialect of
a tiny European country's language. Being a dialect I grew up with, it has the
benefit of being easy to remember, and the obscureness of it means the phrases
themselves are more or less a random string of characters to any brute-force
attack. Not exactly a "best practice" for anyone but myself, but I'm happy
with it :).

------
16s
diceware is very good for this sort of password. I have no affiliation, but
would use it for passphrases if I needed to.
<http://world.std.com/~reinhold/diceware.html>
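Added example, not code from the Diceware page or from any commenter: the Diceware mechanics in code, with the entropy arithmetic that TheCapn's token argument above turns on. A Diceware list maps each roll of five dice (11111 through 66666) to one of 6^5 = 7776 words, so a passphrase of k words chosen that way carries k * log2(7776) bits, and a password of n characters chosen uniformly from an alphabet of size a carries n * log2(a) bits. The 36-word two-dice list below is constructed so the demo runs offline; a real passphrase must use the complete 7776-word list from the link. The dice are simulated with Python's `secrets` module; rolling physical dice, as the Diceware page recommends, removes the need to trust the machine's random number generator at all.

```python
# Added example (not from the original comment or the Diceware page).
import math
import secrets
from typing import Dict, List

# Constructed two-dice stand-in in the Diceware file layout ("ROLL word").
# The real list has 7776 entries keyed by five dice.
SAMPLE_LIST = """\
11 acorn
12 badge
13 cabin
14 delta
15 eagle
16 fable
21 gavel
22 hatch
23 igloo
24 jelly
25 kayak
26 lemon
31 mango
32 noble
33 olive
34 piano
35 quilt
36 radio
41 salsa
42 tulip
43 umbra
44 vivid
45 wafer
46 xenon
51 yacht
52 zebra
53 amber
54 bison
55 cider
56 dusty
61 ember
62 frost
63 gecko
64 honey
65 ivory
66 joker
"""


def rolls_to_index(rolls: str) -> int:
    """Treat a string of die faces (1-6) as a base-6 number: 11111 -> 0, 66666 -> 7775."""
    index = 0
    for ch in rolls:
        if ch not in "123456":
            raise ValueError("bad die face %r in %r" % (ch, rolls))
        index = index * 6 + (int(ch) - 1)
    return index


def parse_wordlist(text: str) -> Dict[str, str]:
    """Parse 'ROLL word' lines into a roll -> word map.

    Refuses lists that are not complete for their dice count: a missing
    entry would make some rolls unusable and skew the selection.
    """
    table: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # blank line or anything that is not an entry
        rolls, word = parts
        rolls_to_index(rolls)  # validates the die faces
        table[rolls] = word
    if not table:
        raise ValueError("empty wordlist")
    ndice = len(next(iter(table)))
    if any(len(r) != ndice for r in table) or len(table) != 6 ** ndice:
        raise ValueError("wordlist is not a complete %d-dice table" % ndice)
    return table


def roll_dice(ndice: int) -> str:
    """Simulate ndice fair dice with the OS CSPRNG (secrets, not random)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(ndice))


def generate(words: Dict[str, str], nwords: int) -> List[str]:
    """Pick nwords words, each by an independent dice roll."""
    ndice = len(next(iter(words)))
    return [words[roll_dice(ndice)] for _ in range(nwords)]


def entropy_bits(choices_per_token: int, ntokens: int) -> float:
    """Bits of entropy when every token is chosen uniformly and independently."""
    return ntokens * math.log2(choices_per_token)


if __name__ == "__main__":
    words = parse_wordlist(SAMPLE_LIST)
    print(" ".join(generate(words, 4)))
    print("6 Diceware words: %.1f bits" % entropy_bits(7776, 6))
    print("8 random printable ASCII chars: %.1f bits" % entropy_bits(95, 8))
```

The last two lines are the comparison behind the token argument: a six-word Diceware phrase (about 77.5 bits) beats an eight-character password drawn uniformly from the 95 printable ASCII characters (about 52.6 bits), but only because every word is drawn uniformly from the full list. A phrase the user composes from a handful of common words is a sample from a far smaller, non-uniform space, which is exactly what the paper's corpus search exploits.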

------
gizzlon
Interesting read.. Assuming people would choose random words in their
passphrases always seemed too simplistic and naive.

~~~
user24
It doesn't even have to be random, simply choosing "SimplyChoosing" or
"AssumingPeople" is way more secure than "ManchesterUnited" or "HarryPotter",
but still people are creatures of habit.

~~~
gizzlon
True, but when calculating entropy people often assume random choice of words

~~~
cpeterso
The system can let the user choose from a selection of random passphrases.

~~~
user24
massive reduction in entropy.

