Password or Passphrase?
Whatever the name, Password, Key, Passphrase, Code, etc., the sequence of characters used to encrypt your data serves the same purpose: jumble your files to protect their contents.
So why contrast Passphrases with Passwords?
Simply because it is much easier to memorise selected passages of a song, lines of a poem or a tragedy learnt at school, a short excerpt of a novel, a few words of a joke, etc. than a succession of 8 to 10 signs such as Yx0h%YFlq0 or v8kr*c?wH^.
If memorising such a sequence is not a problem for you, it will make an excellent Password, at least as strong as a Passphrase. But if you have to write it down somewhere to remember it, all the security brought by the complexity of such a Password will be compromised by the risk of having it discovered; do not underestimate hackers' talent and inventiveness!
The choice is yours. But whether you decide to use a Passphrase or a Password, please read the tips below on building strong Passwords and Passphrases. These tips also apply to the identification sequences asked for by Windows, starting with the session log-in.
CryptUp has only one limit: the inventiveness and confidentiality of your encoding keys!
Some Fundamentals
You need to understand the difference between Password guessing and Password cracking.
Password guessing is when someone sits at the console or at a remote machine trying different sequences. To avoid guessing, do not use your name, first name, title or phone number, nor those of your relatives or of your pet!
A password can be a simple word such as "Encryption" or a sequence of random characters made of upper and lower case letters, numbers and symbols such as cZl0=_*V6.
It is obvious that the Password "Encryption" is easier to guess than the sequence cZl0=_*V6. Password crackers use different techniques, among which intelligent search, attacks using a dictionary and brute force attacks testing all possible character combinations. If the hacker using such tools has enough time, he can crack any password. But cracking a strong password can take a large, a very large amount of time!
Given today's computing power, a strong password (see the definition below) made of 8 characters would theoretically take 6 years to be cracked! On the other hand, the same strong password, but made of only 7 characters, would take no more than 28 days to be cracked! Not to mention simple passwords like "Encrypt", "John" or "pussycat" that would not resist more than a few seconds! From this it follows that one must respect a few simple rules when creating his/her Password or Passphrase.
Please note
On the x86 platform, each character of the normal US/Western European character set is usually stored in a Byte (8 bits). So, to generate a 64-bit key, you will have to type in 8 characters (8x8=64). Thus, to generate a 128-bit password, you will have to enter a sequence of 16 characters (16x8=128), and so forth. Now that is the theory! In practice, if you only type in alphanumeric characters, those being coded on 7 bits (the 8th is always set to 0), generating a password with 128 significant bits requires a 19-character string. What's more, each character will have to be searched among 127 combinations instead of 255 (the maximum capacity of a Byte if you exclude the NULL BYTE, which stores a null value, or zero, and is generally used internally to indicate the end of a string). This is one of the main reasons why it is essential to add symbols to your Passwords or Passphrases.
However, this does not, strictly speaking, apply to CryptUp, which builds its own key from your Password or Passphrase. Nevertheless, the length of the Password or Passphrase remains an important security factor.
Password vs Passphrase
While no one can conclusively answer the question of whether Passphrases are stronger than Passwords, math and logic appear to show that a 5 or 6-word Passphrase is roughly as strong as a completely random 9-character Password, as long as you follow the rules formulated in What makes a good Passphrase.
Since most people are better able to remember a 6-word Passphrase than a totally random 9-character Password, Passphrases seem to be better than Passwords.
In addition, by adding some substitutions and misspellings to a Passphrase, users can significantly strengthen it, which is not possible with a totally random 9-character Password.
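To put numbers on the bits-per-character reasoning in the note above and on the 6-word-versus-9-character comparison in this section, here is an added Python example (it is not part of CryptUp or of this page); the character-set sizes and the 7776-word list are assumptions, not values from the page.

```python
import math

# Sizes of the character sets the page discusses (distinct symbols a
# character can take, which is what an attacker must search).
FULL_BYTE = 256        # page's theory: one byte = 8 bits per character
SEVEN_BIT = 128        # page: alphanumeric text "coded on 7 bits"
PRINTABLE_ASCII = 95   # typed keyboard set: letters, digits, symbols, space
LETTERS_DIGITS = 62    # letters and digits only, no symbols at all
WORD_LIST = 7776       # assumed size of a random-word list for passphrases


def bits_per_symbol(alphabet_size: int) -> float:
    """Entropy of one symbol chosen uniformly at random: log2(alphabet_size)."""
    return math.log2(alphabet_size)


def chars_for_bits(target_bits: int, alphabet_size: int) -> int:
    """Shortest random string over the alphabet that reaches target_bits.

    This is the page's 128 / 7 -> 19 computation, generalised to any
    alphabet size and target strength."""
    return math.ceil(target_bits / bits_per_symbol(alphabet_size))


def password_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of the given length."""
    return length * bits_per_symbol(alphabet_size)


def passphrase_bits(words: int, word_list_size: int = WORD_LIST) -> float:
    """Entropy of a passphrase whose words are drawn uniformly at random
    from a word list (the page's 5-6 word passphrase, under our assumed list)."""
    return words * bits_per_symbol(word_list_size)


def search_space_ratio(longer: int, shorter: int, alphabet_size: int) -> int:
    """How many times larger the brute-force space of a `longer`-character
    password is than that of a `shorter` one over the same alphabet."""
    return alphabet_size ** longer // alphabet_size ** shorter


if __name__ == "__main__":
    for name, size in [("8-bit byte", FULL_BYTE), ("7-bit", SEVEN_BIT),
                       ("printable ASCII", PRINTABLE_ASCII),
                       ("letters+digits", LETTERS_DIGITS)]:
        print(f"128 bits needs {chars_for_bits(128, size):2d} chars from {name}")
    print(f"8 vs 7 chars: {search_space_ratio(8, 7, PRINTABLE_ASCII)}x more work")
    print(f"9 random printable chars: {password_bits(9, PRINTABLE_ASCII):.1f} bits")
    print(f"6-word passphrase: {passphrase_bits(6):.1f} bits")
```

Note that dropping symbols (LETTERS_DIGITS) pushes the length needed for 128 bits from 16 to 22 characters, which is the page's argument for including symbols; a phrase taken from a known song or poem is not a uniform draw from a word list, so its real entropy is lower than `passphrase_bits` reports.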
What makes a good Passphrase
- First, a Passphrase needs to be more than 4 words long, preferably at least 6, to be as strong as a totally random password.
- Second, the words should not be short. Short words can be cracked very efficiently with standard Password crackers.
- Third, character substitutions and/or misspellings considerably strengthen the Passphrase (which is not possible with a Password). You can also include some spaces, and/or exclude others, to increase the level of strength even more.
- Fourth, the sentence need not be intelligible. In fact, it is harder to crack a Passphrase if it is not.
- Finally, using a combination of upper and lower case letters, and including numbers and symbols, is absolutely essential.
What makes a good Password
Although it may take 6 years, given today's computing power, to crack an 8-character password, a bad password can be cracked in a few seconds! So, what makes a good password, you may ask?
- It must be at least 8 characters long.
- It must be a sequence of random characters made of upper and lower case letters, numbers and symbols.
- Preferably, the symbols should not be selected from those above the numbers on the keyboard. Those are the first symbols attackers try.
Bibliography: Jesper M. Johansson, Ph.D., ISSAP, CISSP, Security Program Manager, Microsoft Corporation, "The Great Debates: Pass Phrases vs. Passwords". http://www.microsoft.com/technet/community/columns/secmgmt/sm1004.mspx
See also
- Should I save my keys?
- Decrypt the selected items
- Shred the selected items
Copyright © 2006 CryptUp Soft. All rights reserved.