Passwords

Password or Passphrase?

Whatever the name (Password, Key, Passphrase, Code, etc.), the sequence of characters used to encrypt your data serves the same purpose: to scramble your files so that their contents are protected.

So why set Passphrases against Passwords?

Simply because it is much easier to memorise selected passages of a song, lines of a poem or a play learnt at school, a short excerpt from a novel, a few words of a joke, etc., than a succession of 8 to 10 characters such as Yx0h%YFlq0 or v8kr*c?wH^. If memorising such a sequence is no problem for you, it will make an excellent Password, at least as strong as a Passphrase. But if you have to write it down somewhere to remember it, all the security gained from the complexity of such a Password will be undermined by the risk of its being discovered; do not underestimate attackers' talent and inventiveness!

The choice is yours. But whether you decide to use a Passphrase or a Password, please read the tips below on building strong Passwords and Passphrases. These tips also apply to the credentials Windows asks you for, starting with the session log-in.

CryptUp has only one limit: the inventiveness and confidentiality of your encryption keys!

 Some Fundamentals

You need to understand the difference between Password guessing and Password cracking.

Password guessing is when someone sits at the console, or at a remote machine, and tries different sequences by hand through the normal log-in or decryption dialogue. Guessing is slow, and a system such as Windows can lock the account after a few failures. To defeat guessing, do not use your name, first name, title or phone number, nor those of your relatives or your pet!

Password cracking is done offline: the attacker has obtained a copy of the data (an encrypted file, a stored password hash) and tests candidates against it on his own hardware, as fast as that hardware allows and without any lock-out to slow him down. An encrypted file that has left your machine can always be attacked this way.

A password can be a simple word such as "Encryption" or a sequence of random characters made of upper and lower case letters, numbers and symbols such as cZl0=_*V6.

It is obvious that the Password "Encryption" is easier to guess than the sequence cZl0=_*V6. Password crackers use several techniques, among them intelligent search, dictionary attacks and brute-force attacks that test every possible combination of characters. Given enough time, an attacker using such tools can crack any password. But cracking a strong password can take a large, a very large, amount of time!

With the computing power available when this page was written (2006), a strong password (see What makes a good Password below) of 8 characters would take an estimated 6 years to crack, whereas the same strong password of only 7 characters would take no more than 28 days! Not to mention simple passwords like "Encrypt", "John" or "pussycat", which would not resist more than a few seconds. Cracking speed grows with hardware, so such figures only shrink over time. It follows that one must respect a few simple rules when creating a Password or Passphrase.

Please note
On the x86 platform, each character of the usual US/Western European character set is stored in one byte (8 bits). So, in theory, to generate a 64-bit key you would type 8 characters (8 x 8 = 64), for a 128-bit key 16 characters (16 x 8 = 128), and so on. That is the theory! In practice, what counts is not how many bits a character occupies in memory but how many different values an attacker must try for each position. ASCII text uses only 7 of the 8 bits (the 8th is always 0), so even if every one of the 127 non-NULL 7-bit values could be typed (it cannot: many are control characters), 128 significant bits would already need a 19-character string (19 x 7 = 133), and each character would have to be searched among 127 values instead of 255 (the capacity of a byte once you exclude the NULL byte, the zero value generally used internally to mark the end of a string). The character sets you can actually type are smaller still: the 62 alphanumeric characters give about 5.95 bits per character (22 characters for 128 bits), and the 95 printable ASCII characters, symbols included, give about 6.57 bits per character (20 characters for 128 bits). This is one of the main reasons why it is essential to add symbols to your Passwords or Passphrases: every extra class of characters widens the set an attacker must search at every position.
Strictly speaking, this does not apply to CryptUp, which derives its own key from your Password or Passphrase. Nevertheless, the length of the Password or Passphrase remains an important security factor: a derived key can never contain more randomness than the text it was derived from.

 Password vs Passphrase

While no one can conclusively answer the question of whether Passphrases are stronger than Passwords, maths and logic suggest that a 5- or 6-word Passphrase is roughly as strong as a completely random 9-character Password, as long as you follow the rules set out in What makes a good Passphrase.

Since most people can remember a 6-word Passphrase more easily than a totally random 9-character Password, Passphrases seem to be the better choice.

In addition, by adding substitutions and misspellings to a Passphrase, users can significantly strengthen it, which is not possible with a totally random 9-character Password.

 What makes a good Passphrase

  • First, a Passphrase needs to be more than 4 words long, preferably at least 6, to be as strong as a totally random 9-character Password.

  • Second, the words should not be short. Short words can be cracked very efficiently with standard Password crackers.

  • Third, character substitutions and/or misspellings considerably strengthen the Passphrase (which is not possible with a Password). You can also include some spaces, and/or leave others out, to raise the level of strength even further. Prefer unusual substitutions: the common ones (a to @, e to 3, o to 0) are already built into crackers' rule sets and add little.

  • Fourth, the sentence need not be intelligible. In fact, a Passphrase is harder to crack if it is not, because attacks on phrases lean on the predictability of ordinary sentences.

  • Finally, using a combination of upper and lower case letters, and including numbers and symbols, is absolutely essential.
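The arithmetic behind the figures on this page (the 19-character string of the "Please note", the 7- versus 8-character cracking times, and the 5- or 6-word Passphrase against 9 random characters) can be worked through in a few lines. The following Python script is an added example written for this page, not CryptUp's code. The alphabet sizes are standard (95 printable ASCII characters, 62 alphanumerics); the guessing rate of ten million guesses per second and the two dictionary sizes (a 2,048-word everyday vocabulary and the 7,776-word Diceware list) are assumptions chosen for illustration, so the years it prints differ from the page's 6-year figure, whose rate is not stated.

```python
import math

# Alphabet sizes. Only the 95 printable ASCII characters (62 letters and
# digits plus 33 symbols, space included) can be typed on an ordinary
# keyboard; 127 and 256 are the storage capacities the "Please note"
# reasons about, not sets a user can actually draw from.
ALPHABETS = {
    "lowercase letters": 26,
    "alphanumeric": 62,
    "printable ASCII": 95,
    "7-bit ASCII minus NUL": 127,
    "full byte": 256,
}

# Assumed dictionary sizes for passphrases (assumptions, not from the page).
EVERYDAY_VOCABULARY = 2048   # roughly the common words a person would pick from
DICEWARE_LIST = 7776         # 6^5 words, the standard Diceware list size

GUESSES_PER_SECOND = 1e7     # assumed attacker speed for the timing example
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy, in bits, of `length` symbols chosen uniformly at random from
    `alphabet_size` symbols. A symbol can be a character (alphabet = character
    set) or a word (alphabet = dictionary); the formula is the same."""
    return length * math.log2(alphabet_size)


def symbols_needed(alphabet_size: int, target_bits: float) -> int:
    """Smallest number of symbols whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected exhaustive-search time: on average half the keyspace is tried
    before the right value is found."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def compare_password_to_passphrase(pw_len: int, pw_alphabet: int,
                                   words: int, dictionary_size: int) -> dict:
    """Return both entropies and whether the passphrase is at least as strong."""
    pw_bits = entropy_bits(pw_alphabet, pw_len)
    pp_bits = entropy_bits(dictionary_size, words)
    return {
        "password_bits": pw_bits,
        "passphrase_bits": pp_bits,
        "passphrase_stronger": pp_bits >= pw_bits,
    }


if __name__ == "__main__":
    # 1. Characters needed for 128 bits. 19 is the page's figure and assumes
    #    all 127 non-NUL 7-bit values are usable; real keyboards need more.
    for name, size in ALPHABETS.items():
        print(f"{name:22s} {math.log2(size):5.2f} bits/char,"
              f" {symbols_needed(size, 128):3d} chars for 128 bits")

    # 2. Why one character matters: 7 vs 8 vs 9 random printable characters.
    for n in (7, 8, 9):
        bits = entropy_bits(95, n)
        years = expected_crack_seconds(bits, GUESSES_PER_SECOND) / SECONDS_PER_YEAR
        print(f"{n} random printable chars: {bits:5.1f} bits,"
              f" {years:10.3f} years at {GUESSES_PER_SECOND:.0e} guesses/s")

    # 3. Passphrase vs. 9 random characters for the two assumed dictionaries.
    for words in (4, 5, 6):
        for name, size in (("everyday", EVERYDAY_VOCABULARY),
                           ("Diceware", DICEWARE_LIST)):
            r = compare_password_to_passphrase(9, 95, words, size)
            verdict = "passphrase stronger" if r["passphrase_stronger"] else "password stronger"
            print(f"{words} {name} words: {r['passphrase_bits']:5.1f} bits vs"
                  f" {r['password_bits']:5.1f} bits -> {verdict}")
```

Two things the run shows that the prose alone does not: with a 2,048-word vocabulary, 5 words (55 bits) fall just short of 9 random printable characters (about 59 bits) and 6 words (66 bits) clear them, which is exactly the "5 or 6 words" band above; and each character added to a random printable-ASCII password multiplies the expected cracking time by 95, which is the whole gap between the page's 28 days and 6 years.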

 What makes a good Password

Although it may take 6 years, with the computing power of 2006, to crack an 8-character password, a bad password can be cracked in a few seconds! So, what makes a good password, you will ask?

  • It must be at least 8 characters long.

  • It must be a sequence of random characters made of upper and lower case letters, numbers and symbols.

  • Preferably, the symbols should not be chosen only from those above the numbers on the keyboard (!@#$%^&*() on a US keyboard). Those are the first symbols attackers try.
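The rules in the two lists above can be turned into a mechanical check. The following Python functions are an added example, not part of CryptUp: they encode the page's rules (8 characters minimum, all four character classes, symbols not drawn only from the shifted digit row, more than 4 words and no short words for a Passphrase) and report every rule a candidate breaks. The set !@#$%^&*() is the shifted digit row of a US keyboard, an assumption about the layout; the sample Passwords and Passphrases tested are the page's own examples plus constructed ones.

```python
from __future__ import annotations

import string

MIN_PASSWORD_LENGTH = 8
MIN_PASSPHRASE_WORDS = 5       # the page says "more than 4 words"
MIN_WORD_LENGTH = 4            # "short words can be cracked very efficiently"

# Symbols produced by Shift + a digit on a US keyboard: the page warns that
# these are the first symbols attackers try. (Keyboard-layout assumption.)
SHIFTED_DIGIT_ROW = set("!@#$%^&*()")
SYMBOLS = set(string.punctuation)      # the 32 printable ASCII symbols


def character_class_problems(text: str) -> list[str]:
    """Rules common to Passwords and Passphrases: both cases, digits, symbols,
    and symbols not confined to the shifted digit row."""
    problems = []
    if not any(c.islower() for c in text):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in text):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in text):
        problems.append("no digit")
    used_symbols = {c for c in text if c in SYMBOLS}
    if not used_symbols:
        problems.append("no symbol")
    elif used_symbols <= SHIFTED_DIGIT_ROW:
        problems.append("symbols taken only from the shifted digit row !@#$%^&*()")
    return problems


def check_password(password: str) -> list[str]:
    """Return the list of rule violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    return problems + character_class_problems(password)


def check_passphrase(passphrase: str) -> list[str]:
    """Return the list of rule violations for a Passphrase."""
    problems = []
    words = passphrase.split()
    if len(words) < MIN_PASSPHRASE_WORDS:
        problems.append(f"fewer than {MIN_PASSPHRASE_WORDS} words")
    # Judge word length on the letters, not on attached punctuation.
    short = [w for w in words if len(w.strip(string.punctuation)) < MIN_WORD_LENGTH]
    if short:
        problems.append("short words: " + ", ".join(short))
    return problems + character_class_problems(passphrase)


if __name__ == "__main__":
    # The page's own examples, plus constructed ones.
    for pw in ("Yx0h%YFlq0", "cZl0=_*V6", "Encryption", "John"):
        print(f"password   {pw!r:16} -> {check_password(pw) or 'OK'}")
    for phrase in ("The quick brown fox",
                   "Corr3ct horse batt3ry staple Outside?"):
        print(f"passphrase {phrase!r} -> {check_passphrase(phrase) or 'OK'}")
```

Note that Yx0h%YFlq0, the page's own example of a hard-to-remember Password, trips the last rule: its only symbol, %, sits on the shifted digit row. cZl0=_*V6 passes because = and _ come from elsewhere on the keyboard. The check can only enforce the rules that are mechanical; it cannot tell a random sequence from a memorable one, so it says nothing about the "random characters" rule beyond the class mix.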

Bibliography: Jesper M. Johansson, Ph.D., ISSAP, CISSP, Security Program Manager, Microsoft Corporation, "The Great Debates: Pass Phrases vs. Passwords", http://www.microsoft.com/technet/community/columns/secmgmt/sm1004.mspx

See also

Should I save my keys?

Decrypt the selected items

Shred the selected items


Copyright © 2006 CryptUp Soft. All rights reserved.