The Pros and Cons of Passphrase Login
By Ryan Norchi
February 15, 2021
Every day, would-be and soon-to-be hackers alike gear up to break into the data of millions of people, while cybersecurity professionals are paid to bear down on them from the other side. In this ongoing struggle between those trying to steal private information and those whose job is to protect it, there remains one oft-overlooked yet vulnerable gap in the armor that no amount of money can fully close. Breaking into a well-built system without a valid credential is hard; guessing or reusing an end user's password often is not. The weak link in most information technology systems is the end-user password, and it remains difficult to ensure that every user on a network is creating secure passwords that are not also being reused across multiple other platforms.
In a push for more security at the front end of system authentication, many security organizations now recommend moving from the password to the passphrase (NIST's Digital Identity Guidelines, SP 800-63B, for instance, tell systems to accept long passphrases and to favor length over complexity rules). Passwords and passphrases are very similar save for one very important distinction: passphrases are longer. Once upon a time, the longest possible password on many systems was only 8 characters. Higher quality attack techniques, however, require higher quality defenses. The first line of defense is your password or passphrase. When you create an account, the system does not keep that secret as typed; it runs it through a process called hashing, and that is the second line of defense.
Hashing turns a user-created password of any length into a fixed-length string of characters. Regardless of how many characters went in, the output has the same length for every password hashed with the same algorithm (SHA-256, for example, always produces 256 bits, written as 64 hex characters). A good hash is practically irreversible, as in humanID's hashing algorithm: given the output, nobody can work back to the input except by guessing candidate inputs and hashing each one. Minor differences in the password also produce a completely different hash; changing a single letter of "hello" rewrites the entire result. For password storage the standard is a slow, salted hash (bcrypt, scrypt, Argon2 or PBKDF2) rather than a raw fast hash, so that every guess costs the attacker real time. Because the system keeps hashes rather than passwords, an attacker who steals the database still has to guess, which is why so many breaches of authenticated systems trace back to weak or reused passwords rather than to the hashing itself.
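The properties described above, shown in working code. This is an added example, not humanID's implementation and not code from the original article: SHA-256 is used to show fixed output length and the effect of a one-character change, and PBKDF2-HMAC-SHA256 with a random 16-byte salt stands in, by assumption, for whatever slow, salted password hash a real login system uses. The iteration count is an assumed work factor.

```python
# Added example (not humanID's code, and not code from the original article)
# showing the hashing properties described above: fixed output length, a
# completely different result for a one-character change, and verification
# without ever storing the plaintext. SHA-256 is used to show the properties;
# PBKDF2-HMAC-SHA256 with a random salt stands in, by assumption, for the
# slow, salted password hash a real login system should use.
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def sha256_hex(text: str) -> str:
    """Plain SHA-256 of the text as 64 hex characters, whatever the input
    length. Fine for showing hash properties; far too fast on its own for
    storing passwords."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'iterations$salt_hex$hash_hex'. A fresh 16-byte salt means two
    users with the same password get different stored values, so one
    precomputed table cannot attack the whole database at once."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time. The password is never recovered from `stored`; the only
    way to check a candidate is to hash it and compare."""
    iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    # One changed letter in "hello" rewrites the whole digest; the 21-character
    # passphrase hashes to exactly the same length as the 5-character word.
    for pw in ("hello", "hellO", "This is my passphrase"):
        print(f"{pw!r:25} -> {sha256_hex(pw)}")
    stored = hash_password("hello")
    print("stored record:", stored)
    print("login with 'hello':", verify_password("hello", stored))
    print("login with 'hellO':", verify_password("hellO", stored))
```

Run it and compare the three SHA-256 lines: the digests for "hello" and "hellO" share nothing recognizable, and the stored record for "hello" changes every time the script runs because the salt is fresh, even though verification still succeeds.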
There is increasing debate over whether passphrases are better or worse than traditional passwords. A passphrase is functionally a password, just one with a great many more characters. The rest of this article highlights the important pros and cons of switching to passphrases.
The clearest benefit of a passphrase is that it cannot practically be recovered by a brute force attack. A brute force attack checks every possible combination of characters until it hits your passcode. It is the hacking equivalent of guessing a friend's iPhone lock PIN by starting with 1111, then 1112, and so on (needless to say, a computer does this far faster). Every extra character multiplies the number of combinations by the size of the alphabet: by 10 for digits, by 26 for lowercase letters, by 95 for the full printable ASCII set. In other words, the cost grows exponentially with length, so each additional character is worth more than the one before it. Using only lowercase letters, a two-character passcode has 676 possible combinations and a three-character one has 17,576. Against pure brute force the predictability of the passcode is irrelevant; only its length and alphabet matter, and the only defense is to make the search so large that it becomes too slow or too expensive to finish. For this purpose a longer passphrase beats a shorter password no matter how predictable the phrase is: "This is my passphrase" (21 characters) takes far longer to exhaust by brute force than the 9-character password "3gM$p9s&m". (Predictability matters a great deal against the dictionary attacks discussed later.)
A passphrase can also be harder to guess than a password. A huge number of passwords are guessable by an actual human. Some studies have found that up to 6% of passwords are some form of the word "password" or the word "welcome." Even allowing for a zero in place of the letter O or a few digits tacked on the end, these remain very guessable passwords that would not require artificial intelligence to find, which makes sense given how little thought goes into creating many of them.
When tasked with creating a password, many people are quite unoriginal. If a predictable password is expanded into a passphrase, it becomes much harder to guess by hand or with cheap cracking tools. The password "pA$$woRd124" is easier to guess than the passphrase "passwoRd pa$$word PassworD pASSword," although rule-based crackers that apply case and symbol substitutions to a single base word narrow that gap considerably. If you are going to be uncreative with your passcode, you may as well use a passphrase, since it is at least more secure than an uncreative password.
Another point to remember is that while users left to their own devices create easy-to-remember passwords that may be easy to crack, system-generated passwords are much harder to crack. It is often argued that such passwords, assuming they are long enough to defeat brute force, make longer passphrases unnecessary. The problem with this argument is that system-generated passwords are random and therefore easy to forget. In most cases people have to write them down or store them somewhere; outside a password manager, that alone creates a security liability, not to mention what happens when the password is forgotten. For a password to be as hard to crack as a typical passphrase, it has to be much harder to remember than the passphrase would be.
Entropy, measured in bits, is essentially a measure of how many guesses an attacker who knows how a secret was chosen needs in order to find it: a secret picked uniformly from N equally likely possibilities carries log2(N) bits, and it is the attacker's knowledge of the choosing process that sets N. In these terms, long coherent sentences are easier to predict than short random strings. A password and a passphrase of similar entropy should usually leave the passphrase easier to memorize. Studies so far find the two roughly equal in memorability, though keep in mind that most people have more prior exposure to, and experience with, passwords.
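The brute-force arithmetic from the section above and the entropy comparison in this paragraph, carried through in working code. This is an added example, not from the original article: the guess rate (10 billion per second, a GPU rig against a fast unsalted hash) and the vocabulary sizes (10,000 words, and the 1,000 commonest words) are assumptions chosen for illustration. The point it makes is that the same string, "This is my passphrase", is worth about 138 bits to an attacker who only knows its length and alphabet but under 40 bits to one who assumes four common English words.

```python
# Added worked example of the brute-force arithmetic and the entropy
# comparison above. Example code, not from the original article; the guess
# rate and the vocabulary sizes are assumptions chosen for illustration.
import math
import string

LOWERCASE = len(string.ascii_lowercase)  # 26
PRINTABLE = 95                           # printable ASCII, space included
GUESSES_PER_SECOND = 1e10                # assumed: GPU rig vs. a fast unsalted hash


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an exhaustive search must cover: one more position
    multiplies the count by the alphabet size."""
    return alphabet_size ** length


def entropy_bits(candidates: int) -> float:
    """Entropy of a secret drawn uniformly from `candidates` possibilities."""
    return math.log2(candidates)


def seconds_to_exhaust(candidates: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return candidates / rate


def brute_force_bits(secret: str, alphabet_size: int = PRINTABLE) -> float:
    """Attacker model 1: knows only the alphabet and the length."""
    return entropy_bits(keyspace(alphabet_size, len(secret)))


def wordlist_bits(phrase: str, vocabulary_size: int) -> float:
    """Attacker model 2: knows the phrase is whole words from a vocabulary of
    the given size, separated by spaces. Only the word choices are unknown,
    so the same string carries far fewer bits than model 1 suggests."""
    return entropy_bits(keyspace(vocabulary_size, len(phrase.split())))


if __name__ == "__main__":
    print("2 and 3 lowercase letters:", keyspace(LOWERCASE, 2), keyspace(LOWERCASE, 3))
    password = "3gM$p9s&m"
    phrase = "This is my passphrase"
    rows = [
        ("password, brute force", brute_force_bits(password)),
        ("phrase, brute force", brute_force_bits(phrase)),
        ("phrase, 4 words from a 10,000-word list", wordlist_bits(phrase, 10_000)),
        ("phrase, 4 words from the 1,000 commonest words", wordlist_bits(phrase, 1_000)),
    ]
    for label, bits in rows:
        years = seconds_to_exhaust(2 ** bits) / (365 * 24 * 3600)
        print(f"{label:48} {bits:6.1f} bits  ~{years:.3g} years to exhaust")
```

The 9-character random password sits near 59 bits (about two years at the assumed rate), while the phrase drops from roughly 138 bits under brute force to about 53 bits under the 10,000-word model and under 40 bits under the 1,000-word model, where it falls below the password. Entropy is a statement about the attacker's model as much as about the secret.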
The first obvious drawback to using passphrases primarily stems from their novelty. Having had to switch over from a password to a passphrase for my university Gmail account, I can personally attest to how obnoxious it can be to come up with an entire 20+ character phrase that is entirely incoherent and linguistically nonsensical. The problem is exacerbated when changing such a password requires typing it out on all of the other devices and services that use the new passphrase. Try coming up with an unpredictable phrase 30 characters long, memorize the whole thing, then type it into your iPhone 6 times. Having only ever been exposed to passwords previously, the whole process of switching over to passphrases can be quite infuriating.
Studies have also shown that, while passphrases are typically no harder to remember than passwords, there are still "growing pains" when switching from one to the other. The growing pains take the form of typographical errors: users are not likely to forget their passphrase, they simply mistype it more often, mostly in the first few weeks of having it. The real problem is the effect this has on how users perceive their experience with passphrases. If a company makes its employees change their passwords to passphrases, the initial struggles are likely to have a lasting effect on how the change is viewed.
In reality, the theory that a longer passphrase of equal entropy will be easier to remember than its equivalent password does not always work out. Many people, when asked for a passphrase longer than any password they have ever had to memorize, pick something extremely relevant to them or otherwise easy to remember. The result is a passphrase that can actually be easier to guess outright, and easier still to crack with a dictionary attack.
A dictionary attack is a cracking technique that draws its candidates from a database of common words, names, quotes and phrases, and combinations of them, on the assumption that a password or passphrase is linguistically coherent and predictable. Most people use real words, a famous quote or a combination of names to make a longer phrase memorable. Forcing people to memorize more characters than they can handle therefore tends to make their passphrases more predictable, not less. A dictionary attack with a reasonably sized word list can crack a passphrase of real words more efficiently than it could an 8-character gibberish password: three words drawn from a 10,000-word list give 10^12 combinations to try, while 8 random printable characters give 95^8, roughly 6.6 × 10^15.
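The dictionary attack described above, run against the hash of a passphrase built from common words. This is an added example, not from the original article. The 30-word list and the target phrase are constructed for illustration (a real attacker uses lists of tens of thousands of words, names and quotes), the two mangling rules stand in for the far larger rule sets cracking tools ship with, and SHA-256 is used only so the demo finishes instantly: a slow password hash raises the cost of each guess but does not change how many guesses the attack needs.

```python
# Added demonstration of the dictionary (combinator) attack described above,
# run against the hash of a passphrase built from common words. Example code,
# not from the original article. The 30-word list and the target phrase are
# constructed for illustration; a real attacker uses lists of tens of
# thousands of words, names and quotes. SHA-256 is used only so the demo
# finishes instantly: a slow password hash raises the cost of each guess but
# does not change how many guesses the attack needs.
import hashlib
import itertools
from typing import Callable, Iterable, List, Optional, Tuple

# Constructed word list: a few common English words and well-known weak
# passwords. Index order matters for the guess counts reported below.
COMMON_WORDS: List[str] = [
    "the", "this", "is", "my", "password", "passphrase", "love", "summer",
    "welcome", "dragon", "monkey", "letmein", "football", "iloveyou",
    "sunshine", "princess", "qwerty", "master", "shadow", "baseball",
    "admin", "hello", "freedom", "secret", "hunter", "trustno1", "batman",
    "superman", "whatever", "starwars",
]

# Mangling rules applied to every candidate, the way cracking tools do, so
# that "This is my passphrase" is found from an all-lowercase word list.
RULES: List[Callable[[str], str]] = [lambda s: s, str.capitalize]


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def dictionary_attack(
    target_hash: str,
    words: Iterable[str] = COMMON_WORDS,
    max_words: int = 4,
    sep: str = " ",
    rules: Iterable[Callable[[str], str]] = RULES,
) -> Tuple[Optional[str], int]:
    """Try every ordered combination of 1..max_words words, under every rule,
    against the target hash. Returns (recovered phrase or None, guesses)."""
    words = list(words)
    rules = list(rules)
    guesses = 0
    for n in range(1, max_words + 1):
        for combo in itertools.product(words, repeat=n):
            base = sep.join(combo)
            for rule in rules:
                candidate = rule(base)
                guesses += 1
                if sha256_hex(candidate) == target_hash:
                    return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    phrase = "This is my passphrase"
    found, guesses = dictionary_attack(sha256_hex(phrase))
    print(f"recovered {found!r} after {guesses:,} guesses")
    # Compare with exhaustive search over printable ASCII:
    print(f"brute force of an 8-character gibberish password: {95 ** 8:,} candidates")
    print(f"brute force of the 21-character phrase:           {95 ** len(phrase):.3g} candidates")
    found, guesses = dictionary_attack(sha256_hex("3gM$p9s&m"), max_words=2)
    print(f"random password: recovered {found!r} after {guesses:,} guesses (gave up)")
```

With this list the 21-character phrase falls in about 114,000 guesses, fewer than a brute-force search of just four printable characters, while the 9-character random password is never produced by the word list at all. The size of the word list and rule set, not the length of the phrase, is what the attack's cost scales with.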
If the only way to remember a long passphrase is to use a popular quote, or relevant words in a linguistically coherent order, then the passphrase becomes less safe than a shorter but less predictable password (this is rare, but possible; popular quotes do appear in cracking word lists). A passphrase is also the natural choice where brute-force attacks are the main worry and the best defense is a "longer is better" mentality. A password can, however, still be made long enough to render brute force too inefficient to attempt, which would make the passphrase's extra length unnecessary for that purpose; in practice, because the cost of attacking each additional character grows exponentially, the extra length is cheap insurance.
In general, there is a time to switch over to passphrases and a time to stick with passwords. A brute force attack will almost never succeed against a passphrase of reasonable length, while a dictionary attack is only as effective as the passcode is predictable. Sometimes the drawbacks of a passphrase make it easier to crack, sometimes its length is too much for attackers to handle, and sometimes its only real effect is to bother the users.
To keep matters simple: a passphrase is most often going to be safer, and harder to crack, than a password, even though it runs the risk of being forgotten. It is also generally understood that many passphrases are just as easy to remember as most passwords despite being more secure. That said, do not be too predictable about the passphrase you choose, do not reuse it elsewhere, and do not be too worried about using a password for less important data.