Passphrases
From Peyton Hall Documentation
Current revision (15:47, 5 June 2007) (view source) m |
|||
(4 intermediate revisions not shown.) | |||
Line 1: | Line 1: | ||
- | + | A passphrase is a long phrase used mostly in high-security encryption situations. It is usually a series of words, which singly would be very insecure due to being in a dictionary (and thus susceptible to a dictionary attack, where words are tried one at a time), however because they are grouped together they form a very secure phrase which is both easy to remember and very difficult to crack. Passphrases are commonly used for things such as encrypting [[GPG]] private keys, [[SSH]] keys, and can even be used for a standard Unix account - but only if everything which will access the account can handle the large passphrase instead of a smaller [[Passwords|password]]. | |
- | [[ | + | |
- | + | ||
+ | == Why a passphrase? == | ||
+ | A normal [[Passwords|password]] is usually short - between 6-15 characters. While a truly random password would be very secure, the truth is that most passwords are very insecure, mostly because of their length. A very secure password would be something like <tt>oF&18."#</tt> however that would be very difficult to remember (and not so easy to type). Most passwords end up being some kind of mnemonic, or otherwise easy to remember sequence, and therefore easier to guess by an attacker. If the password contains any part of a dictionary word, it can be brute-force attacked more easily, because many password guessing algorithms will start with dictionary words and modify them, trying each modification to see if the password has been guessed. | ||
+ | |||
+ | By comparison, a passphrase could be a simple string of dictionary words: '<tt>Now is the time for all good men to come to the aid of their country.</tt>' Though each word is in a dictionary, the string itself is more complex than the words (except that this particular string is well-known, and would be tried during a brute-force attack). Since it's a longer string and can have punctuation and spaces - and therefore less restrictions on content - it is sometimes much easier to think of a very secure passphrase than a secure password. You might choose something like '<tt>I love listening to Rush, but secretly I like to sing 99 Luftballoons</tt>' and as long as nobody knows that secret about you, they are not likely to crack your passphrase. | ||
+ | |||
+ | |||
+ | == Insecure passphrases == | ||
+ | As noted above, passphrases are sometimes easier to make secure because there's less restrictions on them (length, content, etc). However, it's just as easy to create very insecure passphrases: | ||
+ | * Very well known phrases | ||
+ | ** <tt>Now is the time for all good men to come to the aid of their country.</tt> | ||
+ | ** <tt>The quick brown fox jumps over the lazy dog.</tt> | ||
+ | * Lines from a movie | ||
+ | ** <tt>This is my rifle, this is my gun</tt> | ||
+ | ** <tt>Ray, if someone asks you if you are a god, you say YES!</tt> | ||
+ | * Lines from a song | ||
+ | ** <tt>On my ship, the Rocinante, wheeling through the galaxies; headed for the heart of Cygnus, headlong into mystery.</tt> | ||
+ | ** <tt>All in all it's just another brick in the wall.</tt> | ||
+ | ** <tt>Neunundneunzig luftballoons Auf ihrem Weg zum Horizont</tt> | ||
+ | |||
+ | These are bad choices because they would show up in a phrase book which could be used to try to brute-force your passphrase. No matter how obscure the lyric or line from a movie may be, if you know it then someone else does too - and that's good enough for it to be tried. However, something that you know, such as how you felt about a movie or a song, is not as likely to be known by all and therefore a much more secure passphrase. | ||
+ | |||
+ | |||
+ | == See also == | ||
+ | * [[Wikipedia:Pass phrase]] | ||
+ | * http://www.iusmentis.com/security/passphrasefaq/ | ||
+ | * http://www.pgpi.org/doc/faq/passphrase/ |
Current revision
A passphrase is a long phrase used mostly in high-security encryption situations. It is usually a series of words, which singly would be very insecure due to being in a dictionary (and thus susceptible to a dictionary attack, where words are tried one at a time), however because they are grouped together they form a very secure phrase which is both easy to remember and very difficult to crack. Passphrases are commonly used for things such as encrypting GPG private keys, SSH keys, and can even be used for a standard Unix account - but only if everything which will access the account can handle the large passphrase instead of a smaller password.
Why a passphrase?
A normal password is usually short - between 6-15 characters. While a truly random password would be very secure, the truth is that most passwords are very insecure, mostly because of their length. A very secure password would be something like oF&18."# however that would be very difficult to remember (and not so easy to type). Most passwords end up being some kind of mnemonic, or otherwise easy to remember sequence, and therefore easier to guess by an attacker. If the password contains any part of a dictionary word, it can be brute-force attacked more easily, because many password guessing algorithms will start with dictionary words and modify them, trying each modification to see if the password has been guessed.
By comparison, a passphrase could be a simple string of dictionary words: 'Now is the time for all good men to come to the aid of their country.' Though each word is in a dictionary, the string itself is more complex than the words (except that this particular string is well-known, and would be tried during a brute-force attack). Since it's a longer string and can have punctuation and spaces - and therefore less restrictions on content - it is sometimes much easier to think of a very secure passphrase than a secure password. You might choose something like 'I love listening to Rush, but secretly I like to sing 99 Luftballoons' and as long as nobody knows that secret about you, they are not likely to crack your passphrase.
Insecure passphrases
As noted above, passphrases are sometimes easier to make secure because there's less restrictions on them (length, content, etc). However, it's just as easy to create very insecure passphrases:
- Very well known phrases
- Now is the time for all good men to come to the aid of their country.
- The quick brown fox jumps over the lazy dog.
- Lines from a movie
- This is my rifle, this is my gun
- Ray, if someone asks you if you are a god, you say YES!
- Lines from a song
- On my ship, the Rocinante, wheeling through the galaxies; headed for the heart of Cygnus, headlong into mystery.
- All in all it's just another brick in the wall.
- Neunundneunzig luftballoons Auf ihrem Weg zum Horizont
These are bad choices because they would show up in a phrase book which could be used to try to brute-force your passphrase. No matter how obscure the lyric or line from a movie may be, if you know it then someone else does too - and that's good enough for it to be tried. However, something that you know, such as how you felt about a movie or a song, is not as likely to be known by all and therefore a much more secure passphrase.