Just another word or two – passphrases vs passwords

Last updated: 21 March 2014

We have blogged many miles of space about the dangers of protecting your business assets with a simple username and password solution. Now there is a new trend using passphrases as a beefed up type of authentication. The problem is, there’s not much meat to this solution.

Passphrases are basically a group of dictionary words strung together to form a multi-word password. It might seem like a more secure alternative – a hacker might be able to guess a one-word password, but let’s see him guess four! A recent study by the Computer Laboratory at the University of Cambridge suggests that, using dictionary attacks, cracking a passphrase may not be that challenging after all. A dictionary attack is a method where hackers use a software program to test the words or phrases that have the highest probability of being used until the password is discovered.

Because most users choose common, easy-to-remember words for passwords, the most often used password is “password”. Hackers know this and use it to their advantage. Although passphrases may be harder to guess than single-word passwords, they are by no means impervious.

The team from Cambridge University did some testing with Amazon’s now discontinued passphrase system, PayPhrase, and came up with some interesting findings. Using search engines to crawl the Web, they gathered a 20,000-word dictionary of movie titles, sports team names, proper nouns from Wikipedia and common expressions from sources such as Urban Dictionary. From that dictionary of 20,000, researchers were able to match 8,000 phrases from the portion of the Amazon PayPhrase list they were allowed to examine.

The Cambridge study showed that a high proportion of people ignore security advice about how to choose a passphrase, which warns against using famous quotations, titles or terms that can be guessed by intuition. Some of the passphrases found prove the point: boston red sox, patrick swayze, procter and gamble, and up the creek.
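As an added illustration (not code from this post or from the Cambridge study), here is a defender-side policy check that rates a passphrase by the work an attacker needs: a phrase found in a known-phrase dictionary is worth at most log2(dictionary size) guesses no matter how many words it has, while words not in such a dictionary are credited per word. The four phrases quoted above stand in for the 20,000-entry list, and the 7,776-word random list size is an assumption.

```python
import math
import re

# Constructed stand-in for the kind of phrase dictionary the Cambridge
# researchers assembled (movie titles, team names, proper nouns, idioms).
# These are the phrases quoted in the post; the real list held ~20,000 entries.
KNOWN_PHRASES = {
    "boston red sox",
    "patrick swayze",
    "procter and gamble",
    "up the creek",
}
KNOWN_PHRASE_DICT_SIZE = 20_000   # size of the Cambridge dictionary, from the post

# Assumption: size of a word list from which random words would be drawn.
RANDOM_WORDLIST_SIZE = 7776


def normalize(phrase: str) -> str:
    """Lower-case, drop punctuation and collapse spacing so 'Boston-Red_Sox!' still matches."""
    return " ".join(re.findall(r"[a-z0-9]+", phrase.lower()))


def guess_bits(phrase: str) -> tuple[str, float]:
    """Return (verdict, estimated bits of guessing work).

    A phrase in the known-phrase dictionary costs an attacker at most
    log2(dictionary size) guesses, regardless of its word count.
    Any other phrase is credited log2(wordlist size) per word, which assumes
    the words were chosen at random; for user-chosen words this is an upper bound.
    """
    norm = normalize(phrase)
    if not norm:
        return ("empty", 0.0)
    if norm in KNOWN_PHRASES:
        return ("known phrase", math.log2(KNOWN_PHRASE_DICT_SIZE))
    n_words = len(norm.split())
    return ("random words (upper bound)", n_words * math.log2(RANDOM_WORDLIST_SIZE))


def acceptable(phrase: str, min_bits: float = 40.0) -> bool:
    """Policy: reject any known phrase and anything below the bit threshold."""
    verdict, bits = guess_bits(phrase)
    return verdict != "known phrase" and bits >= min_bits
```

With these numbers a phrase from the 20,000-entry list rates about 14.3 bits, while four genuinely random words from a 7,776-word list rate about 51.7 bits.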

So the quick lesson here is that if you don’t want to be up a creek with the boston red sox and patrick swayze (creepy since he’s dead), then my advice to you is to look for stronger ways to secure your data and identities. We have advocated a lot in this blog for the need for strong authentication, and this post is no different. Increasing the number of steps or factors required to prove your online identity is still the best technology available to raise the level of protection over your login process.