On its face, the difference between a password and a passphrase is just terminology. A password is typically around 8 characters long and meets the necessary complexity requirements, for example "Panthers1!". A passphrase, by contrast, turns your password into a sentence, including spaces and punctuation as necessary. An example of a passphrase is "I love the Carolina Panthers!" (You will have to forgive us; we are proud to be a Charlotte-based firm.)
Getting a user to change their password from "Panthers1!" to a passphrase like "I love the Carolina Panthers!" requires more than simply changing your logon prompt to say "enter passphrase" instead of "enter password". Changing the terminology alone is unlikely to achieve much for your security. Most users will not even notice the change and will stick with "Panthers1!" because that is what they are familiar with.
With that said, getting users to actually start using passphrases is a major undertaking. We would recommend driving adoption through security awareness training and by increasing the minimum password length across your organization. The typical password is approximately 8 characters, while with passphrases you can set the minimum to 14 or more characters. Complexity should still be required: a space is counted as a symbol, and if you want users to enter a phrase there will be punctuation. Here is a good write-up on the difference: https://www.passworddragon.com/password-vs-passphrase. Again, the main difference comes from the length of the password.
Here is an example chart (http://i.imgur.com/gfYw57t.png) that shows the different lengths of time it would take to conduct a pure brute force attack depending on the entropy, length, and attacker's technological capability. These times represent the longest possible length of time it would take for an attacker to crack a password of a particular length with 100% certainty. By definition, it takes half the listed time to crack an average password.
The important line to note is this one: with an 8 character password drawing on all standard lower alpha, upper alpha, numeric, and symbol characters (94 bits of entropy), and an attacker with moderate capability by today's standards (multiple GPUs, botnets, VM farms, etc.) attempting 1 billion hashes per second, he or she would absolutely crack the password within 1.7 months (51 days), and on average it would take 25.5 days. (Note that this chart is a few years dated; with our password cracking rig, we can get any 8 character password within 3 days.) When you increase that to a 14 character password, the number increases to 157 billion years. Taking into account that passwords are changed every 90 days, it reasonably follows that an attacker would absolutely be able to crack an 8 character password before it is changed.
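To make the chart's reasoning reproducible, here is a small calculator written for this article (it is not the chart's own code, and it does not reproduce the chart's exact figures, whose rate and character-set assumptions are not published with it). It assumes the 94-character printable ASCII set (26 lower, 26 upper, 10 digits, 32 symbols) and a constructed attacker rate of 1 billion hashes per second, and it derives keyspace, entropy in bits, worst-case time (the whole keyspace) and average time (half the keyspace) for each length, so you can see how the numbers scale from 8 to 14 characters.

```python
import math

# Constructed assumptions for this example (not values from the chart):
CHARSET_FULL = 26 + 26 + 10 + 32   # 94 printable ASCII characters
RATE_MODERATE = 1e9                # 1 billion hashes/sec, "moderate" attacker
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password, in bits: log2 of the keyspace."""
    return length * math.log2(charset_size)


def worst_case_seconds(charset_size: int, length: int, hashes_per_sec: float) -> float:
    """Time to exhaust the whole keyspace, i.e. to crack with 100% certainty."""
    return keyspace(charset_size, length) / hashes_per_sec


def average_seconds(charset_size: int, length: int, hashes_per_sec: float) -> float:
    """Expected time for a random target: half the keyspace on average."""
    return worst_case_seconds(charset_size, length, hashes_per_sec) / 2


def crack_times(length: int, charset_size: int = CHARSET_FULL,
                hashes_per_sec: float = RATE_MODERATE) -> dict:
    """Summarise the brute-force cost of one password length."""
    worst = worst_case_seconds(charset_size, length, hashes_per_sec)
    return {
        "length": length,
        "bits": entropy_bits(charset_size, length),
        "worst_days": worst / SECONDS_PER_DAY,
        "avg_days": average_seconds(charset_size, length, hashes_per_sec) / SECONDS_PER_DAY,
        "worst_years": worst / SECONDS_PER_YEAR,
    }


def human_time(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


if __name__ == "__main__":
    print(f"{'len':>3} {'bits':>6} {'worst case':>22} {'average':>22}")
    for n in (8, 10, 12, 14):
        worst = worst_case_seconds(CHARSET_FULL, n, RATE_MODERATE)
        avg = average_seconds(CHARSET_FULL, n, RATE_MODERATE)
        print(f"{n:>3} {entropy_bits(CHARSET_FULL, n):>6.1f} "
              f"{human_time(worst):>22} {human_time(avg):>22}")
```

At the assumed rate the 8 character keyspace is exhausted in roughly 70 days (about 52 bits), while 14 characters (about 92 bits) takes on the order of 10^11 years; the gap between that and the chart's 51 days and 157 billion years is the chart's unpublished assumptions, not a different conclusion. Each added character multiplies the cost by 94, which is why length dominates every other lever in the policy.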
All of those metrics are based on a pure brute force attack, which is an attacker's last ditch effort when cracking passwords offline. With dictionary attacks, password mangling rules, mask attacks, and hybrid attacks, the work can be done far more intelligently. When we perform AD password analysis for clients, we consistently crack roughly 60% of passwords of 8 characters or fewer within a day or two. This is because it is human nature to build passwords from a dictionary word, name, location, or pattern. Increasing the minimum password length helps to technically compensate for the human factor in password creation.
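The defensive counterpart to the dictionary and mangling attacks just described is a policy check that enforces the 14 character minimum from earlier, counts a space as a symbol, and rejects the "single dictionary word plus padding" shape that cracking rules target. The validator below is an added example written for this article, not a product of the firm or of any directory product; its denylist is a constructed handful of words standing in for the large wordlists a real deployment would load.

```python
import re

MIN_LENGTH = 14  # the passphrase minimum recommended above

# Constructed, deliberately tiny denylist. A real deployment would load a
# large cracking wordlist (plus local terms such as the company and city name).
COMMON_WORDS = {"panthers", "charlotte", "password", "summer", "welcome", "football"}


def character_classes(pw: str) -> set:
    """Which of the four classes the password uses. A space is a symbol."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")   # punctuation and space both land here
    return classes


def core_words(pw: str) -> list:
    """Lowercased alphabetic runs: 'Panthers1!' -> ['panthers'],
    'I love the Carolina Panthers!' -> ['i', 'love', 'the', 'carolina', 'panthers']."""
    return [w.lower() for w in re.findall(r"[A-Za-z]+", pw)]


def check_password(pw: str) -> list:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(pw)) < 3:
        problems.append("fewer than 3 of the 4 character classes (lower, upper, digit, symbol/space)")
    words = core_words(pw)
    # One denylisted word wrapped in digits/symbols is exactly what a
    # dictionary attack with mangling rules recovers first.
    if len(words) == 1 and words[0] in COMMON_WORDS:
        problems.append(f"single dictionary word '{words[0]}' with padding")
    return problems


if __name__ == "__main__":
    for candidate in ("Panthers1!", "I love the Carolina Panthers!", "ilovethepanthers"):
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

Note that a multi-word passphrase passes the dictionary check even though every word in it is common; that is the intended trade, because the length requirement is what pushes it out of brute-force reach, and a realistic deployment would add a check against known-breached passwords rather than a longer wordlist.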
If the change from passwords to passphrases is accomplished and enforced, it will be a major step forward in protecting your organization.
Reference for password length:
Additional references for current cracking speeds: