123456 is still the world’s most popular password, and also one of the most insecure. Passphrases offer an alternative to passwords: they are longer, yet easy to remember. But do they really offer better protection?
It takes attackers less than a second to crack simple passwords. Replacing letters with numbers or special characters does not necessarily make a password more secure. In so-called brute force attacks, attackers “guess” passwords by automatically trying combinations of characters until one matches, and then use it to gain access to private accounts. The shorter the password and the smaller the set of characters it is drawn from, the faster it is cracked.
Passphrases are a promising alternative. A passphrase is a combination of words, chosen as randomly as possible, that together form a phrase that can still be remembered. An example: “My grandma celebrates her 6th birthday on the 49th of France!”. If only a limited number of characters is allowed, you can restrict yourself to the initial letters and special characters: “MOfa49.Fi6-G”.
How passwords are cracked
In theory, passphrases should offer better protection because they are longer and more complex than conventional passwords. But is that really the case? To find out, it helps to look at how companies protect passwords and how attackers crack them.
Companies protect stored passwords by keeping only a “hash” of each one. A hash function converts input of any length into a string of fixed length and is designed to be one-way: the password cannot be recovered from the hash. So an attacker who steals a hashed password must hash many candidate passwords and compare each result with the stolen value. In principle, this gives the attacker little advantage over a pure brute force attack.
However, password cracking tools such as Hashcat can calculate billions of hashes per second on a single computer. By renting cloud computing capacity, this rate can be raised to tens of billions of hashes per second.
Alternatively, attackers can steal passwords by recording keystrokes or intercepting form entries on websites. Sophisticated social engineering techniques, such as phishing emails that impersonate well-known companies or close associates, are also used to obtain a user’s password. Even a thorough search of a PC hard drive can give an attacker access to a victim’s account.
Passphrases vs. passwords
While input sniffing and phishing work just as well against passwords as against passphrases, there may well be a difference when it comes to brute force attacks. With passphrases, the first step is to select three to five words that form a sentence which makes no sense but is easy to remember, for example “Correct horse battery bracket.” The greater length should make a successful brute force attack much more difficult. Or does it…?
While attacks on passwords are far more common, there are also a number of tools that can recover passphrases. The simplest option is to feed the password cracker Hashcat a list of predefined passphrases. One such list, containing almost 22 million known English phrases, is available on GitHub, for example.
The passphrase “better late than never” consists of 22 characters. By conventional length-based recommendations, that would count as a strong password. However, “better late than never” is one of the most common phrases in the English language and appears on line 18,636,796 of the passphrase list. The phrase “correct horse battery staple,” known from the online comic XKCD, appears even earlier, on line 1,976,239.
Of course, the order and number of words can be changed. But according to Zipf’s law, all human languages roughly follow the “80/20 rule”: about 80 percent of all text is made up of about 20 percent of the available words. In fact, the 100 most common words often account for half of a typical text. So if the top 1,000 words of a language are loaded into a password cracking tool, it can try every combination of three to five of those words in addition to every possible combination of characters. A passphrase is therefore not necessarily better than a complex password, and in some cases it is worse.
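The following added example (not code from the original article) models the word-combination attack described above: a constructed ten-word list stands in for the top 1,000 words, each ordered combination of up to four words is hashed with unsalted SHA-256 (modelling a fast, unsalted password hash) and compared with a stored hash. The guess count it returns is a direct measure of how little protection a phrase built from common words gives; the list and hash choice are assumptions for illustration.

```python
import hashlib
import itertools

# Constructed miniature "top words" list. A real attack uses the top 1,000
# words of a language; the mechanism and the counting are identical.
TOP_WORDS = ["the", "better", "late", "than", "never",
             "horse", "battery", "correct", "staple", "house"]


def phrase_hash(phrase: str) -> str:
    """Unsalted SHA-256 hex digest, standing in for a fast password hash."""
    return hashlib.sha256(phrase.encode("utf-8")).hexdigest()


def candidate_phrases(words, max_words=4, sep=" "):
    """Yield every ordered combination of 1..max_words words, shortest first."""
    for n in range(1, max_words + 1):
        for combo in itertools.product(words, repeat=n):
            yield sep.join(combo)


def keyspace(n_words: int, max_words: int) -> int:
    """Number of candidates a cracker must try at most: sum of n^k for k=1..max."""
    return sum(n_words ** k for k in range(1, max_words + 1))


def guesses_to_recover(stored_hash: str, words, max_words=4):
    """Hash each candidate and compare with the stored hash.

    Returns (phrase, guesses) on a match, or (None, total_guesses) when the
    phrase lies outside the word-combination space (e.g. a random word).
    """
    guesses = 0
    for phrase in candidate_phrases(words, max_words):
        guesses += 1
        if phrase_hash(phrase) == stored_hash:
            return phrase, guesses
    return None, guesses


if __name__ == "__main__":
    for secret in ["better late than never", "correct horse battery staple", "purple horse"]:
        phrase, n = guesses_to_recover(phrase_hash(secret), TOP_WORDS)
        print(f"{secret!r}: recovered={phrase!r} after {n} of {keyspace(10, 4)} guesses")
```

With a real 1,000-word list the four-word space is only about 10^12 candidates, which at the tens of billions of hashes per second quoted above is a matter of minutes.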
The strength of a password or passphrase is therefore determined not only by its length but also by its randomness. The following general guidelines help in choosing a strong one:
Do not choose the password yourself
A password manager generates truly random strings to use as passwords. For passphrases, there are also websites that suggest completely random words.
Do not reuse passwords
The theft of credentials from one provider should not endanger the security of other online accounts. Therefore, a separate password should be used for each website and service. Password managers are the only realistic way to keep track of them all.
Create long and random passwords or passphrases
Passwords should consist of more than 16 randomly chosen characters (ideally generated by a password manager), passphrases of four to five words. In any case, some letters should be replaced by numbers and special characters (Ko88ekte P1erde Ba??erie Kla%&er), or spaces should be placed in unusual positions, e.g. bes serz usp äta lsnie.
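To put the length-versus-randomness argument into numbers, here is an added example (not from the original article) that computes the entropy in bits of the strategies discussed on this page and the expected time to guess each at the 10 billion hashes per second quoted above. Assumptions: 95 printable ASCII characters for random passwords, the 1,000 most common words for a "common word" passphrase, and a 7,776-word diceware-style list for a random-word passphrase; a phrase found at line N of a phrase list is credited with at most log2(N) bits.

```python
import math

PRINTABLE_ASCII = 95          # assumption: printable ASCII characters for random passwords
TOP_WORDS = 1_000             # the top 1,000 words of a language
DICEWARE_WORDS = 7_776        # assumption: size of a standard diceware-style word list
HASHES_PER_SECOND = 1e10      # "tens of billions" of hashes per second, as cited above


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def rank_entropy_bits(rank: int) -> float:
    """A phrase at line `rank` of a phrase list needs at most `rank` guesses,
    i.e. it is worth no more than log2(rank) bits, whatever its length."""
    return math.log2(rank)


def expected_crack_seconds(bits: float, rate: float = HASHES_PER_SECOND) -> float:
    """Expected time to hit a secret of `bits` entropy: half the keyspace on average."""
    return (2.0 ** bits) / 2.0 / rate


def compare_strategies() -> dict:
    """Map each strategy to (entropy bits, expected crack time in seconds)."""
    cases = {
        "16 random printable characters": entropy_bits(PRINTABLE_ASCII, 16),
        "4 words from the top 1,000": entropy_bits(TOP_WORDS, 4),
        "5 words from the top 1,000": entropy_bits(TOP_WORDS, 5),
        "5 random diceware words": entropy_bits(DICEWARE_WORDS, 5),
        "'better late than never' (list line 18,636,796)": rank_entropy_bits(18_636_796),
        "'correct horse battery staple' (list line 1,976,239)": rank_entropy_bits(1_976_239),
    }
    return {name: (bits, expected_crack_seconds(bits)) for name, bits in cases.items()}


if __name__ == "__main__":
    for name, (bits, secs) in sorted(compare_strategies().items(), key=lambda kv: kv[1][0]):
        print(f"{name:55s} {bits:6.1f} bits  ~{secs / 86400:14.3g} days")
```

The 22-character phrase from a common-phrase list ends up near 24 bits, weaker than four words drawn from the top 1,000 (about 40 bits), while five genuinely random words (about 65 bits) and 16 random characters (over 100 bits) are in a different class entirely.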
Use multi-factor authentication (MFA)
Even the most complex passwords and passphrases can be stolen or guessed by brute force. In that case, only a second authentication factor, such as a time-based code in a mobile app, prevents attackers from gaining access to the account.