It’s Time to Use Pass Phrases

As computers have become more powerful, short passwords have become increasingly useless. This story does a good job of driving home the point that short passwords are now close to meaningless:

The results are startling. Working against NTLM login passwords, a password of “fjR8n” can be broken on the CPU in 24 seconds, at a rate of 9.8 million password guesses per second. On the GPU, it takes less than a second at a rate of 3.3 billion passwords per second.

Increase the password to 6 characters (pYDbL6), and the CPU takes 1 hour 30 minutes versus only four seconds on the GPU. Go further to 7 characters (fh0GH5h), and the CPU would grind along for 4 days, versus a frankly worrying 17 minutes 30 seconds for the GPU.

And it doesn’t stop there:

It gets worse. Throw in a nine-character, mixed-case random password, and while a CPU would take a mind-numbing 43 years to crack this, the GPU would be done in 48 days.

Surely throwing symbols in there keeps you safe, right? Wrong! Take a seven-character, mixed-case/symbols random password like ‘F6&B is’ (note the space); that’s gotta be tough for a brute-force attack. Right? A CPU will take some 75 days to churn through the possibilities, while a GPU is done with it in 7 hours.

Basically, short passwords are worthless and offer little if any security against anyone who holds a copy of the password hashes. Of course this isn’t the end of the world, as other mitigations have been layered onto password-based authentication. Most systems throttle or lock an account after too many wrong guesses, and some devices, such as the IronKey, destroy their contents after too many failed attempts. Throttling greatly limits the rate of online guessing, but it does nothing once an attacker has a copy of the password hashes: cracking then runs on the attacker’s own hardware, at the rates quoted above, with no operating system in the way to slow it down.

Most systems also combine each password with a random value known as a salt before hashing it. The salt is stored next to the hash and is not secret, so it does not enlarge the keyspace an attacker has to search for any one password. What it does is make every stored hash a separate problem: a table of precomputed hashes for common passwords becomes useless, two users who picked the same password no longer share a hash, and each hash in a stolen file has to be attacked on its own. NTLM, the hash behind the figures quoted above, is unsalted, which is part of why those figures are so bad.
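To make the salt point concrete, here is an added example (not code from the original post) that contrasts an unsalted password store with a salted one. It uses SHA-256 as a stand-in for a real password hash because MD4, which NTLM uses, is not reliably available in Python’s hashlib; the wordlist and user passwords are constructed for the illustration.

```python
import hashlib
import os

# Constructed toy wordlist standing in for an attacker's dictionary.
WORDLIST = ["password", "letmein", "qwerty", "Summer2012", "fjR8n", "pYDbL6"]


def unsalted_hash(password: str) -> str:
    """Hash with no salt. NTLM works this way (MD4 over the UTF-16LE password);
    SHA-256 stands in here only because MD4 is not reliably available in hashlib."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Hash with a per-user salt. The salt is stored beside the digest and is not
    secret; its job is to make each stored hash a separate cracking problem."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def new_salted_record(password: str) -> tuple:
    """What a salted system stores when a user sets a password: (salt, digest)."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def build_lookup_table(words):
    """Attacker's one-time precomputation (a tiny rainbow-table analogue).
    Against unsalted hashes this table works for every user and every breach."""
    return {unsalted_hash(w): w for w in words}


def crack_unsalted(store, table):
    """store: {user: digest}. Each stolen digest costs one lookup and no hashing."""
    return {user: table[d] for user, d in store.items() if d in table}


def crack_salted(store, words):
    """store: {user: (salt, digest)}. No precomputed table applies, so every
    candidate word is re-hashed under each user's salt. Returns the recovered
    passwords and the number of hash operations spent."""
    recovered, work = {}, 0
    for user, (salt, digest) in store.items():
        for w in words:
            work += 1
            if salted_hash(w, salt) == digest:
                recovered[user] = w
                break
    return recovered, work


def demo():
    """Two users pick 'password'; one picks something outside the wordlist."""
    users = {"alice": "password", "bob": "password", "carol": "Tr0ub4dor&3"}

    # Unsalted store: identical passwords give identical digests, and the whole
    # store falls to a table the attacker built once, before the breach.
    unsalted_store = {u: unsalted_hash(p) for u, p in users.items()}
    table = build_lookup_table(WORDLIST)
    cracked_unsalted = crack_unsalted(unsalted_store, table)

    # Salted store: alice and bob no longer share a digest, and the attacker pays
    # up to len(WORDLIST) fresh hashes per user instead of a lookup.
    salted_store = {u: new_salted_record(p) for u, p in users.items()}
    cracked_salted, work = crack_salted(salted_store, WORDLIST)

    return {
        "unsalted_duplicates": unsalted_store["alice"] == unsalted_store["bob"],
        "salted_duplicates": salted_store["alice"][1] == salted_store["bob"][1],
        "unsalted_cracked": len(cracked_unsalted),
        "salted_cracked": len(cracked_salted),
        "table_hash_ops": len(WORDLIST),   # paid once, reused forever
        "salted_hash_ops": work,           # paid again for every user and breach
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20s} {value}")
```

The salted attacker still recovers both weak passwords, because the salt does not hide a bad choice. What changes is the economics: the unsalted table costs six hashes once and cracks any future dump with lookups alone, while the salted run costs eight hashes for three users and must be repeated from scratch for the next breach.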

It’s finally time to start using stronger passwords. This is difficult for many people, as few are going to remember a password like “8*7wFWE12@#$iwkf” or anything similar. This is where the idea of pass phrases comes into play: instead of a word, you use a sentence. A pass phrase like “This is my pass phrase which should be hard to brute force” is far harder to brute force character by character than a ten-character password, simply because it is so much longer. On the other hand, pass phrases are susceptible to dictionary attacks if the phrase you use is common: attackers guess word by word rather than letter by letter, so a well-known quotation or lyric is worth far less than its length suggests. Picking the words at random, and throwing in a few random characters for good measure, is still, well, a good measure.
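The arithmetic behind the cracking times quoted above, and the comparison with a random pass phrase, as an added example (not code from the original post). It reproduces the article’s 7- and 9-character figures from the stated GPU rate of 3.3 billion guesses per second, and then shows why a pass phrase of six words drawn at random from a 7776-word diceware-style list dwarfs a ten-character random password. The word-list size and the short toy word list are assumptions for the illustration.

```python
import math
import secrets
import string

# Guess rates quoted in the article above (NTLM, single CPU vs single GPU).
CPU_RATE = 9.8e6
GPU_RATE = 3.3e9

ALPHANUM = len(string.ascii_letters + string.digits)                    # 62 symbols
PRINTABLE = len(string.digits + string.ascii_letters + string.punctuation) + 1  # 95 (space included)

# Assumed size of a diceware-style word list (the EFF large list has 7776 words).
DICEWARE_WORDS = 7776


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of the given length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(keyspace_size: int) -> float:
    """Entropy of a *uniformly random* choice from the keyspace, in bits."""
    return math.log2(keyspace_size)


def seconds_to_exhaust(keyspace_size: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate; the expected time is half this."""
    return keyspace_size / guesses_per_second


def humanize(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def random_passphrase(words, count, sep=" "):
    """Pick `count` words uniformly at random with the OS CSPRNG. The entropy is
    count * log2(len(words)) bits however long the words are; a memorable
    quotation or lyric is not a random choice and earns no such guarantee."""
    return sep.join(secrets.choice(words) for _ in range(count))


def crack_time_table(rate=GPU_RATE):
    """Entropy and worst-case brute-force time for the password shapes quoted in
    the article plus a six-word random pass phrase, at the given guess rate."""
    rows = {
        "7 chars, mixed case + digits": keyspace(ALPHANUM, 7),
        "9 chars, mixed case + digits": keyspace(ALPHANUM, 9),
        "7 chars, all printable ASCII": keyspace(PRINTABLE, 7),
        "10 chars, all printable ASCII": keyspace(PRINTABLE, 10),
        "6 random diceware words": keyspace(DICEWARE_WORDS, 6),
    }
    return {name: (entropy_bits(n), seconds_to_exhaust(n, rate)) for name, n in rows.items()}


if __name__ == "__main__":
    for name, (bits, secs) in crack_time_table().items():
        print(f"{name:32s} {bits:6.1f} bits  {humanize(secs)}")
    # Constructed toy list, far too small for real use; a real list has thousands of words.
    toy_words = "correct horse battery staple orbit velvet canyon pixel".split()
    print(random_passphrase(toy_words, 6))
```

At the GPU rate, seven mixed-case alphanumeric characters fall in about 18 minutes and nine in about 47 days, matching the article; ten characters from the full printable set hold out for centuries, but six random diceware words (about 77.5 bits) take millions of years. The figures assume the attacker must search the whole keyspace, which is only true when the words really were chosen at random.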

I will be completely honest in saying that passwords and pass phrases are becoming less and less viable as a means of authentication. Some day we will have to move beyond them, but as of right now the easiest option is to make passwords harder to guess.