“Password” is a Dirty Word
Take a moment to think about the really important passwords you use – maybe for your computer at work, email, financial information, or even the 'sa' account on SQL Server. How many characters long are they? Are they really all that difficult? Are they:
- Dictionary words?
- Words with a few numbers or symbols substituted in place for letters?
- Totally random combinations of letters, numbers, and symbols?
The last option is obviously the most secure choice, but it also happens to be the most difficult to remember. I’ve previously mentioned that I’m a big fan of KeePass, an open source password organizer/generator. It’s a great way to store all your passwords, and for my most sensitive information I have KeePass generate rather long passwords that are completely random. The pros and cons of this are that the passwords are extremely secure, but also nearly impossible to remember. Without an installed copy of KeePass handy, I can’t log in to those accounts from anywhere other than my home computer. I don’t see that as a problem for things like bank websites, as I can’t imagine the need to access them from anywhere other than home anyway. For other accounts, though, it might present more of an issue.
In my opinion, the happy medium between an easy to remember dictionary word and a much more difficult random sequence is a really long non-random sequence, at which point it isn’t as much a password anymore as it is a passphrase, and that term describes exactly how to come up with them. Take a sentence, capitalize each word, remove the spaces (or better yet keep the spaces and other punctuation if allowed), add a few numbers if there aren’t any already and voila, you’ve got yourself a reasonably strong passphrase. They’re easy to remember yet very difficult to crack given their length. I try to shoot for a length of around 30 characters, and I shudder when encountering systems with a maximum password length lower than that.
The term “passphrase” is nothing new and I can assure you I’m not saying anything that hasn’t already been said by someone else. I’m just surprised that it hasn’t become more commonplace in this, the era of choosing strong passwords. To me, “phrase” implies a much longer length than “word” and I think end users would get the hint if an account registration process prompted them to create a passphrase instead of a password. This could easily be enforced by requiring a minimum length of 15 to 20 characters.