- July 22, 2019
- Posted by: Dylan Baklor
- Category: Blog
Security Education – By Dylan “The Magician” Baklor
Don’t use long passwords, use short passphrases.
Passwords are a frustrating necessity for users as well as network administrators. Now, I imagine the first part of the article title may have caught you off guard, so let me elaborate. A password can be many things to different people: a child’s name with some birthday digits, some work-relevant terms, maybe some words spelled out with special characters and numbers. I don’t want to tell you not to use numerals and special characters, but the single biggest factor in a password being uncrackable is length. Not eight characters, but closer to thirty or more. This is where passphrases come in; here are some memorable and safe examples:
long passwords ARE great p455w0rd5
So now that you know the how, I’d like to briefly touch on the why. Password cracking can work a few different ways, but the primary piece of the puzzle is either an encrypted (hashed) password on a local machine or a password entry field on a remote, internet-facing computer. A local machine is preferable, but I have, in a laboratory environment, attacked a computer facing the internet and was able to log in. This is not a how-to per se, but to get deeper into the why we need to review password cracking basics. Once you have designated a target, you either intercept the encrypted password (no, I’m not going to show you how) or you start building notes on the remote target. At this point you can either build up a dictionary of possible passwords for a “dictionary attack” or you can “brute force” a target by guessing as many passwords as possible. A dictionary attack is mostly what the bad guys use to save time; it is also less demanding on computer hardware. Dictionary attacks use a word list and a trial-and-error methodology to guess a password. Brute force attacks can utilize an attacker’s computer processor or a bank of graphics cards (graphics cards [GPUs] are far faster). Tools like Hashcat guess passwords at random; there are others, but if you are curious to learn more, run a search query on Hashcat.
But Dylan, I hear you say, a passphrase is hard to remember. Well, it can be, so my advice is to make it relevant to you. Instead of using a password like Fluffy, add some flair like FluffyISaBLACKcat&sheLOVESme. For each letter added, consider that an attacker needs to guess whether it is a-z, upper or lower case, a special character, or a numeral. Can you see now what I mean? A password is great, but a passphrase is darn near uncrackable. I say near because given enough time anything is crackable. So, what do you do about that? That is the simplest solution of all: use a new password every so often, maybe every month or maybe every three months.
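To put numbers on the two points above (that a short dictionary word falls to a word list instantly, and that every added character multiplies the brute-force search space), here is an added example, not code from the original post. It estimates the character set an attacker must cover, the resulting keyspace in bits, and the worst-case time to exhaust it; the guess rate and the tiny word list are constructed assumptions for illustration only.

```python
import math
import string

# Constructed toy word list standing in for the dictionaries the post
# describes (real lists run to millions of entries).
TOY_WORDLIST = {"password", "fluffy", "123456", "letmein", "qwerty"}

# Assumed guess rate in guesses per second (roughly one GPU against a fast
# hash). This figure is an assumption for illustration, not from the post.
GUESSES_PER_SECOND = 1e11


def charset_size(secret):
    """Size of the alphabet an attacker must cover, based on the classes used."""
    size = 0
    if any(c.islower() for c in secret):
        size += 26
    if any(c.isupper() for c in secret):
        size += 26
    if any(c.isdigit() for c in secret):
        size += 10
    if any(c in string.punctuation or c.isspace() for c in secret):
        size += len(string.punctuation) + 1  # 32 symbols plus the space
    return size


def brute_force_bits(secret):
    """Keyspace in bits if every position is drawn uniformly from the charset."""
    return len(secret) * math.log2(charset_size(secret))


def years_to_exhaust(secret, rate=GUESSES_PER_SECOND):
    """Worst-case time to try the entire keyspace at the given guess rate."""
    keyspace = charset_size(secret) ** len(secret)
    return keyspace / rate / (60 * 60 * 24 * 365)


def dictionary_hit(secret, wordlist=TOY_WORDLIST):
    """True if a case-folded dictionary attack would find the secret outright."""
    return secret.lower() in wordlist


def assess(secret):
    """Summary a practitioner can compare across candidate passwords."""
    return {
        "length": len(secret),
        "charset": charset_size(secret),
        "bits": round(brute_force_bits(secret), 1),
        "years_to_exhaust": years_to_exhaust(secret),
        "in_wordlist": dictionary_hit(secret),
    }


if __name__ == "__main__":
    for candidate in [
        "Fluffy",
        "Fluffy1!",
        "FluffyISaBLACKcat&sheLOVESme",
        "long passwords ARE great p455w0rd5",
    ]:
        print(candidate, assess(candidate))
```

The point the numbers make is the one the post makes: adding a digit or a symbol widens the alphabet a little, while adding twenty more characters raises the keyspace by many orders of magnitude, and a passphrase that is not a single dictionary word is also out of reach of the word-list attack that finds Fluffy immediately.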
Hopefully I have intrigued you enough to develop your own unique passphrase.
Until next time, remember: lengthyPASSWORDsRsaferTHENshorterONES
-Dylan “The Magician” Baklor