Passwords vs Passphrases
It is practically impossible to use the internet for work without creating at least one password. Unfortunately, people tend to choose passwords that are simple enough for bad actors to guess. Last year, there was a whole epidemic of stolen Disney+ accounts, and the thefts were facilitated by easy-to-guess passwords. In response to modern password guessing attacks and brute-force attacks, organizations require users to follow specific policies for password creation in hopes of protecting accounts. Common password policies require a minimum of eight characters and one of every type of character. However, as illustrated through a popular XKCD comic, some passwords that conform to these policies can be weaker and harder to remember than passphrases. Passphrases are passwords that consist of multiple words separated by spaces. Last February, the FBI recommended the use of passphrases.
Recent research supports the use of passphrases as an alternative to typical passwords. The researchers Kanwardeep Singh Walia, Shweta Shenoy, and Yuan Cheng analyzed millions of passwords and compared them based on how hard they were to guess and how easy they were to remember. They concluded that “using passphrases as passwords is a promising way of achieving both security and usability” (page 7). They note that security and usability are often at odds with one another, and that complicated password policies tempt users into engaging in unsafe practices such as writing down passwords, reusing passwords, and munging passwords (page 1). Munge stands for Modify Until Not Guessed Easily. Password munging is the practice of replacing letters with numbers or other symbols. An example of a munged version of “example” is “3x4mpl3”. The researchers note that “munging a password does not make the password more secure” (page 5). Bad actors are very aware of habits like password munging.
The key to making a strong password is to maximize its entropy. In information theory, entropy is the amount of information contained in something. For their experiment, the researchers Walia, Shenoy, and Cheng used Shannon’s entropy as the metric for password strength. Sriram Vajapeyam provides a good overview of Shannon’s entropy. One way to think about entropy is to consider the possible combinations for a password. For example, suppose an employee uses a randomly generated three-digit PIN for authentication. There are ten possibilities for each digit (the numbers zero through nine), which means there are 10^3 = 1,000 possible combinations, and it would take someone 1,000 attempts to guess the correct PIN. Note that this is a particularly weak example by modern standards. If the PIN were part of a web interface, a bad actor could try every combination almost instantly. The PIN could be harder to guess if it is eight digits long, and it could be even stronger if it is not a PIN at all, but a password that accepts most of the characters on a keyboard. Passphrases are generally much longer than passwords, so a good passphrase can have a lot of entropy. The most recent Digital Identity Guidelines from the National Institute of Standards and Technology (NIST) recommend password policies that accept spaces and a maximum of 64 characters, two things necessary for nice long passphrases.
However, the entropy of a password does not solely depend on its length. According to the researchers Walia, Shenoy, and Cheng, a long password with repeating patterns, such as “passwordpassword”, does not reach its maximum entropy (page 4). According to Sriram Vajapeyam, entropy depends on both the number of possible values and the uniqueness of the information. Passwords that are frequently used or easy to guess, such as “password” or “qwerty”, have less entropy than unique passwords of the same length. Bad actors cycle through lists of common passwords when conducting brute-force attacks.
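As an added illustration (not code from the original article or from the researchers' study), the Python sketch below works through the entropy points above: the search space of a randomly chosen PIN or password, and a character-frequency Shannon entropy showing that “passwordpassword” gains nothing per character over “password” and that munging “example” into “3x4mpl3” leaves the measure unchanged. The function names, the 95-character printable-ASCII alphabet, and the two-entry common-password list are assumptions made for the example; the study's exact computation is not given on this page.

```python
import math
from collections import Counter

# Constructed sample list; the article names these two as frequently used.
COMMON_PASSWORDS = {"password", "qwerty"}


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a secret chosen uniformly at random:
    log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def shannon_bits_per_char(secret: str) -> float:
    """Shannon entropy H = -sum(p * log2 p) over character frequencies.
    Assumption: frequency-based form, used here for illustration."""
    counts = Counter(secret)
    total = len(secret)
    return -sum((n / total) * math.log2(n / total) for n in counts.values())


def max_bits_per_char(secret: str) -> float:
    """Upper bound for a string of this length: every character distinct."""
    return math.log2(len(secret))


def assess(secret: str) -> dict:
    """Summarise a candidate secret with the measures above."""
    return {
        "length": len(secret),
        "bits_per_char": round(shannon_bits_per_char(secret), 3),
        "max_bits_per_char": round(max_bits_per_char(secret), 3),
        # A listed password is guessed first, whatever its character mix.
        "on_common_list": secret.lower() in COMMON_PASSWORDS,
    }


if __name__ == "__main__":
    # Search space of uniformly random secrets (10 digits vs. 95 printable ASCII).
    print("3-digit PIN:", round(search_space_bits(10, 3), 2), "bits")
    print("8-digit PIN:", round(search_space_bits(10, 8), 2), "bits")
    print("8 printable chars:", round(search_space_bits(95, 8), 2), "bits")
    # Repetition and munging do not raise the per-character measure.
    for s in ("password", "passwordpassword", "example", "3x4mpl3", "qwerty"):
        print(s, assess(s))
```

The search-space figures only hold for secrets chosen at random; the frequency measure and the list check show why a human-chosen string of the same length can fall well short of them.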
Passphrases are not guaranteed to have high entropy. It is just as easy to make a weak passphrase as it is to make a weak password. Mike Garcia of NIST notes that obvious combinations of words would be easy for attackers to guess. According to Garcia, an example of a bad passphrase would be one that lists the colors of the rainbow or the names of family members. Garcia notes that “passphrases should be words that can go together in your head, but no one else would ever suspect,” just like how a password should be something that is not obvious. The ultimate goal is not to make something that is just easy to remember, but something that achieves a balance between being easy to remember and being hard to guess.