17 November 2019, Kevin Watzal

Since xkcd is a very popular comic, I am pretty sure you know this one. What is its main message? Let’s find out!

Tell me a random word

If I ask you to tell me the first word that comes to your mind, you would say something like “idea”, “word” or even “ehm”, rather than “P4sSw0Rd”, “?let_me_in_000!” or “test1234”. Part of this is that saying your own password out loud is a bit obvious, but maybe you would also object: “That is more than one word!”. Why is it not a word? A number or a special character will most probably be counted as a word of its own, which is completely correct in linguistics.

What is a word?

According to the Cambridge Dictionary a word, in contrast to a sound or a syllable, is something that has an objective meaning. Yes, the meaning of a word can change with the way you pronounce it. Screaming “OKAY” means something different from whispering “okay”, but try teaching that to a machine. The point is that asking for a pass-word implicitly forbids numbers, spaces or emojis. So when a service wants you to choose a password but does not allow (some) special characters or spaces, it is at least technically consistent with the term; forcing you to use a number, on the other hand, contradicts it.

What is a passphrase?

“A phrase is a group of words”, says the Cambridge Dictionary! So a passphrase can be a group of passwords, can’t it? When you now ask people to tell you a phrase, you may hear “Hakuna Matata”, “Once in a blue moon” or “Oh, okay, I can do this!”. It will be longer and also easier to remember.

What I still see

I still see way too many restrictions on registration forms.

“Please use at least 8 characters” - makes sense!

“Please use at least one lower case character” - No problem with that!

“Please use at least one upper case character” - Yes, of course!

“Please use at least one number” - I … understand.

“Please use at least one special character” - Ehm, okay.

And two more, which are horrible:

“Do not use these characters: ‘$”%_ ’ or whitespaces” - I think you are storing passwords wrong: a service that only ever salts and hashes the passphrase has no reason to fear any character.

“Your passwords should not exceed X characters” - I would like to know why! The only good reason is a hash function that truncates its input, as bcrypt does at 72 bytes, and then the limit should be stated honestly rather than hidden behind a small X.

What do the big guys do?

Google only wants you to use 8 characters, where one of them must be a number and one of them must be a special character. There are approximately 90 characters you can use, and 90 to the power of 8 is about 4.3 × 10^15 combinations. That is a lot of time using only brute force.

Facebook wants you to use 6 characters with at least one letter, one number and one punctuation mark. 90 to the power of 6 (about 5.3 × 10^11) is a lot less, but still secure enough.

Amazon? Amazon only wants 6 characters from you, which would give you the opportunity to really only use a word by the definition of a word. That is 26 to the power of 6, about 309 million combinations, which would reveal your passphrase within two days in the worst case if an attacker really wants to. (Two days works out to roughly 1,800 guesses per second, which is an online guessing rate; an attacker holding a stolen database of hashed passwords tries orders of magnitude more per second, and the same space falls far faster.)

But section 5.1.1.1 of NIST SP 800-63B has rules about memorized secrets, and the only restriction is that a user must use at least 8 characters, regardless of which characters it is made of. The verifier rules in section 5.1.1.2 go further: no composition rules at all, at least 64 characters permitted, every printable character and the space accepted, and a check of the chosen secret against a list of commonly used or breached values.

What can you do with a phrase instead of a word?

Take your favorite book, open a random page and use the first sentence you find. Will it have more characters than your current password? Unless you had bad luck or already use a very good passphrase, I’d say YES.

Take a song you really like, take the chorus, and abbreviate parts of the sentence with things you associate with the service the passphrase is for.

Take a movie, a quote or a blog post. Anything you can think of that expands your thinking from a word to a sequence of characters that helps you remember!

Please consider

Using only lower-case characters caps the number of possibilities at 26 to the power of the length of the passphrase. A sequence that uses lower case, upper case, numbers and special characters draws from about 90 characters instead, which is roughly 3.5 times more per position; over a whole password that advantage multiplies, so an 8-character mix is about 3.5 to the power of 8, some 20,000 times harder to brute force than 8 lower-case characters. Length wins the same game far faster, though: every extra lower-case character multiplies the work by 26.
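To make the keyspace figures above and the “3.5 times” comparison concrete, here is an added Python example (written for this edit, not code from the post) that computes the size of each policy's search space, the effect of a must-contain-every-class rule, and the time to exhaust a space at a fixed guess rate. The alphabet sizes are the post's rough numbers (26 lower-case letters and about 90 printable characters, split here as 26 + 26 + 10 + 28); the rate of 1,800 guesses per second is an assumption chosen because it turns 26^6 into the two days the post mentions.

```python
"""Keyspace arithmetic for the password policies discussed above.

Added example, not code from the original post.  Alphabet sizes are the
post's own rough figures (26 lower-case letters, about 90 printable
characters); the guess rate is an assumption chosen to reproduce the
post's "two days" for a 6-letter password.
"""
import math
from itertools import combinations

LOWER, UPPER, DIGIT, SPECIAL = 26, 26, 10, 28   # assumption: 28 specials, 90 printable in total
PRINTABLE = LOWER + UPPER + DIGIT + SPECIAL
LOWER_AND_SPACE = LOWER + 1                      # a lower-case sentence with spaces


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct sequences of `length` symbols from the alphabet."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Keyspace size expressed in bits (log2)."""
    return math.log2(space)


def keyspace_with_composition_rule(length: int, classes=(LOWER, UPPER, DIGIT, SPECIAL)) -> int:
    """Sequences containing at least one symbol from *every* class.

    Counted by inclusion-exclusion over the disjoint classes: start from all
    sequences, subtract those missing one class, add back those missing two,
    and so on.  A "must contain upper, lower, digit and special" rule does
    not enlarge the search space; it removes part of it.
    """
    total = sum(classes)
    count = 0
    for k in range(len(classes) + 1):
        for missing in combinations(classes, k):
            count += (-1) ** k * (total - sum(missing)) ** length
    return count


def keyspace_ratio(big_alphabet: int, small_alphabet: int, length: int) -> float:
    """How many times larger the big alphabet's keyspace is at a given length."""
    return (big_alphabet / small_alphabet) ** length


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every sequence at a fixed guess rate."""
    return space / guesses_per_second


ONLINE_RATE = 1_800   # assumption: guesses/s that turns 26^6 into the post's "two days"

if __name__ == "__main__":
    policies = {
        "8 chars from ~90 (Google)":      keyspace(PRINTABLE, 8),
        "8 chars, every class required":  keyspace_with_composition_rule(8),
        "6 chars from ~90 (Facebook)":    keyspace(PRINTABLE, 6),
        "6 lower-case letters (Amazon)":  keyspace(LOWER, 6),
        "40-char lower-case sentence":    keyspace(LOWER_AND_SPACE, 40),
    }
    for name, space in policies.items():
        days = seconds_to_exhaust(space, ONLINE_RATE) / 86_400
        print(f"{name:32s} {entropy_bits(space):6.1f} bits  {days:10.3g} days at {ONLINE_RATE}/s")
    print(f"90 vs 26 per character: x{keyspace_ratio(PRINTABLE, LOWER, 1):.2f}; "
          f"over 8 characters: x{keyspace_ratio(PRINTABLE, LOWER, 8):,.0f}")
```

Two things the numbers show. First, the composition rule removes roughly half of the 90^8 sequences rather than adding any, and an attacker simply never tries the ones the rule forbids. Second, a 40-character lower-case sentence with spaces sits around 190 bits, far beyond 8 mixed characters at about 52 bits. The 1,800 guesses per second is an online rate that the server can throttle; an attacker holding a stolen hash database tries many orders of magnitude more, which is why a 6-letter space offers no protection there and why the stored hash itself must be slow. A sentence is not uniformly random, so a word-level attacker sees fewer bits than the character count suggests, but with nine or ten words the margin over any 8-character policy remains enormous.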

Recommendations

I really don’t see a problem with starting every passphrase you have with the same words and ending it with different words per service.

Let’s say I always use “Hi, I am Kevin and would really like to ” at the beginning. For social media I would use “connect and contact my best friends”. For my mail service I would use “check my emails and make business”. For a gaming platform I would use “buy games I will play once and never again”.

The base passphrase alone has 40 characters, which I can remember easily. You say the website requires a special character? Rephrase your sentence as a question and add a question mark. You need to add a number? Change the base passphrase to “Hi, I am Kevin and I was born on the 24th of September, and I would like to”. Yes, I know it is way too long and takes ages to type, but you know, it is really hard to guess or brute force.

But my main point is to get rid of the notion of a password. A sequence of characters that forbids spaces also closes the mindset, the way of thinking.

What I would like is to be able to use any character I like, and the only restriction a website should impose is a minimum length of the passphrase, which can be raised when the power of brute-force attacks increases.

My call to action

What I am trying to say is that you really should not use the word password anywhere in your software, neither in a user-facing application nor in configuration. It may be clear to you that a password could include whitespace, but think again: if you ask anybody at random to say a word, they will most probably not say more than one word, because you didn’t ask for a phrase.

If you are a developer or contribute somehow to build or deliver software:

Search through your applications for any passphrase restrictions. Rethink whether they really make sense and whether they really make guessing harder. Do these restrictions help your users? Definitely not in remembering passphrases. And as for security, dictionary attacks already apply rules that append numbers and capitalise letters, so composition rules buy far less than they appear to. If you cannot simply change it yourself, try to push the topic by referencing blog posts you find on the internet (there are plenty of them).
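What remains once the forbidden-character and unexplained maximum-length rules from the list above are dropped and only the minimum length the post asks for is kept: the check below is an added Python example written for this edit, not code from the author or from any real service. It enforces a minimum of 8 characters (NIST SP 800-63B section 5.1.1.1), a generous maximum of 256 (an assumption; NIST asks that at least 64 be permitted), and a blocklist of commonly used secrets (the short list is constructed for illustration), then salts and hashes the passphrase with PBKDF2-HMAC-SHA256 from the standard library. Unicode is NFKC-normalised before hashing so the same passphrase typed on two platforms verifies. Characters such as `$"%_'`, spaces and emoji are accepted because the secret is only ever hashed, never interpolated into SQL, a shell or a template.

```python
"""A passphrase check with no composition rules, plus salted hashing.

Added example for this post; not code from the author or from any real
service.  Only three rules: a minimum length (8, NIST SP 800-63B 5.1.1.1),
a generous maximum (256 here, an assumption; NIST asks for at least 64 to
be permitted) and a blocklist of commonly used secrets.  Every character,
including spaces, quotes, '$' and emoji, is accepted because the secret
is only ever hashed, never interpolated into SQL, shell or templates.
"""
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

MIN_LENGTH = 8
MAX_LENGTH = 256
PBKDF2_ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (assumption)

# Constructed blocklist for illustration; a real one holds the top entries
# of breach corpora and is checked the same way.
BLOCKLIST = {"password", "passw0rd", "12345678", "qwertyuiop", "hakuna matata", "iloveyou"}


def normalize(secret: str) -> str:
    """NFKC so that 'e' + combining accent equals the precomposed 'é'."""
    return unicodedata.normalize("NFKC", secret)


def check_passphrase(secret: str) -> Tuple[bool, str]:
    """Return (accepted, reason).  Length counts code points after normalization."""
    s = normalize(secret)
    if len(s) < MIN_LENGTH:
        return False, "too short"
    if len(s) > MAX_LENGTH:
        return False, "too long"
    if s.lower() in BLOCKLIST:
        return False, "commonly used"
    return True, "ok"


def hash_passphrase(secret: str, *, salt: Optional[bytes] = None,
                    iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256; the stored record never contains the secret.

    PBKDF2 does not truncate its input, unlike bcrypt, which ignores everything
    after 72 bytes; a truncating hash is the one defensible reason for a hard
    maximum length.
    """
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", normalize(secret).encode("utf-8"), salt, iterations)
    return f"pbkdf2-sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_passphrase(secret: str, stored: str) -> bool:
    """Recompute from the stored parameters and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2-sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", normalize(secret).encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    for candidate in ["P4sSw0Rd", "Hakuna Matata",
                      "Hi, I am Kevin and would really like to connect"]:
        print(f"{candidate!r}: {check_passphrase(candidate)}")
    record = hash_passphrase("pässwörd with $\"%_' and spaces 💡")
    print(record)
    print(verify_passphrase("pässwörd with $\"%_' and spaces 💡", record))
```

Note that “P4sSw0Rd” passes: the post's point is that length and a blocklist are the rules worth having, and a composition rule would not have made that string any harder for a rule-based dictionary attack. The `$`-separated record format is safe because the secret itself never appears in it, only hex digits and an integer.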

I really think it is a pity to restrict people who know what they are doing and want more security, but I hope this will change; I can already see some services asking for a passphrase.

Passphrase