Passwords Vs Passphrases… or; “Why your Operations and Security teams are wrong”

This is a bit of a ranty post about passwords vs passphrases and why there is still a huge gulf between what is best practice and what most people think is best practice, even among security professionals. I'm going to try to outline it here in a way that is both technically sound and still accessible to the general person, without resorting to words that make most people's eyes unfocus, like "entropy" and "mean time to crack".

If you finish reading this article and think "my company's password policy is stupid!" you're probably right, and feel free to forward this article to them. Together we can fix this issue one security/ops team at a time!

The ironic thing is that, when implemented correctly, the advice in this article makes their lives so much easier too! They'll thank you. Trust me! (Maybe leave out the "stupid" part. We'll keep that between us.)

The Problem

The core issue that causes this adversity between internal teams is the conflict between the two players' requirements and desires:

Ops/Sec Teams want:

  • To not have their network hacked from a brute forced password
  • Complex passwords
  • Long passwords
  • Frequent rotation of passwords
  • Ease of password management for their users
  • To not spend all day unlocking accounts because users have fat-fingered their password for the 20th time today.
  • To not have users write their passwords on sticky notes that they stick to their screen.

Users want:

  • To log into their stuff with minimal fuss
  • Short passwords
  • To not have to change their passwords every month/six months/ever.
  • To not have to remember a password that looks like a drunk mouse staggered across their keyboard and stopped halfway to take a dump

The issue that should be plainly obvious here is that many of these requirements are diametrically opposed to one another. This leads security teams to call their users "lazy" and "not understanding the issue", and users to call their sec/ops team "fascists who don't understand their needs and make their days harder".

The thing is that neither of them is right. Users don't want their stuff hacked, and the sec/ops team hate long stupid passwords as well, as evidenced by the number of domain admin passwords I've seen saved in text files or of the form "serverpa55w0rd2023".

The Solution

The most annoying part of the whole situation is that this issue has already been solved and is already part of the core best practice recommendations of the major standards bodies: NIST (in SP 800-63B, which explicitly advises against composition rules and forced periodic rotation), the UK's NCSC, and just about every other TLA you can think of.

That solution is the use of Passphrases.

Passphrases are superior to passwords in almost every single way. They are:

  • Generally easy to remember
  • Long enough that brute-forcing them character by character is out of reach for any foreseeable hardware
  • Immune to rainbow tables and other precomputed hash lists, and (as long as you don't pick a famous quote or song lyric) absent from the wordlists attackers feed their cracking rigs
  • Able to be reset at a far lower rate, say once a year, or even never if users are encouraged to use a unique one for work purposes

One caveat worth knowing before your sec team raises it: a cracker attacking a passphrase doesn't try every character combination, it guesses word by word from a dictionary. So the strength comes from how many words there are and how unpredictable the sentence is, not from the raw character count. An ordinary sentence of six or more words that isn't a well-known phrase is still far beyond what any attacker can exhaust.

A passphrase might take the form of something as simple as “My cousin Michael is a really skilled skiier!”

Let's look at that in terms of a password. It's:

  • 45 characters long
  • Contains a mixture of upper and lower case
  • Easy to remember
  • Contains punctuation.

Now try to get someone to remember the equivalent "traditional" password of the same length, say "bTUVXjL@wg.yE49jNXNHsmiMze6Ao3LLy.M8M6Cu-v.Tb".

There is zero chance that’s not ending up on a post it note in a large font glued to the side of a monitor.

You can even encourage people to make a work-specific one like "I think working at mega corp in the HR department sucks!!!" which they use nowhere else. The chances of this being cracked, or of it turning up in a breach of some unrelated website, are practically zero. But I bet you a million dollars the user will have zero trouble typing that every morning as they log into work.
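What a passphrase policy that follows this advice actually looks like in code, as an added example that is not part of the original post: length is the only hard requirement, there are no composition rules, and instead of forcing complexity the check normalises the candidate (lower-case, undo leet-speak) and compares it against a blocklist of known phrases. The 15-character minimum, the leet mapping and the tiny inline blocklist are all assumptions for illustration; a real deployment would load a breached-password list such as a Have I Been Pwned download.

```python
import re
import unicodedata

# Policy knobs (assumed values for this example). Length is the control;
# there are deliberately no "must contain a digit/symbol" rules and no
# expiry, in line with NIST SP 800-63B.
MIN_LENGTH = 15
MAX_LENGTH = 128

# Common leet-speak substitutions undone before blocklist comparison, so that
# "C0rrect H0rse" is caught by a blocklist entry for "correct horse".
LEET = str.maketrans("01345$@7", "oleassat")

# Constructed stand-in for a breached-password / famous-phrase list. Entries
# are matched as substrings of the normalised passphrase, so keep them long
# enough (6+ chars) not to fire on innocent sentences.
BLOCKLIST = [
    "correct horse battery staple",
    "to be or not to be that is the question",
    "password",
    "letmein",
    "qwertyuiop",
]


def normalise(phrase: str) -> str:
    """Lower-case, undo leet substitutions, drop punctuation, collapse whitespace."""
    s = unicodedata.normalize("NFKC", phrase).lower().translate(LEET)
    s = re.sub(r"[^a-z0-9 ]+", " ", s)
    return re.sub(r"\s+", " ", s).strip()


_BLOCKED = [normalise(p) for p in BLOCKLIST]


def check_passphrase(phrase: str) -> list[str]:
    """Return the list of policy violations; an empty list means 'accepted'."""
    problems = []
    n = len(phrase)
    if n < MIN_LENGTH:
        problems.append(f"too short: {n} characters, need at least {MIN_LENGTH}")
    if n > MAX_LENGTH:
        problems.append(f"too long: {n} characters, maximum is {MAX_LENGTH}")

    norm = normalise(phrase)
    hits = [b for b in _BLOCKED if b in norm]
    if hits:
        problems.append(f"contains a known/common phrase: {hits[0]!r}")

    # Catch "aaaaaaaaaaaaaaaa" and friends without imposing composition rules.
    if len(set(norm.replace(" ", ""))) < 4:
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    for candidate in [
        "My cousin Michael is a really skilled skiier!",
        "I think working at mega corp in the HR department sucks!!!",
        "Tr0ub4dor&3",
        "C0rrect H0rse Battery Stap1e!",
        "serverpa55w0rd2023",
    ]:
        verdict = check_passphrase(candidate) or ["OK"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Note what the checker does not do: it never rejects a 45-character random string for lacking a digit, and it never tells the user to change a passphrase on a schedule. The blocklist check is where the real work happens, because the phrases attackers try first are the ones everybody already knows.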

If you want to get fancy with it you can swap a couple of letters for numbers ("My c0usin Michael is a really skilled skii3r!"), but honestly it adds almost nothing: every password cracker applies exactly those substitutions as rules for free, so the attacker pays nearly no extra cost. The length is what matters. The brute force time on a password of this length on any foreseeable hardware is in the region of "the heat death of the universe", and even an attacker who guesses whole words instead of characters is still looking at an eight-word sentence that isn't in any wordlist.
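To put numbers on "heat death of the universe" without hand-waving, here is an added estimator (not from the original post) that compares the two ways an attacker can search for the example phrase: blind character-by-character brute force, and the word-by-word dictionary attack a real cracker would actually run. The attacker rate (a trillion guesses a second, roughly a GPU rig against a fast unsalted hash), the 20,000-word vocabulary and the four case/leet variants per word are all assumptions; slow hashes such as bcrypt or Argon2 cut the rate by several orders of magnitude.

```python
import re

# Assumed attacker model for illustration (not measured figures).
GUESSES_PER_SECOND = 1e12   # GPU rig vs. a fast unsalted hash (NTLM-class)
SECONDS_PER_YEAR = 365.25 * 24 * 3600
PRINTABLE_ASCII = 95        # character set for blind brute force
VOCABULARY = 20_000         # attacker's wordlist for a word-by-word attack
VARIANTS_PER_WORD = 4       # capitalisation / leet-speak variants tried per word


def brute_force_guesses(length: int, alphabet: int = PRINTABLE_ASCII) -> float:
    """Search space if the attacker must try every string of this length."""
    return float(alphabet) ** length


def word_attack_guesses(word_count: int, vocabulary: int = VOCABULARY,
                        variants: int = VARIANTS_PER_WORD) -> float:
    """Search space if the attacker guesses word by word, with a few variants per word.

    Leet substitutions are already counted in `variants`, so "c0usin" costs the
    attacker no more than "cousin".
    """
    return float(vocabulary * variants) ** word_count


def years_to_exhaust(guesses: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every guess at the assumed rate."""
    return guesses / rate / SECONDS_PER_YEAR


def count_words(phrase: str) -> int:
    """Count word tokens; digits inside a word ("skii3r") still count as that word."""
    return len(re.findall(r"[A-Za-z0-9]+", phrase))


def estimate(phrase: str) -> dict:
    """Worst case (blind brute force) vs realistic (word attack) exhaustion time."""
    chars, words = len(phrase), count_words(phrase)
    return {
        "chars": chars,
        "words": words,
        "brute_force_years": years_to_exhaust(brute_force_guesses(chars)),
        "word_attack_years": years_to_exhaust(word_attack_guesses(words)),
    }


if __name__ == "__main__":
    for phrase in [
        "My cousin Michael is a really skilled skiier!",
        "My c0usin Michael is a really skilled skii3r!",
        "Tr0ub4dor&3",
    ]:
        e = estimate(phrase)
        print(f"{phrase!r}: {e['chars']} chars / {e['words']} words -> "
              f"brute force {e['brute_force_years']:.1e} years, "
              f"word attack {e['word_attack_years']:.1e} years")
```

Under these assumptions the 45-character sentence sits around 10^69 years for blind brute force and around 10^19 years for the word-by-word attack. The second figure is fifty orders of magnitude smaller than the first, which is why the caveat matters, but it is still a billion times the age of the universe. The leet-speak variant gets the identical word-attack figure, and the short "clever" password falls in a fraction of a second to the same word attack.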

So in summary: complex, frequently rotating passwords are dumb. Stop using them. Switch to passphrases. They are superior in almost every way, require WAY less management and none of the scripting/infrastructure needed to police frequent rotation, and users will love you for it.

The next time your system admins insist on frequently rotating 12-char passwords, tell them they are dumb, their idea is dumb and they should be ashamed of themselves.

Then send them this article.

Well, maybe just that last bit. Either way sec/ops and users working together can ensure a safer better secured future. Which is what we all want.

This, of course, does not remove the benefits of 2-factor auth, which is powered by the tears of hackers, but that is a story for another day. One fight at a time.

Go forth and evangelise. Adventure awaits!