Passwords vs Passphrases Which Is Better For Your Security

Health IS Technology Blog

Passwords vs Passphrases: Which Is Better For Your Cyber Security?


Do you dread receiving that email—maybe once every three or four months—informing you that your login password will expire in the next few days, and it’s time to change it? Maybe you received that email sooner because of your organization’s digital security policies. Either way, you wait until the absolute last minute to change your password, because you just got used to your current one and you hate having to remember yet another obscure combination of numbers, letters, and symbols. With all the logins and online accounts you have, how can anyone remember all those different passwords? You’re not alone. Various studies on Americans and cybersecurity have been conducted over the past years, and our behavior toward online security has become more alarming. Here are some eye-opening statistics:

According to Gigya, 59% of people forget their passwords 1–5 times in a 12-month period.

25% of people use less secure passwords because they are easier to remember, according to Pew Research.

Pew Research also claims that 49% of people keep track of their passwords by writing them down on a piece of paper.

47% of people use passwords that are older than five years, according to Entrepreneur.

Beyond that, 21% of people use passwords that are over 10 years old.

And finally, according to SplashData, a few top passwords of 2018 were: 

  • 123456 
  • password 
  • qwerty 
  • football 
  • 1234567  

If you’re not shocked by any of these statistics, then you either work for IT, or you’re probably embarrassed because you might fit into one of the percentages above. Don’t worry. There are measures we can take to avoid being a statistic. 

Pass-Phrases

One way to remember long passwords with ease is to use pass-phrases. A pass-phrase is a sentence with a combination of letters, numbers, and symbols that is easier to remember.

List of passwords versus passphrases on graphic note-card

There is some debate over whether a pass-phrase is only slightly better than a long password, especially under a brute force hack (a trial and error method of attack using various generated guesses or alphanumeric combinations). However, from an end-user perspective, pass-phrases are easier to remember and could prevent people from having to write them down (or even place a sticky-note with it under their keyboards).

Here are some advantages of using pass-phrases:

  • More effective than simple passwords – Simple passwords are not secure and can easily be hacked. Pass-phrases may use some simple words, but the words are strung together in a sentence, which increases the pass-phrase’s complexity and length.
  • Easily satisfies complex rules – If your organization imposes password complexity, then pass-phrases easily satisfy them through the use of punctuation, spaces, numbers, as well as upper and lower case letters.
  • More support – More and more operating systems and online applications are updating from only using passwords to supporting the use of pass-phrases.
  • Easier to remember – Complex passwords using letters, numbers, and symbols are hard to remember. It’s our human nature to take something complicated and make it easier for us, so we may write these complex passwords down or even use the same password but add one number or letter during quarterly password updates to create complexity and uniqueness. Pass-phrases can be a quote or a line from a song or movie (like “Bye Bye Miss American Pie” or “Drove My Chevy to the Levy!”). They are easier to remember yet provide enough complexity.

A Closer Look

Here’s an example. Let’s say your organization’s security policy is to have a login password with the following characteristics:

  • minimum length of 10 characters
  • must contain at least one capital letter
  • must contain at least one number
  • must contain at least one symbol

For a password, you would use something like this:

Jackson$3404      (12 characters)

It meets all the requirements, but then you remember that the “jackson” part can be quickly discovered using a “dictionary” hack—a hack that tries to reveal passwords by running them through a large collection of dictionary words. These hacking programs know that a common password pattern is “dictionary word + symbol or one or two digits.” Now keep in mind that when hackers use dictionary attacks/hacks, it’s just a blind run through every possible dictionary word they have in their collection. There might be a concern that if they obtain your personal information (like your birth date or your children’s first names), it becomes easier to crack your password, but that is more effort than most hackers care to give (unless you are a high-profile target). Otherwise, a standard dictionary hack and brute force hack are sufficient to reveal most standard passwords. With all this in mind, you then change your password to this:

J8ck$on$3404

It’s a strong password, but that’s going to take time to remember, and once you’re able to recall it in your sleep, it will be time to change it.

For passwords like the one above, our human nature kicks in, and we often try to circumvent a rule as opposed to merely obeying it. I asked our Chief Information Security Officer here at USF about using this type of password, and he directed me to the National Institute of Standards and Technology website, which provides technical guidelines to government agencies regarding digital authentication implementation. Based on Digital Guideline publication 800-63B:

“Humans, however, have only a limited ability to memorize complex, arbitrary secrets, so they often choose passwords that can be easily guessed. To address the resultant security concerns, online services have introduced rules in an effort to increase the complexity of these memorized secrets. The most notable form of these is composition rules, which require the user to choose passwords constructed using a mix of character types, such as at least one digit, uppercase letter, and symbol. However, analyses of breached password databases reveal that the benefit of such rules is not nearly as significant as initially thought, although the impact on usability and memorability is severe…. Users often work around these restrictions in a way that is counterproductive.”

Simply stated, the password “J8ck$on$3404” will be hard to remember and most probably will either be written down or stored somewhere insecure (or may end up being changed by the user if all else fails).

A pass-phrase will look like this:

I jast 8 all the great bargers! 

The above has 31 characters (spaces and punctuation count), meets all the requirements, and reads as “I just ate all the great burgers,” (with the words “just” and “burgers” pronounced like how Steve Martin pronounces it in the 2006 reboot of The Pink Panther). This pass-phrase will be harder to crack since it is much longer (length is key), contains a combination of letters, numbers, and symbols, and contains a few words, like “jast” and “bargers,” that cannot be revealed using a dictionary hack. But the most important thing is that it is easier for a human being to remember this.

On The Horizon

According to USF’s Chief Information Security Officer and the Digital Guideline publication 800-63B, the direction in which passwords/pass-phrases are going will have open requirements like this:

  • no limit on the maximum number of characters
  • no complexity requirement
  • no age limit (passwords only change if compromised)
  • check against a list of known bad passwords (blacklisting use of “password” or “12345” as a password)
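
The difference between the composition policy from "A Closer Look" and the open requirements listed above can be shown in a few lines. This is an added example, not code from USF or from publication 800-63B; the function names, the 8-character minimum, the symbol definition and the base-word normalization are assumptions, and the blocklist is constructed from the bad passwords quoted on this page.

```python
import re

# Constructed blocklist: only the bad passwords quoted on this page. A real
# deployment would load a large list of breached passwords instead.
BLOCKLIST = {"123456", "password", "qwerty", "football", "1234567", "12345"}
MIN_LENGTH = 8  # assumption: the page's list names no minimum length


def legacy_policy(pw):
    """Composition rules from 'A Closer Look'; returns the rules that fail."""
    failures = []
    if len(pw) < 10:
        failures.append("shorter than 10 characters")
    if not re.search(r"[A-Z]", pw):
        failures.append("no capital letter")
    if not re.search(r"[0-9]", pw):
        failures.append("no number")
    if not re.search(r"[^A-Za-z0-9\s]", pw):  # assumption: a space is not a symbol
        failures.append("no symbol")
    return failures


def base_word(pw):
    """Lower-case and strip digits/symbols from both ends: 'Password1!' -> 'password'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.casefold())


def horizon_policy(pw):
    """'On The Horizon' rules: no maximum length, no composition rule, no expiry;
    only a minimum length and a known-bad-password check remain."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if pw.casefold() in BLOCKLIST or base_word(pw) in BLOCKLIST:
        failures.append("on the known-bad list")
    return failures


def compare(pw):
    """Return both verdicts side by side for one candidate."""
    return {"legacy": legacy_policy(pw), "horizon": horizon_policy(pw)}


if __name__ == "__main__":
    for candidate in ["Password1!", "123456", "drove my chevy to the levy",
                      "I jast 8 all the great bargers!"]:
        print(repr(candidate), compare(candidate))
```

"Password1!" satisfies every composition rule yet is rejected by the known-bad check, while a long all-lowercase phrase fails the composition rules and passes the open requirements.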

Our limited ability to remember complex passwords is not the only reason why we are moving to simpler requirements; the trend is also toward multi-factor authentication. This means that not only will you be using a pass-phrase for authentication, but also a secondary authentication method that works hand-in-hand with the first method.

Every organization employs security measures differently. USF uses DUO for accessing data-sensitive systems like GEMS and FAST. DUO is a Two-Factor Authentication (TFA) method that combines password/pass-phrase authentication with cell phone call-back. This is an excellent method for combating unauthorized use of your pass-phrase if you get hacked. This is how it works:

Diagram of two-factor authentication process

  1. When you log in, you will use a user ID and pass-phrase (for logging into your desktop or for the online application).
  2. The authentication system (DUO) will call you or text you on your cell phone to verify that you are the actual person logging in.
  3. It is only after the verification process that you are allowed to log in.

This way if a person hacks your pass-phrase, they still need your phone to gain access to your machine or your application site. DUO helps to make it even harder for hackers to get to your data.

In the future, biometrics like retina scanning or facial recognition might replace passwords altogether, or we might use them in conjunction with a pass-phrase. But until we can implement biometrics for every single device in use, we may have to fall back on pass-phrases. So go ahead and pick the chorus from your favorite song or even a funny line from your favorite movie (“Prepare for ludicrous speed!” comes to mind). Pass-phrases are as secure as complicated passwords but far easier to remember.

Bob Varghese
Bob Varghese is a Technology and Systems Analyst for Information Technology at the University of South Florida.