Passphrase Evangelism

The article Passwords: The Weakest Link references a 25-year-old research work on the efficacy of passwords:


This is a companion discussion topic for the original blog entry at: http://www.codinghorror.com/blog/2005/08/passphrase-evangelism.html

Good point, but be careful what you wish for *g*. When laymen users start using sentences (aka passphrases) they pull from an active vocabulary of about 400 words. Constructing a grammatical dictionary attack seems quite feasible. It has been said before in one of the blogs (much more detailed and eloquent than my comment here - so credit to them), unfortunately I don’t recall where.

The tagline anyway is right: Passwords are broken.
:) stw

> Constructing a grammatical dictionary attack seems quite feasible

I don’t agree that this is feasible at all, for a phrase of more than trivial length (e.g., 5+ words).

However bad the phrase will be, it can’t be as bad as the same user picking a single word password, even with forced restrictions on things like word length and having a number/character in it.

Passwords are a fundamentally bad choice for security. I mean, what were they originally invented for, back in the mists of time? A few selected men spying on Caesar’s enemies, or fetching gold bars from the safe, or something like that.

Now we expect every Joe and Mary to remember 26 different passwords for their completely mundane computer work? That’s just ridiculous. Of course this won’t work, how could it ever? Typical example of taking the first and simplest solution that fits the computer, no matter how badly it fits the users.

We need to get away from this ancient, cumbersome, unsafe “technology” and move on to something sensible like biometrics, or at least a unified computerized security token. Microsoft Passport wasn’t a bad idea, really – if only it hadn’t been made by Microsoft (so everyone opposed it)!

> move on to something sensible like biometrics

Biometrics is only slightly more secure than a password:

http://www.dansdata.com/uareu.htm

Scroll down or find to…

“The UareU scanner is optical and probably wouldn’t know the difference, but I nonetheless decided to see if I could fool it with a gummi finger.”

“Ugly and bubble-y the jelly thumb was, but the UareU scanner loved it. It thought the jelly finger was a real one more than 50% of the time. And since you can attempt recognition about once a second, that means it’d be trivially easy to log in with a thing like this, even with people watching. Trim the jelly so it fits over the end of your real finger, and some very rudimentary prestidigitation will keep your fakery from the attention of onlookers.”

"Earlier this year, German tech mag c’t tested nine fingerprint scanners (six capacitive, two optical and one thermal), plus Panasonic’s Authenticam iris scanner, and Cognitec Systems’ FaceVACS-Logon face recognition system. All of the widgets tested were current models, and all came with impressive marketing claims.

And all of them, in layman’s terms, sucked, if used as the only source of identification."

We need to switch to a physical key device that can’t be easily duplicated. I should be able to put my “key” into the “lock” on my computer and “open” it. Pretty much just a USB-looking device with a long security key burnt into it should do. The biggest issue is with people losing keys. But this can be taken care of by having layers of administration. This would work best for enterprises.

In the military they use their CAC card in a smart card reader. Since the CAC (Common Access Card) card is also your id, you’re less likely to lose it. Then again, most enterprises don’t check your id 4 or 5 times before you get to sit down and use your computer to log in, so it’s unclear to me if this is the real solution we’re looking for.

Something like, say… this?

http://www.hanselman.com/blog/Coding4FunSomeAssemblyRequiredUSBWirelessPCLock.aspx

http://froogle.google.com/froogle?q=%22USB+PC+Lock%22&scoring=p

Close. Something more like a built in RFID reader and cheap RFID password cards. The computer manufacturer would send you a stack of them when you buy the computer or you can go buy a stack of 10 at Best Buy for about $5. You simply swipe/pass the card through/near the computer and you are in. You would keep your administrator card hidden somewhere in your house and use your card for the limited user login on a regular basis. The cards would also have the password number (say… 30+ random characters) printed on it so that it can be hand entered if the card goes bad.

It’s all very easy to imagine and what you have posted is very similar in concept. It just needs wider acceptance and needs to be much cheaper.

3-dimensional facial biometrics…

link:
http://www.tgdaily.com/content/view/33676/113/

I wish more people read this.
Even the web access at my bank account doesn’t allow for more than 8 chars!
And if you look, most services on the web take 6 or 7 chars.
(Without even considering encryption…)
What are we supposed to do with that?

@Chris Nahr:

OpenId.

The nice thing about single keys is that one only needs to steal the single key to gain access to everything.

The nice thing about it being a hardware key is that it’s a lot easier to steal.

The nice thing about a biometric key is that once it’s stolen, you can never change it.

Not to mention the question of how you’d want to link verification at your personal workstation to verification online without security, secrecy and privacy risks.

Old and primitive as the text password may be, at least it’s hidden inside your head. It eliminates the avenue of “hacking” the key at the source.

Biometrics is actually a very, very bad idea.

The way to steal a biometric-locked Mercedes is to steal the owner’s thumb:

http://www.theregister.com/2005/04/04/fingerprint_merc_chop/

The Great Debates: Pass Phrases vs. Passwords

Part 1 of 3
http://www.microsoft.com/technet/community/columns/secmgmt/sm1004.mspx

Part 2 of 3
http://www.microsoft.com/technet/community/columns/secmgmt/sm1104.mspx

Part 3 of 3
http://www.microsoft.com/technet/community/columns/secmgmt/sm1204.mspx

Tim Cinel:

OpenID is great for centralized authentication to things like MySpace and Facebook, but it was never meant as a high-security auth-scheme for banks. For this, two-factor authentication is required. Banks just think what they are implementing today is two-factor, when it is really multiple single-factor (e.g. Bank of America’s SiteKey crap). And, it certainly doesn’t do anything to squash phishing.

Martijn:

Single Keys - Hopefully, when a hardware key is used, it is used in conjunction with something you know (2-factor auth). So, if it is stolen, who cares. A better solution is the key FOBs that generate a number that has to be entered in conjunction with your password. PayPal and eBay are doing this today for cheap ($5 for a FOB).

Biometrics - Not true. Biometric keys are stored as hashes and I believe they are different each time they are generated. So, if it was stolen somehow, you’d just need to re-generate the key. Otherwise, this form of identity verification would have been thrown away a long time ago. Again, multi-factor auth solves this problem as you’d use biometrics (something you are) with a password (something you know).

Passwords in head - Um… passwords are not just in your head. They are stored somewhere electronically which is why brute forcing exists. Said hacker gains access to a system somehow, steals the password database, uses tools to hack it. Actually, if a person has elevated access in a company and decides to turn evil, it’s easier than you think.

http://en.wikipedia.org/wiki/Authentication_factor

Just use a USB key with a bunch of randomly generated passwords. Back it up on a hard drive at home or two, and you’re good to go. Works well with Firefox portable.

I use a password generator that creates 32-character passwords… and they don’t work most of the time! Web apps tend to have stupid limits like 16, 18 or 24 characters and of course those MySQL-based won’t complain (and it’s really scary to see how many websites don’t hash passwords).

When you’re hashing passwords, there really isn’t a limitation on password length, because it is stored in the database as 32 (or 40, for SHA1) characters anyways. That way, your “password” can be up to several thousand characters with no sweat.
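Added example (not part of the original thread): a Python sketch of the point made in the two comments above, that a hashed password occupies the same storage whatever its length, while a length-capped plaintext column silently makes different passwords equivalent. It uses salted PBKDF2-HMAC-SHA256 rather than the bare MD5/SHA-1 digests whose lengths the comment quotes; the iteration count, the 16-character cap and the sample passwords are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumed work factor for this example
COLUMN_LIMIT = 16      # constructed: one of the length caps mentioned above


def hex_digest_length(algorithm, password):
    """Length of a bare hex digest; independent of the password's length."""
    return len(hashlib.new(algorithm, password.encode("utf-8")).hexdigest())


def hash_password(password, salt=None):
    """Return 'salt$derived_key' in hex; always 97 characters long."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt.hex() + "$" + key.hex()


def verify_password(password, record):
    """Re-derive with the stored salt and compare in constant time."""
    salt_hex, key_hex = record.split("$")
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(key.hex(), key_hex)


def truncating_store(password, limit=COLUMN_LIMIT):
    """Model of a plaintext column that silently cuts input to `limit` chars."""
    return password[:limit]


if __name__ == "__main__":
    # Constructed sample passwords: 8, 32 and 5000 characters.
    samples = ["hunter2!", "correct horse battery staple 32c", "x" * 5000]
    for pw in samples:
        print(len(pw), "->", len(hash_password(pw)), "stored characters")
    a = "correct horse battery staple"
    b = "correct horse battle stations"
    print("truncated plaintext equal:", truncating_store(a) == truncating_store(b))
    print("hash accepts other phrase:", verify_password(b, hash_password(a)))
```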

What about patterns on the keyboard? Seems like you just need a mnemonic to remember it and the result is very random since it’s very large - larger at least than the English vocabulary.

For instance, I start my banking pswd with the name of the company’s first letter then go from there. If I use a geometric pattern from that starting point (even linked to their logo :), then the issue becomes simply remembering the initial cue (the shape) rather than a long string past short-term memory limits (+/- 7).

The problem isn’t one of computation. It’s human memory. You have to solve it with memory chunking features.