An easier-to-remember alternative to passwords, passphrases are a sequence of random words that should provide more security than a password because of the longer string of characters. Recent research has found, however, that passphrases often mimic naturally occurring language making them not as secure as once thought.
In a recent study, titled Linguistic properties of multi-word passphrases, two computer scientists from Cambridge University found that they were able to guess, or crack, 1.13 percent of passphrases taken from a large sample using a set of 20,656 phrases mimicking movie titles, sports teams, celebrity names and other proper nouns. Passphrases such as “three dog night” and “boston red sox” were repeated for a noticeable portion of the population.
In this particular study the passphrases came from Amazon’s PayPhrase system, which was just discontinued in February, where consumers could confirm and make a purchase by providing their passphrase and PIN. The study found that two-word passphrases provided 20.8 bits of protection, meaning that the chance a single guess could crack the passphrase is one in 220.8. By comparison, the National Institute of Standards and Technology (NIST) estimates that an eight-character password with mixed case, numbers and symbols provides 30 bits of protection.
Consumers, however, tend to choose weak passwords and without password policies in place few will create passwords this strong. The passphrase study references a prior academic study using a dataset of passwords compromised in a hack, and based on the actual passwords used they provided only 16.4 bits of protection. In the passphrase study 20,656 passphrases covered 1.13 percent of users whereas in the prior academic study 20,656 words would cover 26.3 percent of all the passwords used. Passphrases are still more difficult to crack than a password, but like passwords there needs to be policies in place to prevent consumers from using weak or common use passphrases.
For more information: