Passphrase or autogenerated password?
I have always been fascinated by the number of blog posts that are supposed to help you decide between several options and that, after several paragraphs with little or no information, conclude with "it depends". To save you reading on in the expectation that there is a winner, I will say up front that there is not; now that we know the outcome, let's justify it.
What is this Passphrase?
You may have heard (or read) about "passphrases" for some time, but a passphrase is just a password like any other; the difference is that it is made up of words that can form a sentence (or something similar), usually following the structure word1-word2-word3-word4-word5. An example created with an automatic generator might be "resigned-relic-repaint-dork-imprison", but we can choose as many words as we want (and as long as we want).
So a “passphrase” is just another password.
Are they as secure as “traditional” passwords?
Again, it depends. In this case, since they are generally words, it varies depending on the number of words we use and their length. For example, using “car-dog” is not the same as using “resigned-relic-repaint-dork-imprison” above.
But with a minimum of 4-5 words of about 4-5 letters each, we can say that they are as secure as, or more secure than, traditional passwords.
The “false myth” of using a combination of characters (numbers, letters, symbols…)
Although it is true that a password with a variety of characters will generally be more secure, it depends a lot on how we combine them (h5?d2/=3&8 is not the same as P45$w0r6), but above all on the entropy.
We will not go into detail about what entropy is or how it is calculated, but in summary we can say that it expresses how complex the combination of characters we use is, based on the number of combinations those characters allow.
For example, if we use only numbers, with a length of 4 digits, we have 10,000 combinations (from 0000 to 9999). If instead of numbers we use letters (only upper case or only lower case, without mixing), the possible combinations increase to 456,976 with just 4 characters (from aaaa to zzzz). Although that may seem like a lot, a current computer, no matter how crappy, can try all these combinations in just a few seconds (or even tenths of a second).
What entropy measures is that complexity, expressed as a single value; if that value is above 80, we can say that our password is acceptable.
As a guide, a password with an entropy of 80 using only uppercase and lowercase letters would take about 1,056,931,425,538,817,434,583,040 attempts to crack; with an entropy of 80 combining all character types, 8,871,870,642,308,849,722,195,968. From there, the higher that number, the better.
We can calculate the entropy of our password with a Password Strength/Entropy Calculator, where it is not necessary to enter the password itself; it is enough to indicate the length and the combination of characters we use.
So when to use one or the other?
Here comes the crux.
As a personal preference, and because I use a password manager, all my passwords are auto-generated "standard" ones, and I use a single passphrase as the master password to access my password vault. The reason for using "standard" passwords for everything else is that many websites require that combination of numbers, uppercase and lowercase letters, and special characters, so the easiest thing is to auto-generate that type of password. Why I use a passphrase as the master password is very simple; let's see it with an example.
If we follow the "best practice" of creating a password that is as varied as possible and long enough to be secure, say 16 characters, we would have something like this:
And using a 3-word passphrase, with '-' as a separator and the first letter of each word capitalized, we would have something like:
The first password, 16 characters, with uppercase and lowercase letters, numbers, and symbols, gives us an approximate entropy of 100.
The second, a 4-word (33-character) passphrase, approximately 80. If we "paraphrase" it, we can turn it into something like:
Eating macaroni riding a bike is dangerous
Generating an approximate entropy of 120.
Entropy aside, I think it's not hard to figure out which one is easier to remember. Although the second is apparently easier to decipher for us, supposedly rational beings, it is more complex for a "brute force" computer. And even though it is much longer, once we have typed it a few times, and thanks in part to muscle memory, we will be able to remember and type it without problems.
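To make the arithmetic behind the entropy figures above and the 16-character-versus-passphrase comparison concrete, here is an added example (not code from the original post). It computes entropy as L·log2(N) for a character password (L characters over an N-symbol set) and for a passphrase (L words from an N-word list), applies the page's "80 is acceptable" threshold, and estimates exhaustive-search time at an assumed guess rate. The character-set sizes and the 7776-word Diceware-style list are assumptions, not values from the post; note that a word-based estimate is lower than a character-based one, because it assumes the attacker knows the word list.

```python
import math

# Assumed alphabet sizes (the post does not list them).
CHARSETS = {
    "digits": 10,
    "lower": 26,
    "upper+lower": 52,
    "upper+lower+digits": 62,
    "upper+lower+digits+symbols": 94,  # printable ASCII without space
}
DICEWARE_WORDS = 7776  # 6^5 words, the classic Diceware list size (assumed)
ACCEPTABLE_BITS = 80   # threshold the post uses for "acceptable"


def combinations(length: int, alphabet_size: int) -> int:
    """Number of distinct strings of `length` symbols over an alphabet.
    The post's examples: 4 digits -> 10,000; 4 lowercase letters -> 456,976."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random choice: log2(N^L) = L * log2(N).
    For a password, L = characters and N = character set size;
    for a passphrase, L = words and N = size of the word list."""
    return length * math.log2(alphabet_size)


def is_acceptable(bits: float) -> bool:
    """Apply the post's rule of thumb: 80 bits or more is acceptable."""
    return bits >= ACCEPTABLE_BITS


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate
    (the rate is an assumption; it depends on hash and hardware)."""
    return 2.0 ** bits / guesses_per_second


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of words from the list that reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


if __name__ == "__main__":
    pw = entropy_bits(16, CHARSETS["upper+lower+digits+symbols"])
    pp = entropy_bits(4, DICEWARE_WORDS)
    print(f"16-char mixed password: {pw:.1f} bits, acceptable={is_acceptable(pw)}")
    print(f"4-word passphrase:      {pp:.1f} bits, acceptable={is_acceptable(pp)}")
    print(f"words for 80 bits from {DICEWARE_WORDS}-word list: "
          f"{words_needed(ACCEPTABLE_BITS, DICEWARE_WORDS)}")
    print(f"4 lowercase letters at 1e9 guesses/s: "
          f"{seconds_to_exhaust(entropy_bits(4, 26), 1e9):.6f} s")
```

The same `entropy_bits` function covers both password styles, so you can compare a candidate master passphrase against a generated password on equal terms before choosing one.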
Passphrase as master password, “traditional” for the others
To summarize, as a personal preference, it is best, on the one hand, to use a password manager (a must): it is the easiest and fastest way to manage all our passwords. On the other hand, use a passphrase that is long enough (about 25 characters) as the master password, and standard auto-generated passwords from the password manager for everything else, preferably of at least 16 characters combining all character types.
Here are some related resources in case they can be useful to you:
About Toni Llull
A graduate in Computer Engineering from the Facultat d'Informàtica de Barcelona - Universitat Politècnica de Catalunya (FIB-UPC), I have been at Sogeti for 6 years, holding positions such as testing engineer, developer, DevOps and Team Lead. A fan of technology since I was a child, I have always been interested in learning new things and discovering what technology can offer us. A sports fan, especially of triathlon, I believe that combining what you learn from sport helps you improve as a professional, and vice versa. I like to share my knowledge and points of view about the topics I like with others, because they help me to keep growing as a person.