Are long passphrases the answer to password problems?

NIST's relatively new password recommendations, which includes not using long and complex passwords that are frequently changed, are turning the computer security world on its head. Many security practitioners simply refuse to believe the new advice.

I get it.

The new advice overturns decades of previous advice, from the same organization that that told us to trust the last 180-degree different advice, no less.

But times change. Hacking methods change. What used to stop the day's most popular attacks no longer works quite as well. It should be expected that attackers moved on to other, more successful methods once passwords started to get harder to crack. Or are they?

Kevin Mitnick, chief hacking officer for KnowBe4, Inc. (my full-time employer) kills that supposed fact with his latest video. In it, he cracks a 17-character, complex password in 31 seconds. Because of this, Mitnick recommends using simple, long passphrases (also known as "PassSentences") 25 characters or more, something like, "I like to go to the beach to get wet." Kevin also recommends using a good password manager to manage your passphrases.

It's good, sound advice. I agree with most of it. The only part I'm not sure about is the 25-character-minimum requirement. The reason is that while using 25-character or longer passwords might make password cracking (i.e., password hash cracking and password guessing) harder to pull off, it increases the risk that users will reuse the same password across different security domains, which is what NIST's latest advice is trying to prevent. NIST sees password reuse as one of the biggest, if not the biggest, risk to using passwords.

Are passphrases harder to crack than passwords?

Implicit in the recommendation of using longer passwords (or passphrases) is the idea that increasing length provides protection. It does–in theory–but just as password complexity fails between theory and practice, so, too, does the protective capabilities of length, although to a lesser extent.

Complexity requirements fail because even though you can require complex passwords, human-picked passwords tend not to be so complex in real-life. For example, even though we are free to pick among 94 different characters on the keyboard (and in some cases over 65,000 different characters), most people use the same 32 characters, and the average password is commonly constructed.

Most "complex" English passwords begin with an uppercase consonant, followed by a lowercase vowel, and if a number is required, it's a 1 or a 2 placed at the end. If special characters are used, they’re likely to be a ! or @ or # or $. Some derivation of that password will be used across multiple security domains and only be slightly different between forced password changes on the same site (e.g., Tadpole1, Tadpole2). Password experts consider most human-chosen complex passwords to have low entropy (entropy is a measure of randomness). Password crackers know this issue well and use it to crack passwords faster.

Unless your password is truly random--meaning in most cases that a random character-picking program creates your password–the chosen complexity really doesn't add much cracking difficulty to the password. If you do have to use a truly random password, who wants to enter in a password like Qz&y1$Bh all the time?

The lack of true randomness in human-based chosen complex passwords led many computer security experts to recommend very long passwords, which are very hard to remember. This led other experts to recommend easier-to-remember, even longer, more "natural" passphrases. They certainly will defeat today's password crackers, and that's a good thing.

Just two problems.

First, we still don't know at what length a longer password starts to cause more problems than it solves, and that's a major issue. The whole reason NIST isn't recommending requiring very long passwords is they have the data to show that the longer the passwords are, the more likely they are to be reused.

Second, if the whole world moves to "more secure" passphrases, we might be back in the same spot where we started, but now we are requiring users to create insanely long passphrases. Let me explain.

Long passphrases are not really high entropy for a lot of the same reasons complex passwords are not high entropy. People like passwords that look like natural words and passphrases that look like natural sentences. Because they do, it lowers the randomness. Many would have you believe that a long passphrase like, "I like to go to the beach to get wet" is a great, protective password.

The problem is that most humans, if allowed to pick their passphrases, will use many of the same words and a common sentence structure, thereby negating much of the advantages of going to a longer passphrase. Most humans have a working vocabulary of 10,000 to 20,000 words but use a far smaller number when writing. The average published book uses fewer than 3,000 unique words.

I did a word count on my latest book, A Data-Driven Computer Security Defense. Even though it contains over 240 pages and 54,000 words, it has just 4,754 unique words.

If the average book author uses more words than the average non-author, then most humans would probably compose passphrases using a much smaller list of words, perhaps just 1,000 to 2,000 unique words. This creates a big entropy advantage for password crackers that switched from using characters to words.

There are a lot of articles on password versus passphrase entropy on the internet, but here are some of my favorites:

• Password strength/entropy: Characters vs. words
• Multi-word passphrases not all that secure, says Cambridge University
• Entropy in written English

The first link is my favorite. Here's the money quote: "To have 80 bits of security [i.e., entropy], a password needs about 13 characters while a passphrase only needs about five words! However, a passphrase chosen out of 10,000 words needs seven words to have the same strength."

Imagine how many passphrases begin with the word "the" or have the words "the", "that", or "of" in them? So, to have a passphrase equal in strength to a 13-character password would require at least 7 words, but that's only if the user has a 10,000-word working vocabulary that they actively use for their passphrases.

A user's passphrase working words list is probably closer to a few thousand words, meaning that they would need to have a much longer passphrase to get the same protection. How long? I haven't worked out the entropy calculation, but it's probably closer to 15 to 20 words, and I don't see users loving that sort of requirement. Unless your passphrase is randomly generated, it doesn't protect much more than a non-random password.

A few word-guessing password crackers are currently available, and if the world started using passphrases, the rest will convert. Instead of testing out the same 32 characters in more varying combinations, they will use 2,000 words in less varying combinations.

Some experts suggest fixing all those problems by using a password manager that creates and uses randomly generated long and complex passwords/passphrases. Let password managers do all the hard work.

The problem with password managers

The biggest issue with password managers is the single-sign-on (SSO) risk that we've been fighting for decades. Once you begin putting all your passwords in one place, that's where the bad guys will attack. We already have websites and malware that search computers for password manager databases.

Some password managers store the passwords online in the cloud, to help users synchronize their passwords across multiple devices. It's nice, but now my passwords are in the cloud where they can be hacked without me knowing about it. One compromise of an online password manager compromises all passwords. This has already happened. Just type in "password manager hacked" into Google and enjoy.

It's not just that password managers are really SSO apps that can be hacked. I've yet to find the password manager that works across all applications, websites and devices. This means that you still have to figure out how to securely store the (long) passwords that your password manager can't handle.

Legacy password requirements a barrier to using passphrases

Did I mention that many websites and services don't like long passwords? For example, Microsoft Office 365 won't accept passwords longer than 15 characters. Many operating systems won't accept long passwords. Microsoft Windows, in its default state, won't allow an admin to enforce a minimum password size larger than 16 characters unless they use an advanced feature that isn't implemented in most environments.

Good luck trying to use that simple, non-complex passphrase. Many websites won't let you create a password of any size unless it includes complexity. So, if your personal mantra is to use long passphrases and you are forced to use complexity, you end up with a long passphrase with complexity, which no one thinks will work in the real world. In reality, on sites that don't allow long passwords you end up with both shorter and longer passwords with and without complexity.

Let's not forget that many sites force you change that password every 90 days or less. So, every 90 days you have to come up with a new, long, unique passphrase. Yeah, good luck with that. I see a lot of passphrases like, "I like to go to the beach to get wet", "I like to go to the Beach 2 get wet", and "I like to go to the lake to get wet2". We end up in the same place we were with passwords but with more characters to remember across multiple mechanisms despite your best efforts.

Then there's the chance that your long password/passphrase is being truncated without you knowing it. Many sites will look like they accepted your longer password/passphrase, but they truncate it because they have some maximum size they will accept. While you think you're getting the security of a very long password, what is accepted, without any error, is a much shorter version. If the attacker is allowed to guess your password without an account lockout throttling or gets your password hash, they can crack it far easier than you think.

It actually gets worse. Most websites allow your account to be taken over by answering a few password reset questions. These are hideously insecure. Research from Google shows that even legitimate users of the accounts aren't great at remembering what they put in for answers just weeks after putting them in. Google also says something like 60 percent of your password reset answers can be found on the internet by hackers. Password reset questions allow your account to go from being protected by something a little secure (e.g., passwords, 2FA) to something not at all secure. Password reset questions should be outlawed!

This is what NIST was talking about all along. If password cracking was your only threat, we'd all just increase the length of our passwords and go on with life. But passwords are under assault from all sorts of threats, most of which are not related to cracking. There isn't much overall protection given by increasing your password length, and at some number of characters, it just makes things worse.

The problem is that passwords, in any form, are just inconvenient for humans to use, especially if they have to memorize them. Password reset questions and authentication methods where users log on by selecting a pattern of dots are far, far worse. There is no easy answer to how to make passwords resistant to the most likely password attacks. It hasn't been done in over three decades and will never be done.

More on passwords:

• The password hall of shame (and 10 tips for better password security)
• 12 famous passwords used through the ages
• I can get and crack your password hashes from email
• Using a password manager: 7 pros and cons
• 4 common password security myths