password vs passphrase

Thread starter: Susan

Susan

Option 1: passphase -> 15 or more character phrase
Option 2: password -> 12 to 14 characters (upper & lower
case, numbers and symbols)

Which is more secure? Which is hard to hack?
 
Hi,

it still depends on what the password is and what the passphrase is...

e.g. my password could be "P@assw0rd1234"; would you consider this a secure
password? It has upper and lower case chars and it has numbers in it...

again, you could have a "pass phrase" like "aaa bbb ccc ddd eee etc"

The other downside is that they are stored as an LM hash (by default for any
password shorter than 14 characters) and as such are vulnerable to cracking
using tools such as @Stake's, etc....

Personally, I use pass phrases... They are harder to attack with dictionaries
and they are not stored as an LM hash (longer than 15 characters).

Mike
 
Mark Minasi had an interesting take on this at the Security Roadshow this
spring. I'll do my best to paraphrase: (Forgive me if I miss a niggling
detail or three - I think the full slide deck is up on www.minasi.com.)

A 15+ character passphrase has some good things going for it. Even if an
attacker's machine could attempt thousands of passwords every minute, it
would take something like 600 NONILLION years to cycle through all possible
15-letter passphrase combinations, even if the letters are all in
lower-case. Which gives you a legitimate possibility of eliminating account
lockout policies that 90% of the time serve no other purpose than to annoy
your users. :-)

It's also easier for your users to remember a long PHRASE than somehow
expecting them to come up with an 11-letter WORD and intersperse it with % ^
@ $ ! characters or whatever. Compare the following:

Password: Ant!d!se$s+abli$hm3n+ar!an!$m.

Passphrase: igreatlyenjoyrivetswithmymorningpancakes

Which one is better? A user is going to have to THINK about typing in the
former. Probably every single time they have to do it. Which will lead to
mis-typing and account lockouts and other annoyances. Whereas the latter is
really easy to remember, since it's -English.-

The drawback to a passphrase is that some down-level systems won't support
them - they're stuck in the LM-Hash compatibility world and can't handle
anything longer than 14 characters. So it's something that you need to test
before you mandate it across the board.
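The two points made above by Mike (passwords of up to 14 characters get an LM hash, longer ones do not) and Laura (how large the search space for a long lower-case passphrase is) can be put side by side in code. The following is an added example, not code from the thread: it models the LM preprocessing steps that make that hash weak (upper-casing, null padding to 14 bytes, splitting into two 7-byte halves attacked independently, expanding each half into a DES key) and compares the work an exhaustive attacker faces for a 12-14 character complex password against a 15+ character lower-case passphrase. The final DES encryption of the constant "KGS!@#$%" is left out because the Python standard library has no DES; the alphabet sizes (95 printable ASCII, 69 after case folding) and the exhaustive-search attack model are assumptions of the example.

```python
"""Added example (not from the thread): the LM hash 14/15-character boundary
and its effect on an attacker's search space.

Models LM preprocessing: upper-case, pad to 14 bytes, split into two
independent 7-byte halves, expand each half into a DES key. The DES
encryption of LM_MAGIC itself is omitted (no DES in the standard library);
the weakness is visible before that step.
"""
from math import log2

LM_MAX_LEN = 14                 # an LM hash exists only for passwords of <= 14 chars
LM_MAGIC = b"KGS!@#$%"          # constant plaintext each 7-byte half encrypts (not used here)
# Well-known value Windows stores when there is no LM hash (15+ chars, or NoLMHash set)
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"
FULL_ALPHABET = 95              # assumption: printable ASCII
LM_ALPHABET = 69                # assumption: 26 letters (case folded) + 10 digits + 33 symbols


def lm_halves(password: str):
    """Return the two 7-byte DES key inputs LM derives from a password,
    or None when Windows would not store an LM hash at all (15+ characters).

    Case information is discarded by upper-casing, the result is null-padded
    to 14 bytes and split into two halves that an attacker cracks separately.
    (Real LM uses the OEM code page; ASCII is an approximation here.)
    """
    if len(password) > LM_MAX_LEN:
        return None
    data = password.upper().encode("ascii", errors="replace")
    data = data.ljust(LM_MAX_LEN, b"\x00")
    return data[:7], data[7:]


def des_key_from_7bytes(half: bytes) -> bytes:
    """Expand 7 bytes (56 bits) into the 8-byte DES key with odd-parity bits,
    as LM does before encrypting LM_MAGIC with each half."""
    if len(half) != 7:
        raise ValueError("LM half must be exactly 7 bytes")
    bits = int.from_bytes(half, "big")
    key = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F   # next 7 bits, most significant first
        byte = seven << 1
        if bin(seven).count("1") % 2 == 0:      # odd parity in the low bit
            byte |= 1
        key.append(byte)
    return bytes(key)


def attack_cost_bits(password: str, alphabet_size: int) -> float:
    """log2 of the worst-case number of guesses for an exhaustive attacker.

    Without an LM hash the attacker must search alphabet_size ** len(password).
    With one, each 7-byte half is searched independently over the case-folded
    alphabet, so cost is about 2 * 69**7 however strong the 14 characters are.
    """
    full = len(password) * log2(alphabet_size)
    if lm_halves(password) is None:
        return full                                  # only the NT hash exists
    per_half = 7 * log2(min(alphabet_size, LM_ALPHABET))
    # with <= 7 characters the second half is the fixed all-null key: nothing to search
    work = per_half if len(password) <= 7 else per_half + 1
    return min(full, work)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return 2 ** bits / guesses_per_second / (3600 * 24 * 365)


if __name__ == "__main__":
    rate = 1e9                                       # assumption: 1 billion guesses/s
    samples = [                                      # constructed inputs
        ("P@assw0rd1234", FULL_ALPHABET),             # Mike's 13-char example
        ("Abcdefg1234!@#", FULL_ALPHABET),            # 14 chars, full complexity
        ("igreatlyenjoyrivetswithmymorningpancakes", 26),  # Laura's lower-case phrase
    ]
    for pw, alphabet in samples:
        halves = lm_halves(pw)
        bits = attack_cost_bits(pw, alphabet)
        print(f"{pw!r:45} LM stored: {halves is not None!s:5} "
              f"work: 2^{bits:5.1f}  years@1e9/s: {years_to_exhaust(bits, rate):.3g}")
        if halves:
            print("    DES keys:", *(des_key_from_7bytes(h).hex() for h in halves))
```

The numbers the script prints make the thread's point precise: a 14-character password drawn from all 95 printable characters still costs only about 2^44 guesses once its LM hash is available, while a 15-character all-lower-case phrase with no LM hash costs about 2^70. Upper-casing and splitting, not character count alone, are what make the short password weak.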
 
Anything larger than 15 characters SHOULD be harder to hack. However, if someone
uses a bad password/phrase made up of all dictionary words, they may successfully
reduce the security of their password/phrase.
 
While it is good to use complex passwords, and either of those could be considered
secure, particularly if storing of LM hashes can be disabled, keep in mind that many
attacks involve "resetting" the built-in admin password of a computer, which requires
physical access to it and can be done in less than five minutes if the user has the
needed access. So use password complexity and an account lockout policy with a
threshold of no less than ten attempts [to deter brute force attacks AND notify you
of] along with good physical security of sensitive computers. --- Steve
 
Laura E. Hunter (MVP) said:
Mark Minasi had an interesting take on this at the Security Roadshow this
spring. I'll do my best to paraphrase: (Forgive me if I miss a niggling
detail or three - I think the full slide deck is up on www.minasi.com.)

A 15+ character passphrase has some good things going for it. Even if an
attacker's machine could attempt thousands of passwords every minute, it
would take something like 600 NONILLION years to cycle through all possible
15-letter passphrase combinations, even if the letters are all in
lower-case. Which gives you a legitimate possibility of eliminating account
lockout policies that 90% of the time serve no other purpose than to annoy
your users. :-)

It's also easier for your users to remember a long PHRASE than somehow
expecting them to come up with an 11-letter WORD and intersperse it with % ^
@ $ ! characters or whatever. Compare the following:

Password: Ant!d!se$s+abli$hm3n+ar!an!$m.

Passphrase: igreatlyenjoyrivetswithmymorningpancakes

Which one is better? A user is going to have to THINK about typing in the
former. Probably every single time they have to do it. Which will lead to
mis-typing and account lockouts and other annoyances. Whereas the latter is
really easy to remember, since it's -English.-

The drawback to a passphrase is that some down-level systems won't support
them - they're stuck in the LM-Hash compatibility world and can't handle
anything longer than 14 characters. So it's something that you need to test
before you mandate it across the board.

Oh give it up, spend a couple hundred bucks for a smart card system
and forget about it. LOTS OF LAUGHTER>:)
 