The case for passphrases
At first, there was the password.
Then came the complex password: we were told to use capitals, numbers, and symbols.
And now we are telling you to forget all that. Think in terms of passphrases.
Here are some examples of passphrases:
'oooo comfortable chair'
'mmm chocolate donuts'
'you can never guess this'
When you type a passphrase, include the spaces: whitespace is accepted by most password systems (check that yours accepts it and does not silently trim it).
At first glance, the passphrases seem ridiculously long, so why should you use them?
Because passphrases are long but very easy to remember, and they are fast to type. Complex passwords are by nature abnormal and user-unfriendly: P!nc0138 is slow to type and hard to remember. For a passphrase to be considered effective it should be at least 15 characters long, which is not hard at all once you count the spaces.
From the security point of view, an attacker who wants your password has to either figure out what it is or attack the algorithm that protects it. The modern hashing and encryption algorithms used by well-designed systems have no known practical weakness, so the attacker is left with guessing: trying candidates one after another (aaaaaaa, aaaaaab, aaaaaac and so on). This is called brute force.
Showing the weakness of complex passwords takes only simple arithmetic. Complex passwords like the one above usually have around 8 characters. Assuming you follow the recommendation and mix lower-case letters, upper-case letters, numbers and symbols, the alphabet is:
26 (upper case letters) + 26 (lower case letters) + 10 (numbers) + 10 (common symbols) + 22 (signs) = 94 characters.
That gives 94 possibilities for each character of the password, so an exhaustive brute-force search of an 8-character password has to try 94 to the 8th power: 94^8 = 6095689385410816 (about 6 × 10^15).
Now the passphrase. 'oooo comfortable chair' has 22 characters (don't forget to count the spaces). Take the weakest assumption about it: that the attacker only has to try lower-case letters (ignoring even that the space is a 27th symbol).
That gives 26 ^ 22 = 13471428653161560586981973426176 (about 1.3 × 10^31).
Suppose an attacker has a very powerful computer that can try 40 billion candidates per second. The time to brute-force the password is then:
Total possibilities / 40 billion tries per second / 60 seconds in a minute / 60 minutes in an hour / 24 hours in a day / 365 days in a year.
With the complex password, the attacker exhausts the whole space in about 152,000 seconds, which is under 2 days (about 0.005 years; go ahead, do the math).
With the passphrase as we have suggested, the same attacker needs about 10,700,000,000,000 (1.07 × 10^13) years to complete the task, assuming the undead know how to use a computer.
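The arithmetic above, as an added example that is not part of the original article, so the numbers can be checked rather than taken on trust. It uses the article's alphabet sizes, the 40 billion guesses per second rate and 365-day years; the `wordlist_keyspace` function and its 10,000-word dictionary size are an assumption added here to show what happens when the attacker guesses whole words instead of single characters.

```python
# Added example: reproduces the article's brute-force arithmetic and adds one
# model the article does not use (guessing whole dictionary words).
from __future__ import annotations

SECONDS_PER_YEAR = 365 * 24 * 60 * 60   # the article's calendar: 365-day years
GUESSES_PER_SECOND = 40_000_000_000     # the article's "40 billion tries per second"

# Alphabet sizes taken from the article.
COMPLEX_ALPHABET = 26 + 26 + 10 + 10 + 22   # 94 printable characters
LOWERCASE_ALPHABET = 26                     # weakest assumption for the passphrase


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive character-by-character search must try."""
    return alphabet_size ** length


def seconds_to_exhaust(space: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst case for the attacker: every candidate is tried.
    On average the right one turns up after about half that time."""
    return space / rate


def years_to_exhaust(space: int, rate: int = GUESSES_PER_SECOND) -> float:
    return seconds_to_exhaust(space, rate) / SECONDS_PER_YEAR


def wordlist_keyspace(num_words: int, dictionary_size: int) -> int:
    """Assumption not in the article: the attacker guesses whole words drawn
    from a list of dictionary_size entries instead of single characters."""
    return dictionary_size ** num_words


def report(label: str, space: int) -> str:
    secs = seconds_to_exhaust(space)
    return (f"{label}: {space} candidates, {secs:,.0f} s = "
            f"{secs / 86400:,.1f} days = {years_to_exhaust(space):.3g} years")


if __name__ == "__main__":
    print(report("8-char complex password (94^8)", keyspace(COMPLEX_ALPHABET, 8)))
    print(report("22-char lower-case passphrase (26^22)", keyspace(LOWERCASE_ALPHABET, 22)))
    # Caveat: three common words from a 10,000-word list (constructed figure, not the article's).
    print(report("3 dictionary words, 10,000-word list", wordlist_keyspace(3, 10_000)))
```

The last line of output is the check a practitioner would want: three words from a 10,000-word list are only 10^12 candidates, about 25 seconds at this rate, which is why a passphrase should not be a phrase other people would choose and why turning it into a sentence with capitals and punctuation, as recommended below, matters.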
So this simple arithmetic shows the strength of passphrases. Complexity rules requiring numbers and symbols only increase the base (the possibilities per character); length increases the exponent, which is far more powerful. One caveat: the 26^22 figure assumes the attacker guesses character by character. An attacker who guesses whole dictionary words searches a much smaller space, so a passphrase made of a few common words is weaker than that number suggests. Here is a method that strengthens your passphrase against both kinds of guessing: type it like a sentence, for example 'I finally get it now!', with the capital and the punctuation. That makes the passphrase more effective and it is still easy to remember. According to field tests, our clients have no problem accepting this solution.
Of course, do not use the above examples as your passphrase.