Rise of the passphrase

Long passwords are as hard to crack as complex ones; people are also less likely to forget them


WASHINGTON • People tend to hate computer passwords - those often nonsensical jumbles of letters, numbers and special keystrokes said to be essential for digital security. The secret codes seem impossible to remember. It's why every login page has a "Forgot password?" life preserver.

The struggle even has a name: Password rage.

Now, a new standard is emerging for passwords, backed by a growing number of businesses and government agencies. No longer must passwords be changed so often, or include an incomprehensible string of special characters.

The new direction is one that champions less complexity in favour of length. Passwords that once looked like this: W@5hPo5t!, can now be this: mycatlikesreadinggarfieldinthewashingtonpost.

Requiring longer passwords, known as passphrases, usually 16 to 64 characters long, is increasingly seen as a potential escape route from our painful push towards logins that only a cryptographer could love.

A series of studies from Carnegie Mellon University confirmed that passphrases protect accounts just as well, because password-cracking programs are slowed by extra length nearly as much as by added randomness: every character added to a password multiplies the number of guesses an attacker must make.

To a computer, a line of poetry or a simple sentence can be just as hard to crack as a jumble of symbols. Even better: People are less likely to forget them.

"You're definitely seeing more of it," said Ms Michelle Mazurek, one of the Carnegie Mellon researchers, now at the University of Maryland College Park. "For equivalent amounts of security, longer tends to be more useful for people."

One sign of change came this year from the federal agency overseeing government computer policy.

The National Institute of Standards and Technology (NIST) issued draft recommendations that called for a password overhaul - encouraging longer passwords and ending the practice of forcing new ones every 60 or 90 days.

"Passphrases are much harder to crack and break, and much easier to remember," said Mr Paul Grassi, an NIST senior adviser. It was an acknowledgment that current password practices are a pain. Passwords today are "completely unusable", Mr Grassi said. "Users forget, which creates all sorts of cyber-security problems, like (having to) write them down or reuse them."

The demand for simpler passwords has grown along with the share of time spent online, where hard-to-recall codes restrict access not only to work and school e-mail, but also to shopping, playing games, managing health claims and finding recipes.

The average person has 19 to 25 different online passwords, polls have shown.

But the change to simpler password protocols remains slow. When Ms Lorrie Cranor joined the Federal Trade Commission as chief technologist in January, she was stunned to learn that six of her government passwords came with automatic expirations.

A couple of months later, she had whittled that list down to four.

Mr Guillaume Ross, senior consultant at computer security firm Rapid7, said businesses are often forced to adopt new password policies more slowly because of legacy computer systems.

"On those systems, it's really hard for a security group to support long passwords," Mr Ross said. Still, he tells clients to focus on password length when beefing up security rather than any other variable.

In the meantime, experts caution against using popular song lyrics or poetry lines in passphrases. So no Beyonce or Wallace Stevens. Hackers can download libraries of information to try common phrases.
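The two claims above, that length buys as much as complexity and that a well-known phrase buys nothing, can be put into numbers. The following is an added example written for this page, not code from the researchers, NIST or Rapid7. It estimates the brute-force search space of the article's two sample passwords from their length and character classes, estimates what a word-list attacker faces for a nine-word phrase (assuming a 20,000-word vocabulary and an assumed offline guess rate of 100 billion per second, both hypothetical figures), and applies a passphrase-style policy: length bounds and a blocklist of common phrases instead of composition rules. The blocklist here is a tiny constructed stand-in for the real lyric and breached-password lists attackers download.

```python
"""Length vs. complexity: estimate attacker work for a password and apply a
passphrase-style policy (length plus a common-phrase blocklist, no
composition rules). Added example; all figures are estimates, not measurements."""
import math
import re
import string

# Constructed blocklist for this example. A real deployment would load a large
# list of breached passwords, song lyrics and famous lines.
COMMON_PHRASES = {
    "to be or not to be",
    "all you need is love",
    "the emperor of ice cream",
    "single ladies put a ring on it",
}


def _normalise(text: str) -> str:
    """Lower-case and drop everything but letters and digits, so spacing,
    punctuation and capitalisation cannot disguise a blocklisted phrase."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


_NORMALISED_BLOCKLIST = {_normalise(p) for p in COMMON_PHRASES}


def charset_size(pw: str) -> int:
    """Size of the union of standard character classes that appear in pw.
    This is the alphabet a brute-force attacker who knows the classes must cover."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 ASCII symbols
    if any(c.isspace() for c in pw):
        size += 1
    return size


def brute_force_bits(pw: str) -> float:
    """log2 of the search space for an attacker who knows only the length and
    the character classes used: len(pw) * log2(alphabet size)."""
    return len(pw) * math.log2(charset_size(pw))


def wordlist_bits(word_count: int, vocabulary: int = 20000) -> float:
    """log2 of the search space for an attacker who knows the passphrase is
    word_count dictionary words (assumed vocabulary: 20,000 common words)."""
    return word_count * math.log2(vocabulary)


def guess_time_years(bits: float, guesses_per_second: float = 1e11) -> float:
    """Expected years to search half the space at the given guess rate.
    1e11 guesses/s is an assumed figure for an offline attack on a fast hash."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


def check_passphrase(pw: str, min_len: int = 16, max_len: int = 64) -> list:
    """Policy in the spirit of the NIST draft described in the article:
    length bounds and a blocklist, no required symbol/digit/case mix.
    Returns the reasons for rejection; an empty list means accepted."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if len(pw) > max_len:
        reasons.append(f"longer than {max_len} characters")
    if _normalise(pw) in _NORMALISED_BLOCKLIST:
        reasons.append("matches a common phrase on the blocklist")
    return reasons


if __name__ == "__main__":
    samples = [
        "W@5hPo5t!",                                        # the article's "complex" example
        "mycatlikesreadinggarfieldinthewashingtonpost",     # the article's passphrase
        "To be, or not to be",                              # long, but famous
    ]
    for pw in samples:
        bits = brute_force_bits(pw)
        verdict = check_passphrase(pw) or ["accepted"]
        print(f"{pw!r}: {len(pw)} chars, ~{bits:.0f} bits brute force, "
              f"~{guess_time_years(bits):.1e} years; policy: {', '.join(verdict)}")
    print(f"9-word phrase against a word-list attacker: ~{wordlist_bits(9):.0f} bits")
```

The nine-character symbol-laden password comes out near 59 bits, which an offline attacker at the assumed rate exhausts in days, while the 44-letter sentence is over 200 bits by brute force and still around 129 bits even against an attacker who knows it is nine dictionary words. The famous line, despite its length, is rejected outright, because a blocklist lookup costs the attacker one guess, not trillions.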


A version of this article appeared in the print edition of The Straits Times on August 13, 2016, with the headline 'Rise of the passphrase'.