Cyber security: use passphrases
Aug 9, 2016 · 3 min read

Passwords are an undeniable part of our online life, whether for checking our email or bank account or just logging in to our Facebook page. They are a real open door to our private life. Unfortunately, with the improvement of phishing techniques, they are incredibly easy to crack. Luckily, there is an alternative that maximizes the protection of personal data: passphrases.

What’s a passphrase?

A passphrase is a sequence of words, typically 20 to 30 characters long, whereas passwords are usually made up of 8 to 10 characters.

Why should we use passphrases?

To be considered strong, a password has to be long and include plenty of characters of every type: numbers, punctuation marks, capital letters. With a different password for each account, it becomes necessary to keep a notepad or a password manager to remember them all, a solution which is not risk-free, knowing how ingenious hackers can be.

No matter its length, a passphrase is easy to remember thanks to mnemonic techniques. It also resists cracking attempts better, as shown in Randall Munroe’s comic strip. Moreover, according to a recent Smashing Magazine study, in a brute-force attack with a standard PC a complex 8-character password such as tU.w@b3e would be found in two years, whereas an ordinary sentence like “thisisasimplephrase” would take three billion years to crack!

How to optimize a passphrase?

The passphrase’s strength depends on several criteria, the first undoubtedly being its length: the longer it is, the more resistant it is to brute-force and dictionary attacks.

There are just a few conditions:

Need inspiration? Let’s take an example: unicorncoffeemondaytable. The combination of these words makes no sense, but with a little imagination it is fairly easy to keep in mind by repeating this sentence: “Last Monday, I saw a unicorn drinking coffee on a table”.

It is also recommended to complicate the passphrase with capital letters, spaces, symbols, misspellings or numbers. This addition strengthens its security without compromising its memorability.
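To put numbers on the length-versus-complexity argument made above, here is an added example (not code from the original post) that estimates the search space, entropy and expected brute-force time for the three strings the article uses, then contrasts that character-level view with the dictionary view, where the attacker guesses whole words rather than characters. The guess rate of 10^9 per second, the twelve-word toy list, and the 7,776-word list size are assumptions for illustration; real figures depend on how the password is hashed and on the attacker's hardware.

```python
import math
import secrets
import string

# Assumed attacker guess rate (guesses per second): a constructed figure for
# illustration, not one taken from the article or the study it cites.
GUESSES_PER_SECOND = 1e9
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed toy word list. A real generator would draw from a published
# list (e.g. a 7,776-word diceware-style list); only its size matters here.
WORDLIST = ["unicorn", "coffee", "monday", "table", "river", "planet",
            "candle", "orange", "window", "forest", "silver", "rocket"]

SYMBOLS = string.punctuation + " "   # 32 punctuation marks plus space = 33


def charset_size(secret: str) -> int:
    """Size of the smallest class-based alphabet containing every character
    of the secret: lowercase (26), uppercase (26), digits (10), symbols (33).
    A secret using all four classes is drawn from the 95 printable ASCII
    characters."""
    size = 0
    if any(c in string.ascii_lowercase for c in secret):
        size += 26
    if any(c in string.ascii_uppercase for c in secret):
        size += 26
    if any(c in string.digits for c in secret):
        size += 10
    if any(c in SYMBOLS for c in secret):
        size += len(SYMBOLS)
    return size


def brute_force_space(secret: str) -> int:
    """Candidates an exhaustive character-level search must cover."""
    return charset_size(secret) ** len(secret)


def dictionary_space(word_count: int, wordlist_size: int) -> int:
    """Candidates when the attacker knows the passphrase is `word_count`
    words from a list of `wordlist_size` words and guesses combinations."""
    return wordlist_size ** word_count


def entropy_bits(space: int) -> float:
    """Search space expressed in bits (log2)."""
    return math.log2(space)


def expected_crack_years(space: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the secret: on average half the space is tried."""
    return space / 2 / rate / SECONDS_PER_YEAR


def generate_passphrase(word_count: int = 4, wordlist=WORDLIST,
                        separator: str = " ") -> str:
    """Pick words uniformly at random with a CSPRNG. Uniform random choice is
    what makes dictionary_space an honest lower bound; a phrase a human
    invents is drawn from a much smaller, more guessable distribution."""
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


def compare(*candidates: str):
    """Per-secret summary: length, alphabet size, bits, expected years."""
    rows = []
    for s in candidates:
        space = brute_force_space(s)
        rows.append((s, len(s), charset_size(s),
                     round(entropy_bits(space), 1), expected_crack_years(space)))
    return rows


if __name__ == "__main__":
    for secret, length, alphabet, bits, years in compare(
            "tU.w@b3e", "thisisasimplephrase", "unicorncoffeemondaytable"):
        print(f"{secret:26} len={length:2} alphabet={alphabet:2} "
              f"{bits:5.1f} bits  ~{years:.3g} years at {GUESSES_PER_SECOND:.0e}/s")
    # Dictionary view: four words from a 7,776-word list is about 51.7 bits,
    # roughly the 8-character complex password against character-level brute
    # force; each extra word adds another ~12.9 bits.
    for n in (4, 6):
        space = dictionary_space(n, 7776)
        print(f"{n} words of 7776: {entropy_bits(space):5.1f} bits, "
              f"~{expected_crack_years(space):.3g} years")
    print("random passphrase:", generate_passphrase(5))
```

The two views show why the article insists on length: against a character-level attacker the 19-letter lowercase sentence dwarfs the 8-character password, but once the attacker guesses whole words from the same list, four common words are only on a par with that password, and the margin is regained by adding words (or, as the article suggests, by breaking the word pattern with capitals, symbols, misspellings or numbers).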

When you create a password, there is an unavoidable trade-off between security and usability. This is not the case with passphrases, which are both a solid and a user-friendly protection. Both solutions could, however, be living their last months, since the World Wide Web Consortium is setting up a group called the Web Authentication Working Group, whose aim for the coming year is to create a new authentication system based on the device used. Wait and see!

Written by

French self-managed worker cooperative. Creators of @ApiPlatform and Symfony contributors. PHP, Javascript & eCommerce consultants and web developers.