Fantasy Advice: Passphrases
Per the current trend, I’ve been advising people to use passphrases rather than passwords. Although there is room to debate whether this is really the best strategy, let’s assume for a moment that it is the superior method. Do the websites most people use actually make it possible to use long, multi-word passwords, or have we been giving advice that is untenable for most users?
tl;dr — It’s good advice if your audience sticks to popular websites like Google, FB, LinkedIn, Reddit, Wikipedia and Twitter. Unlikely to be good advice if you are advising someone with a bank account or who needs to sign up for healthcare through the US government.
Setting the bar
If you haven’t figured it out yet, a lot of people think you should stop using single-word passwords padded with character substitutions and a few extra symbols. Instead, randomly select a handful of words, ideally using a method like Diceware. The idea is that you will wind up with something longer but actually easier to remember.
The average English word is 5.1 characters long, or 4.2 if you use the Diceware word list. Depending on whether you separate each word with a space, that gives a range of 4.2–6.1 characters per word. If you follow the advice of Diceware’s creator, Arnold Reinhold, your passphrase should be at least 6 words long, or about 25–37 characters.
Below is how different websites fare when measured against this standard.
Google, Facebook, LinkedIn, Reddit, Wikipedia, and Twitter all allow passwords of seemingly unlimited length. Furthermore, they don’t require special characters or numbers, which can make passphrases harder to remember. That said, LinkedIn rates passphrases as “medium” if they do not contain extra characters, although it will still allow them. Wikipedia allows passwords that are only one character long, but that is a different issue altogether.
Amazon, Netflix, and eBay are also relatively good players and allow passwords up to 128, 60, and 64 characters respectively. They also require at least one number or special character, which can be annoying.
Yahoo also barely passes the test. Although it only allows up to 32 characters, it does not require special symbols or digits.
Chase Bank, Capital One and Sallie Mae all allow up to 32 characters. Unlike Yahoo, they also have additional requirements of special characters, uppercase, lowercase, and/or digits. Combined with the fact that 32 characters is on the edge of the acceptable length, it wouldn’t be fair to pretend you can use passphrases as is traditionally recommended on these sites.
Bank of America, Healthcare.gov, and Live.com allow up to 20, 20, and 16 characters respectively. At 16 characters, you can barely input 4 words!
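To make the comparison concrete, here is an added example (not code from the original post) that turns the length arithmetic above and the site rules listed in the post into a small checker: it estimates a 6-word passphrase’s length from the post’s average word lengths, generates a sample passphrase with a CSPRNG, and reports which sites would accept it. The policy table uses only the limits the post states; the bank entries are modelled as requiring both a digit-or-symbol and mixed case (an assumption, since the post says “and/or”), and the word list is a constructed sample, not the real Diceware list.

```python
import secrets
from dataclasses import dataclass
from typing import List, Optional

# Average word lengths quoted in the post (plain English vs. the Diceware list).
AVG_ENGLISH_WORD = 5.1
AVG_DICEWARE_WORD = 4.2


def estimated_length(num_words: int, avg_word_len: float, spaces: bool) -> float:
    """Estimate passphrase length the way the post does: every word counts
    its average length, plus one character per word when words are
    space-separated (hence the 4.2-6.1 characters-per-word range)."""
    per_word = avg_word_len + (1 if spaces else 0)
    return round(num_words * per_word, 1)


@dataclass(frozen=True)
class Policy:
    """Password rules as described in the post. max_len=None means no limit
    was observed. Bank entries are modelled as requiring both a digit-or-symbol
    and mixed case; the post says 'and/or', so this is an assumption."""
    site: str
    max_len: Optional[int]
    needs_digit_or_symbol: bool = False
    needs_mixed_case: bool = False


POLICIES = [
    Policy("Google", None), Policy("Facebook", None), Policy("LinkedIn", None),
    Policy("Reddit", None), Policy("Wikipedia", None), Policy("Twitter", None),
    Policy("Amazon", 128, needs_digit_or_symbol=True),
    Policy("Netflix", 60, needs_digit_or_symbol=True),
    Policy("eBay", 64, needs_digit_or_symbol=True),
    Policy("Yahoo", 32),
    Policy("Chase Bank", 32, needs_digit_or_symbol=True, needs_mixed_case=True),
    Policy("Capital One", 32, needs_digit_or_symbol=True, needs_mixed_case=True),
    Policy("Sallie Mae", 32, needs_digit_or_symbol=True, needs_mixed_case=True),
    Policy("Bank of America", 20),
    Policy("Healthcare.gov", 20),
    Policy("Live.com", 16),
]


def policy_for(site: str) -> Policy:
    return next(p for p in POLICIES if p.site == site)


def check(policy: Policy, phrase: str) -> List[str]:
    """Return the reasons a passphrase would be rejected (empty list = accepted)."""
    problems = []
    if policy.max_len is not None and len(phrase) > policy.max_len:
        problems.append(f"too long ({len(phrase)} > {policy.max_len})")
    if policy.needs_digit_or_symbol and not any(
        c.isdigit() or (not c.isalnum() and not c.isspace()) for c in phrase
    ):
        problems.append("no digit or symbol")
    if policy.needs_mixed_case and not (
        any(c.isupper() for c in phrase) and any(c.islower() for c in phrase)
    ):
        problems.append("no mixed case")
    return problems


def sites_accepting(phrase: str) -> List[str]:
    """Names of the sites whose rules (as modelled above) accept the phrase."""
    return [p.site for p in POLICIES if not check(p, phrase)]


# Constructed sample word list, NOT the real 7776-word Diceware list; a real
# passphrase should be drawn from the full list with dice or a CSPRNG.
SAMPLE_WORDS = ["acid", "bark", "cafe", "dusk", "echo", "fern", "gulf", "hill",
                "iris", "jade", "kelp", "lime", "moss", "nova", "opal", "pine"]


def make_passphrase(num_words: int = 6, words=SAMPLE_WORDS, sep: str = " ") -> str:
    """Pick words with the secrets module (cryptographically secure), the
    software equivalent of Reinhold's dice rolls."""
    return sep.join(secrets.choice(words) for _ in range(num_words))


if __name__ == "__main__":
    for label, avg in (("Diceware", AVG_DICEWARE_WORD), ("English", AVG_ENGLISH_WORD)):
        print(f"6 {label} words: {estimated_length(6, avg, False)}-"
              f"{estimated_length(6, avg, True)} characters")
    phrase = make_passphrase()
    print(f"sample passphrase: {phrase!r} ({len(phrase)} chars)")
    for p in POLICIES:
        verdict = check(p, phrase)
        print(f"  {p.site:16} {'OK' if not verdict else ', '.join(verdict)}")
```

Running it shows the post’s point directly: a plain 6-word, all-lowercase phrase of around 29 characters clears Google, Facebook, LinkedIn, Reddit, Wikipedia, Twitter and Yahoo, gets rejected by the 16- and 20-character sites on length alone, and fails the bank and retail sites on the missing digit, symbol or capital letter even when it fits.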
I’m not trying to argue that passphrases are the best method. I’m also not trying to condemn any website for requiring special characters. This is simply an effort to point out that the advice many people, myself included, give is often not compatible with the actual tools that are used. Especially considering the fact that some of the least compliant sites are run by banks and the government, we either need to pressure those institutions to update their policies or develop more realistic standards.