Passphrase Best Practices

Vishal V. Shekkar
Published in The Cacti Blog
Sep 9, 2020 · 4 min read


We say passphrase rather than password throughout the Cacti Vault app because we want to push you towards something as long as possible: a phrase, not a word.

  • The US National Institute of Standards and Technology (NIST) recommends long passphrases that are easy to remember and hard to crack. Special Publication 800-63B, Digital Identity Guidelines, says that services should accept passphrases of at least 64 characters, including spaces, and should not impose composition rules that make them harder to remember. Cacti accepts passphrases of up to 256 characters.
  • Cacti allows spaces in your passphrase as well as a wide range of special characters. Type out a long sentence or phrase with many words, but not a well-known one: quotations, lyrics and proverbs are in attackers' wordlists. Make up your own sentence and attach a story to it in your mind so that you can remember it.
  • We recommend a passphrase of at least 6 words. Separate the words with spaces, hyphens or any other special character, or use no separator at all.
  • Do not reuse a passphrase across services. If the same passphrase protects several accounts, an attacker who breaks into the weakest service gains access to all of them.
  • Do not derive your passphrase from personal details about yourself, your friends or your family: no birthdates, no anniversaries, no names of significant others.
There's an xkcd comic for everything: xkcd 936, "Password Strength" (https://xkcd.com/936/).

How to Choose a Secure Passphrase?

Whenever you choose a passphrase, consider two broad types of attack.

  1. Social Engineering Attack
  2. Brute-Force Attack

Social engineering attacks try to guess your specific passphrase. An attacker may research you online: your history, your relationships, where you work, what you studied, where you went to school, and so on, and build guesses from what they find.

The defence against this is a passphrase that is not derived from any personal detail about you, your friends or your family.

A less targeted form of guessing is a dictionary attack: the attacker takes a list of a million or more commonly used passwords and tries each one. One 2016 survey found that the 25 most common passwords accounted for more than 10% of those surveyed, with the most common, "123456", alone making up 4%.

Do not use any of the most common passwords. Cacti warns you if the passphrase you enter is among the 100,000 most-used passwords in the world.

Brute-force attacks are what remains when you have not used a common passphrase (good on you!) and the attacker could not obtain it socially. The attacker runs a program that generates every possible combination and tests each one. A short passphrase of about 6 characters can be exhausted in seconds if the service stores it with a fast hash, and even a deliberately slow password hash only stretches that to months for an attacker with a GPU rig.

Use a longer passphrase. 64 characters is currently a comfortable length; if you cannot manage that, use as long a passphrase as you can. Every character you add multiplies the attacker's work by the size of the character set, so the time to crack grows exponentially with length. This only holds if the characters are not predictable from one another, which is why the words should be chosen at random rather than taken from a famous quotation.
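To show how quickly length pays off, here is an added example (not code from the article or from the Cacti app) that computes the keyspace of a random passphrase drawn from the 95 printable ASCII characters and the expected time to search half of it at two guess rates: a fast unsalted hash on a GPU rig and a deliberately slow password KDF. The two rates are illustrative assumptions; what matters is how the time scales with length.

```python
import math

# Assumed guess rates (guesses per second), constructed for illustration only.
# Real figures depend on the hash the service uses, the hardware and the budget.
GUESS_RATES = {
    "fast unsalted hash, GPU rig": 1e11,
    "slow password KDF, same rig": 1e4,
}
PRINTABLE_ASCII = 95  # letters, digits, punctuation and the space character


def keyspace_bits(length, alphabet_size=PRINTABLE_ASCII):
    """Entropy in bits of a passphrase whose characters are independent, uniform
    picks from alphabet_size symbols: log2(alphabet_size ** length).
    Each extra character adds log2(alphabet_size) bits, i.e. multiplies the
    attacker's work by alphabet_size (95 here)."""
    return length * math.log2(alphabet_size)


def expected_seconds(bits, guesses_per_second):
    """Expected time to hit the passphrase: on average half the keyspace is tried."""
    return 2 ** bits / 2 / guesses_per_second


def human(seconds):
    """Rough human-readable duration for the table below."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3g} seconds"


if __name__ == "__main__":
    # 47 is the length of the example passphrase later in the article.
    for length in (6, 8, 12, 20, 47, 64):
        bits = keyspace_bits(length)
        row = "  ".join(f"{name}: {human(expected_seconds(bits, rate))}"
                        for name, rate in GUESS_RATES.items())
        print(f"{length:>2} chars  {bits:6.1f} bits  {row}")
```

Run it and compare the 6-character row with the 20-character row: the difference is not a few more hours but many orders of magnitude, because the search space is 95 times larger for every character added. The slow-KDF column is why services should use a password hash such as Argon2 or scrypt, but the user cannot rely on that; length is the part the user controls.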

Example

Warning: Do not use the passphrases given in this example.

Consider the following Passphrase:

&&89 clock TRIP afraid STATION name DIVIDE 42&&
Length: 47 characters
Entropy: 256 to 571 bits blind (the attacker knows nothing about how it was built) and 83 bits with full knowledge (the attacker knows the dictionary, the separator and padding choices and the case rule). The full-knowledge figure is the conservative one to judge by; higher is better.

Alternates
clock/trip/afraid/station/name/divide
clock-TRIP-afraid-STATION-name-DIVIDE

  • You can remember this by making up a story in your head that links these words together.
  • You can also remember modifiers like upper case and lower case rules that you make up.
  • You may choose one or more separators between words as you wish.
  • You may choose to add padding characters or numbers at the beginning or end of the word chain. Padding adds entropy even when the attacker knows the scheme, so the two alternates above, which drop it, are correspondingly weaker.

Since passphrases generated this way

  • are long enough to make brute-force attacks impractical,
  • are not common,
  • will ideally not be derived from personal details about your life,

they are considered extremely secure.
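To make the construction above concrete, here is an added example (not code from the Cacti app or from xkpasswd) that builds a passphrase in the same layout as the one in the example, using Python's secrets module for the random choices, and computes the two entropy figures quoted there: the blind figure, which assumes the attacker knows only the length and that any printable ASCII character is possible, and the full-knowledge figure, which counts only the random choices the scheme makes. The word list, the 95-character alphabet and the 8,000-word dictionary size are assumptions for the demonstration.

```python
import math
import secrets
import string

# Constructed sample word list (an assumption for the demo). A real generator
# needs a dictionary of several thousand words; with only 32 words each word
# contributes just 5 bits, which the full-knowledge figure below makes visible.
WORDS = [
    "clock", "trip", "afraid", "station", "name", "divide", "river", "lamp",
    "garden", "planet", "silver", "window", "basket", "thunder", "pencil", "ocean",
    "castle", "meadow", "copper", "violin", "harbor", "forest", "marble", "candle",
    "desert", "rocket", "button", "island", "timber", "velvet", "anchor", "saddle",
]


def generate(words, n_words=6, separators="-/ ", pad_chars="!&#",
             pad_len=2, pad_digits=2):
    """Build a passphrase in the layout of the article's example:
    <pad><digits><sep><word><sep>...<word><sep><digits><pad>
    with every other word upper-cased as the memorable case rule.
    secrets.choice draws from the OS CSPRNG, never from random.random."""
    chosen = [secrets.choice(words) for _ in range(n_words)]
    cased = [w.upper() if i % 2 else w.lower() for i, w in enumerate(chosen)]
    sep = secrets.choice(separators)
    pad = secrets.choice(pad_chars) * pad_len
    prefix = "".join(secrets.choice(string.digits) for _ in range(pad_digits))
    suffix = "".join(secrets.choice(string.digits) for _ in range(pad_digits))
    body = [prefix] + cased + [suffix]
    return pad + sep.join(part for part in body if part) + pad


def scheme_entropy_bits(dict_size, n_words=6, n_separators=3, n_pad_chars=3,
                        pad_digits=2):
    """Full-knowledge entropy: the attacker knows the scheme, so only the random
    choices count. The alternating case rule is fixed and adds nothing; the
    two digit groups add pad_digits * log2(10) bits each."""
    return (n_words * math.log2(dict_size)
            + math.log2(n_separators)
            + math.log2(n_pad_chars)
            + 2 * pad_digits * math.log2(10))


def blind_entropy_bits(passphrase, alphabet_size=95):
    """Blind entropy: the attacker knows only the length and that every
    printable ASCII character (95 of them, an assumption) could appear."""
    return len(passphrase) * math.log2(alphabet_size)


if __name__ == "__main__":
    p = generate(WORDS)
    print(p)
    print(f"blind: {blind_entropy_bits(p):.1f} bits")
    print(f"full knowledge, {len(WORDS)}-word list: "
          f"{scheme_entropy_bits(len(WORDS)):.1f} bits")
    print(f"full knowledge, 8000-word list: {scheme_entropy_bits(8000):.1f} bits")
    # The article's alternates drop the padding symbols and the digits:
    print(f"alternate without padding, 8000-word list: "
          f"{scheme_entropy_bits(8000, n_pad_chars=1, pad_digits=0):.1f} bits")
```

The gap between the two figures is the point of the "blind" versus "full knowledge" line in the example: a 47-character string looks like 300-plus bits if the attacker treats it as random characters, but an attacker who knows it is six dictionary words with a fixed case rule only has to search the dictionary choices, separators and digits. Size the dictionary and the word count for the full-knowledge figure, not the blind one.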

Check out xkpasswd, a generator inspired by the xkcd comic above. It produces passphrases like the one in the example, with many configuration options for word count, separators, case rules and padding.
