Choosing a good passphrase

[Note. This is a slightly modified version of an article that originally appeared in the February 2005 issue of Archive magazine.]

Every encryption program requires a passphrase to protect the encrypted data. Since the commonly used modern ciphers are extremely secure, being resistant to all known methods of cryptanalysis, the passphrase is usually the most vulnerable part of any encryption procedure. It is therefore important to choose 'strong' passphrases.

Why do we speak of a 'passphrase' instead of a 'password'?

When many people are asked to choose a password, they select some common word or name. This can be cracked easily by a 'dictionary attack', i.e. a computer program that uses a dictionary to try all possibilities. Many such programs exist. They are sometimes used by people who have forgotten their own password. But a password that can be recovered in this way is weak. It can be recovered just as easily by anyone else, who can then gain access to the user's encrypted data, online banking details, etc.

A somewhat stronger type of 'password' is one which is not a real word, and perhaps even includes some numbers or other special symbols, if these are allowed by the software or the website that you are using. Although this is safe from a classical dictionary attack, it can be cracked by a 'brute-force attack', i.e. a program that simply tries all possible sets of characters until it finds the right combination. Of course, the longer the password, the more difficult such an attack becomes. Suppose, for example, that 50 different characters are allowed in the password. Then if you add one extra character to an existing password, a brute-force search for the correct password would be expected to take 50 times as long.

Some Unix systems, for example, accept logon passwords of up to eight characters. Logon passwords for some ISPs are similar. Unfortunately, such passwords are rather weak and are easily attacked. You should certainly use longer passwords if a system allows this.

Documents for some encryption software, such as PGP and GnuPG, always speak of passphrases, rather than passwords, in order to stress that they can be of any reasonable length, consisting of many words or groups of characters, separated (optionally) by spaces.

How strong should a passphrase be?

The passphrase is by far the weakest part of many encryption systems, because in practice many users choose a weak one. If an attacker wants to gain access to a typical user's encrypted data, it would be far more efficient to try to crack the passphrase than to attempt any real cryptanalysis. This is why it is very important to choose a good passphrase.

Even for powerful organisations like government agencies with huge computing resources, it would be most cost-effective to try to crack the passphrase. It is often said that the simplest technique for gaining access to encrypted data is the 'rubber-hose attack' (beating the victim, or using other methods of torture, until the passphrase is revealed). Another such technique is to plant an electronic bug or a hidden program in the user's computer, to capture all the keystrokes. Alternatively, even without any physical access to a computer or its user, a serious attacker can monitor, from a distance, the electronic emissions from the computer and thereby record the passphrase. This is known as a 'Tempest attack'. It's not easy to guard against any of these possible attacks. But you probably do not need to worry about them, unless you are a serious target of government investigations or live under an oppressive regime.

It makes sense to choose a passphrase which is equal in strength to the cryptosystem being used, since any such system is only as strong as its weakest link. This article explains some simple tricks which can help to achieve that goal.

Choosing a strong passphrase

In general terms, the aim should be to create a passphrase that is easy to remember and to type when needed, but very hard for anyone else to guess, even for someone who knows you well. It should also be long enough to make any dictionary attack or brute-force attack impractical.

One well-known method is to select, by some random process, a set of words from a dictionary. This technique is sometimes called 'diceware'. It is implemented by the RISC OS program !RNDpass by Tony Hopstaken, which is available from this website.

With a dictionary as large as the one included in !RNDpass, a passphrase consisting of 8 or more random words is likely to withstand any conceivable attack, because of the enormous number of possible combinations, especially if the passphrase is modified in some unpredictable way to prevent a pure dictionary attack.

Some simple tips for 'distorting' a passphrase are described below. If they are applied with a little ingenuity, they will work well even if the user starts with a 'normal' passphrase in plain English (instead of random words, as given by !RNDpass) and distorts it in such a way that it becomes quite unpredictable.

A few special methods of doing this can be automated in !RNDpass, as an option. 'Random' (computer-generated) distortions of a passphrase consisting of normal words are undoubtedly more secure than distortions added by hand in an intuitive manner, but it may take more effort to remember them.

Passwords for websites

Yes, I'm speaking about 'passwords' here, not 'passphrases'. Many websites which require the user to register for some service ask for a 'password', and in some cases they impose a rather strict limit on its length. In such cases, passwords constructed on the basis of the ideas discussed so far would be rather weak, and a different approach is required.

An effective solution in this case is to construct a password consisting of completely random characters. One way to do this would be to use the RISC OS program !PassWd by Paul Vigay.

In its default configuration, !PassWd enables the user to create random 8-character passwords consisting of alphabetic characters, which may appear in either upper or lower case, as well as the numerals 0 to 9. A typical password of this type is 'w4JBM6mb'.

However, the program allows the user to configure many different options, such as the length of the password, whether other special characters like '$' or '!' are allowed, whether both upper and lower case letters are to be used, and so on. In this way, the user can generate strong passwords with the maximum security allowed by a particular website.
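The two approaches described above (random words in the diceware style, and random characters for length-limited website passwords) can be compared with the following Python example. It is an added illustration, not part of the original article and not code from !RNDpass or !PassWd. The function names, the 7776-word list size (that of the standard Diceware list, since the size of the !RNDpass dictionary is not given here) and the 128-bit target key strength are assumptions.

```python
import math
import secrets
import string

# Assumption: 7776 is the size of the standard Diceware list; the article
# does not state how many words the !RNDpass dictionary holds.
ASSUMED_WORDLIST_SIZE = 7776

# Constructed sample list for the demo only; far too small for real use.
SAMPLE_WORDS = ["acorn", "basil", "cedar", "delta", "ember", "fjord",
                "gecko", "heron", "ivory", "jolly", "kayak", "lemon"]


def entropy_bits(choices, length):
    """Entropy in bits of `length` units, each drawn uniformly from `choices`."""
    return length * math.log2(choices)


def units_needed(target_bits, choices):
    """Fewest random units (characters or words) that reach `target_bits`."""
    return math.ceil(target_bits / math.log2(choices))


def random_password(length=8, symbols=""):
    """Random letters (both cases) and digits, plus any allowed symbols."""
    alphabet = string.ascii_letters + string.digits + symbols
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(wordlist, count=8):
    """Diceware-style phrase: every word picked independently by a CSPRNG."""
    return " ".join(secrets.choice(wordlist) for _ in range(count))


if __name__ == "__main__":
    print("password  :", random_password(), f"{entropy_bits(62, 8):.1f} bits")
    print("passphrase:", random_passphrase(SAMPLE_WORDS),
          f"{entropy_bits(ASSUMED_WORDLIST_SIZE, 8):.1f} bits with a full list")
    # Units needed to match an assumed 128-bit cipher key.
    print("128 bits needs", units_needed(128, 62), "characters or",
          units_needed(128, ASSUMED_WORDLIST_SIZE), "words")
```

An 8-character password drawn from 62 characters carries about 47.6 bits, while 8 words from a 7776-word list carry about 103.4 bits. These figures hold only when every character or word is chosen at random, not by the user.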

Now let's return to passphrases consisting of many 'words', which are more appropriate for most encryption programs.

Distorting a 'simple' passphrase to make it stronger

• First of all, you may start with either a set of random words like those generated by !RNDpass (more secure, but harder to remember) or a meaningful sequence of words (less secure, but easier to remember). If you choose the latter approach, do not use any famous quotations, proverbs or sayings. All these exist in dictionaries, including some in electronic form, which can be used for cracking purposes. One possibility would be to select a phrase from a book at random, preferably avoiding any complete sentence. Try to avoid phrases with a conventional, predictable grammatical structure. If necessary, replace some words with silly, unexpected words.

• When 'distorting' a simple passphrase, it is best not to rely on dictionary words alone, in order to foil any possible dictionary attack.

• Most encryption programs allow you to use non-alphabetic characters, such as numbers or any other symbols on your keyboard. These can be inserted in unexpected places. For example, you can change the word 'computer' to 'c0mputer', '98%computer', or 'comput#'. The use of additional characters can increase the number of possible passphrases enormously, without making them much harder to remember. It is best to put them in unexpected places, because an attacker may guess a common trick such as replacing 'o' by '0'.

• Passphrases in many encryption programs, including PGP and GnuPG, are case-sensitive. This means that it is a good idea to mix upper and lower case. For example, 'computer', 'comPUTer' and 'COMPUTER' would all be treated as distinct.

• If you know any words from foreign languages, you can include some in your passphrase.

• You can invent your own nonsense words, like the famous word 'jabberwocky' coined by Lewis Carroll.

• You can create completely meaningless 'words' consisting of apparently 'random' characters, but which are easy to remember. For example, 'ilro' might stand for 'I love RISC OS'.

• Bear in mind that you can use any printable ASCII characters, not just the ones that appear on the keyboard. For example, the copyright symbol © can be obtained in RISC OS computers by holding down the ALT key, typing 169 on the numeric keypad, and then releasing the ALT key. Details of how to get all such characters can be found in your computer's User Guide.

• You can disguise dictionary words by using strange and unexpected spellings. For example, the word 'computer' can be changed to 'komputta'.

• Dictionary words can also be hidden by using extra spaces, or omitting spaces, as in 'com puter' or 'Acorncomputer'.

• The techniques suggested above become even more effective when used in combination. An example might be the 'word' 'MY2c0mputas@home'.

How to remember your passphrases?

Most security experts agree that it is not a good idea to use the same passphrase for every purpose. If any one of them is somehow compromised, it could enable someone to get into all your secure accounts or programs. It can be risky to put all your eggs in one basket!

This raises the question of how to remember all your passwords or passphrases. You may have dozens or even hundreds of them, especially if you have accounts on many websites.

One solution is to keep all your passphrases in a single file, which is itself kept encrypted with a single strong master passphrase. A number of good encryption programs are available from this website, and any of these can be used to encrypt your list of passphrases.

A final word of advice: Whatever you do, don't ever write down your passphrases or store them in any plain text file. If you do, it's asking for trouble. Your passphrases should exist only in your head, or only in encrypted form!
