Think passphrase and not password for secrets

Using a combination of words as a passphrase can increase secret quality. The use of the word password may be the reason we all have subscribed to think of a word when creating secrets. The use of passphrase can help with creating long and complex unforgettable secrets when backed by personal memories, events or associations. Passphrase can be coupled with password managers and password recovery processes to improve secret management maturity.

Many better than one

I wonder about the word "password" and the thought the word invokes. Yes, a word and therefore we think of a "word" for secrets. Depending on how security conscious one is, the quality of the secret will vary in complexity such as length, special characters, numbers etc. Given the ever-increasing use of online accounts, there is a need to create diverse passwords and therefore, effectively and securely manage them.

As a security best practice, it is strongly recommended to not reuse the passwords across different accounts, especially where the account compromise can be impactful to you. Social account federation (e.g. a Google account) can help to reduce the need for separate new accounts and therefore, eliminate the need to create more accounts and passwords. Still, there are use cases where separate accounts and passwords are needed, think financial institutions as an example.

So, why passphrase can have a better security outcome, given secret reuse is still not addressed and reuse is common. If not reuse, there could be a password pattern that allows for derivation of existing passwords including future passwords. Other challenges are password quality in terms of length and complexity. The fundamental difference is the expectation "password" creates and how it influences user behavior. With passphrase, the user would be prompted to think of a phrase, which is a combination of words as opposed to a word. The immediate benefit is the increase in length, which helps to safeguard against brute force attacks.

The randomness in a sentence would be higher when compared to a word and what I mean by that is determining the passphrase requires knowing more than one word. The passphrase can be chosen as an unrelated combination of words and therefore, making it difficult to guess. With a password, it is not the case unless the password is made up of completely random characters that do not constitute to be a meaningful word. And this is possible with the help of password managers, which I have discussed later in the writeup.

The secret length is an important attribute as well, which provides improved protection from brute force attacks. The use of passphrase naturally has a length advantage because of sentence formation. A passphrase as simple as “MyCatsNameIsTiger” has 17 letters in 5 words and a better secret than a password “Tiger”. I agree though, the passphrase despite increased length suffers from predictability for someone using their cat’s name as the secret.

Defining a good passphrase

A good passphrase is an unrelated set of words that are not predictable if the adversary is able to gather information about you and your associations with people, pets, activities, hobbies, locations etc. Think of things that can be discovered about you on social media by anyone or worse in a breach (e.g. the street where you used to live). A few examples are “GlobalLocalNotHere”, “RedLoveWhiteWhy”, “HireCareEatSwim” etc.

Even without any character complexity or use of numbers, credential attacks (e.g. brute force, dictionary) get harder to execute (i.e. computationally expensive) because of multiple words that are unrelated and also because of increased length. Further, it makes it very hard for an adversary to guess the passphrase because of the unrelated combination of words that only make sense to you.

To create such combinations, you can use memories or stories to create an abridged version of select words from a longer sentence that is meaningful to you. At this point, you may be considering but wait, why don’t I use a password manager to generate random passwords. Yes, you should if you are not using one today however you should do a few things in addition to using password managers:

1. Use a good password manager. (More on good password manager below)

2. Increase the password length generated by password manager to 16 or higher. (Remember certain websites may restrict the length and complexity as well)

3. Protect the password manager master secret with a passphrase and not password. Consider increasing complexity through special characters and numbers.

4. Make sure that you can access the passwords stored in the password manager offline. Typically, you would want to keep a copy of the password database file for offline access. The database file should be ideally be protected with an industry standard encryption by the password manager so that your passwords cannot be accessed without the master secret (More on how to manage the master secret below)

5. Configure the use of MFA if supported to access the password manager.

What else to consider?

Does it mean a good passphrase and a good password manager take care of password worries? Yes and no. While, the approach works for people who do not find technology cumbersome or people who do not mind going to the password manager for frequently used or important secrets e.g. bank login, emails. We all know people (at least a few if not more) who prefer to remember secrets and not rely on password managers. Additionally, there are use cases (e.g. primary corporate login credentials) where you may prefer to not rely on password manager for retrieval due to frequent usage.

Further, passphrase can play an important role in password recovery process where the password reset requires answering 3 or more questions. There are 2 problems:

1. The questions are preset that users cannot change

2. The type of questions causes the users to think about responses that an adversary can discover on social media. Some of these examples are street you grew up, your first car, college you attended, place you got married etc.

The response to these questions in addition to being predictable are often going to be a word and likely without any complexity of certain length and special characters because you are not going to think these responses as passwords or secrets. In certain cases, the password recovery process may prove to be easier for an adversary if the adversary has good knowledge about the user.

An additional consideration is to leverage words from a 2nd language in place of English alone if you have the option. You may not necessarily be fluent in another language but if you have enough of a vocabulary to pick words, you can use them with English words. Introducing words from another language can increase diversity and therefore, complexity through increased pool of words.

The use of passphrase provides more benefits when compared to a password even with the use of a password manager. If used correctly, creating passphrase based on sentences that is meaningful may also allow you to remember them without creating critical dependency on your password manager for offline access if there is ever a need.

Determining goodness of a password manager

1. Check developer information of the password manager.

2. Check reviews from independent bodies (e.g. electronic frontier foundation) and third-party audit if available.

3. Make sure that the password manager is actively maintained.

4. Check for password manager support across your platform usage (laptop, tablet, phone)

Managing the master secret for password manager

1. Memorize it well so you do not have to write on a sticky note and leave it on the monitor or under the desk (bad idea!).

2. Create a meaningful passphrase based on a story that you are unlikely to forget and is personal to you (good idea!).

3. If you have a need where another individual (e.g. your spouse, family member) needs to access the password manager, help them remember with a sentence to derive it. As a last resort, write and distribute the passphrase pieces in different places but make sure that it is retrievable for the other person (or store in their password manager if they use it).

4. Whatever you end up doing, make sure that the method works by practicing it a couple of times a year where the other person is able to successfully get to the master secret.

5. You may want to consider changing your master secret to avoid concentration risk as a best practice. By concentration risk, I means that over a period of use of master secret, there is a probability of disclosure. It could be due to shoulder surfing or platform compromise (i.e. your laptop with a keylogger). The probability is hard to determine but with enough time and use, the likelihood even low, has a certain potential for disclosure. As a best practice, you can consider changing master secret when you change your laptop or if you learn of a breach that could have impacted your master secret.

Managing master secret is important because in case of emergency, you want to make sure that secrets are available for use. At the same time, you do not want make access to the master secret easy e.g. sticky note next to the monitor.

Looking ahead

As the support increases for password less options, the need to maintain secrets will change. However, I expect that the provisioning and recovery process for password less mechanisms will continue to requires some form of static secrets (e.g. offline codes) and therefore, secrets management will continue to be relevant but hopefully smaller in numbers.