A passphrase is a sequence of words or other text used to control access to a computer system, program or data. A passphrase is similar to a password in usage, but is generally longer for added security. Passphrases are often used to control both access to, and operation of, cryptographic programs and systems. Passphrases are particularly applicable to systems that use the passphrase as an encryption key. The origin of the term is by analogy with password. The modern concept of passphrases is believed to have been invented by Sigmund N. Porter in 1982.
Considering that the entropy of written English is less than 1.1 bits per character , passphrases can be relatively weak. NIST has estimated that the 23 character pass phrase "IamtheCapitanofthePina4" contains a 45 bit-strength. The equation employed here is:
Using this guideline, to achieve the 80-bit strength recommended for high security (non-military) by NIST, a passphrase would need to be 58 characters long, assuming a composition that includes uppercase and alphanumeric.
There is room for debate regarding the applicability of this equation, depending on the number of bits of entropy assigned. For example, five-letter words each contain 2.3 bits of entropy, which would mean only a 35-character passphrase is necessary to achieve 80 bit strength.
If the words or components of a passphrase may be found in a language dictionary—especially one available as electronic input to a software program—the passphrase is rendered more vulnerable to dictionary attack. This is a particular issue if the entire phrase can be found in a book of quotations or phrase compilations. However, the required effort (in time and cost) can be made impracticably high if there are enough words in the passphrase and how randomly they are chosen and ordered in the passphrase. The number of combinations which would have to be tested under sufficient conditions make a dictionary attack so difficult as to be infeasible. These are difficult conditions to meet, and selecting at least one word that cannot be found in any dictionary significantly increases passphrase strength.
For example, the widely used cryptography standard OpenPGP requires that a user make up a passphrase that must be entered whenever encrypting, decrypting, or signing messages. Internet services like CryptoHeaven and Hushmail provide free encrypted e-mail or file sharing services, but the security present depends almost entirely on the quality of the chosen passphrase.
Full article ▸