password vs passphrase

Archived from groups: microsoft.public.win2000.security (More info?)

Option 1: passphrase -> 15 or more character phrase
Option 2: password -> 12 to 14 characters (upper & lower
case, numbers and symbols)

Which is more secure? Which is hard to hack?
5 answers
  1.

    Mark Minasi had an interesting take on this at the Security Roadshow this
    spring. I'll do my best to paraphrase: (Forgive me if I miss a niggling
    detail or three - I think the full slide deck is up on www.minasi.com.)

    A 15+ character passphrase has some good things going for it. Even if an
    attacker's machine could attempt thousands of passwords every minute, it
    would take something like 600 NONILLION years to cycle through all possible
    15-letter passphrase combinations, even if the letters are all in
    lower-case. Which gives you a legitimate possibility of eliminating account
    lockout policies that 90% of the time serve no other purpose than to annoy
    your users. :-)

    It's also easier for your users to remember a long PHRASE than somehow
    expecting them to come up with an 11-letter WORD and intersperse it with % ^
    @ $ ! characters or whatever. Compare the following:

    Password: Ant!d!se$s+abli$hm3n+ar!an!$m.

    Passphrase: igreatlyenjoyrivetswithmymorningpancakes

    Which one is better? A user is going to have to THINK about typing in the
    former. Probably every single time they have to do it. Which will lead to
    mis-typing and account lockouts and other annoyances. Whereas the latter is
    really easy to remember, since it's -English.-

    The drawback to a passphrase is that some down-level systems won't support
    them - they're stuck in the LM-Hash compatibility world and can't handle
    anything longer than 14 characters. So it's something that you need to test
    before you mandate it across the board.

    --
    ******************************
    Laura E. Hunter - MCSE, MCT, MVP
    Replies to newsgroup only


    "Susan" <anonymous@discussions.microsoft.com> wrote in message
    news:287be01c464f8$cc3021f0$a601280a@phx.gbl...
    > Option 1: passphrase -> 15 or more character phrase
    > Option 2: password -> 12 to 14 characters (upper & lower
    > case, numbers and symbols)
    >
    > Which is more secure? Which is hard to hack?
  2.

    Anything larger than 15 characters SHOULD be harder to hack. However if someone
    used a bad password/phrase with all dictionary words, they may successfully
    reduce the security of their password/phrase.

    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    www.joeware.net


    Susan wrote:
    > Option 1: passphrase -> 15 or more character phrase
    > Option 2: password -> 12 to 14 characters (upper & lower
    > case, numbers and symbols)
    >
    > Which is more secure? Which is hard to hack?
  3.

    "Laura E. Hunter \(MVP\)" <hunter(nospamplease)@sfs.upenn.edu> wrote in message news:<eWUhZwPZEHA.1248@TK2MSFTNGP11.phx.gbl>...
    > Mark Minasi had an interesting take on this at the Security Roadshow this
    > spring. I'll do my best to paraphrase: (Forgive me if I miss a niggling
    > detail or three - I think the full slide deck is up on www.minasi.com.)
    >
    > A 15+ character passphrase has some good things going for it. Even if an
    > attacker's machine could attempt thousands of passwords every minute, it
    > would take something like 600 NONILLION years to cycle through all possible
    > 15-letter passphrase combinations, even if the letters are all in
    > lower-case. Which gives you a legitimate possibility of eliminating account
    > lockout policies that 90% of the time serve no other purpose than to annoy
    > your users. :-)
    >
    > It's also easier for your users to remember a long PHRASE than somehow
    > expecting them to come up with an 11-letter WORD and intersperse it with % ^
    > @ $ ! characters or whatever. Compare the following:
    >
    > Password: Ant!d!se$s+abli$hm3n+ar!an!$m.
    >
    > Passphrase: igreatlyenjoyrivetswithmymorningpancakes
    >
    > Which one is better? A user is going to have to THINK about typing in the
    > former. Probably every single time they have to do it. Which will lead to
    > mis-typing and account lockouts and other annoyances. Whereas the latter is
    > really easy to remember, since it's -English.-
    >
    > The drawback to a passphrase is that some down-level systems won't support
    > them - they're stuck in the LM-Hash compatibility world and can't handle
    > anything longer than 14 characters. So it's something that you need to test
    > before you mandate it across the board.
    >
    > --
    > ******************************
    > Laura E. Hunter - MCSE, MCT, MVP
    > Replies to newsgroup only
    >
    >
    > "Susan" <anonymous@discussions.microsoft.com> wrote in message
    > news:287be01c464f8$cc3021f0$a601280a@phx.gbl...
    > > Option 1: passphrase -> 15 or more character phrase
    > > Option 2: password -> 12 to 14 characters (upper & lower
    > > case, numbers and symbols)
    > >
    > > Which is more secure? Which is hard to hack?

    Oh give it up, spend a couple hundred bucks for a smart card system
    and forget about it. LOTS OF LAUGHTER>:)
  4.

    While it is good to use complex passwords and either of those could be considered
    secure, particularly if storing of LM hashes can be disabled, keep in mind that many
    attacks involve "resetting" the built-in admin password to a computer, which requires
    physical access to it and can be done in less than five minutes if the user has
    needed access. So use password complexity and an account lockout policy with a
    threshold of no less than ten attempts [to deter brute force attacks AND notify you
    of] along with good physical security of sensitive computers. --- Steve


    "Susan" <anonymous@discussions.microsoft.com> wrote in message
    news:287be01c464f8$cc3021f0$a601280a@phx.gbl...
    > Option 1: passphrase -> 15 or more character phrase
    > Option 2: password -> 12 to 14 characters (upper & lower
    > case, numbers and symbols)
    >
    > Which is more secure? Which is hard to hack?
  5.

    Hi,

    it still depends on what the password is and what the pass phrase is...

    e.g. my password could be "P@assw0rd1234", would you consider this secure
    password? It has upper and lower chars and it has numbers in it...

    again you could have "pass phrase" "aaa bbb ccc ddd eee etc"

    The other down side is, they are stored as LM Hash (by default for any
    password shorter than 14 characters) and as such vulnerable to cracking
    using tools such as @Stake, etc....

    Personally, I use pass phrases... They are harder to attack with dictionaries
    and they are not stored as LM Hash (longer than 15 characters)

    Mike

    "Susan" <anonymous@discussions.microsoft.com> wrote in message
    news:287be01c464f8$cc3021f0$a601280a@phx.gbl...
    > Option 1: passphrase -> 15 or more character phrase
    > Option 2: password -> 12 to 14 characters (upper & lower
    > case, numbers and symbols)
    >
    > Which is more secure? Which is hard to hack?
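The two technical points raised in this thread, the exhaustive-search argument for a 15+ character passphrase (reply 1) and the LM hash limit of 14 characters with its two independent 7-character halves (reply 5), can be put into numbers. The script below is an added example written for this archive page; it is not code from any of the posters. The character-class sizes, the 2,000 guesses per minute rate (chosen to sit in the "thousands every minute" range mentioned above) and the 20,000-word dictionary size are constructed assumptions, and the sample strings are the ones that appear in the thread.

```python
import math

# Constructed assumptions for this example (not figures from the thread).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
FULL_SET = LOWER + UPPER + DIGITS + SYMBOLS   # 95 printable ASCII characters
LM_SET = UPPER + DIGITS + SYMBOLS             # 69: LM uppercases the password first
GUESSES_PER_MINUTE = 2_000                    # assumed online guessing rate
MINUTES_PER_YEAR = 60 * 24 * 365
DICTIONARY_WORDS = 20_000                     # assumed attacker wordlist size


def keyspace(alphabet_size, length):
    """Distinct strings of exactly `length` characters over an alphabet."""
    return alphabet_size ** length


def years_to_exhaust(space, guesses_per_minute=GUESSES_PER_MINUTE):
    """Years needed to try every candidate in `space` at the given rate."""
    return space / (guesses_per_minute * MINUTES_PER_YEAR)


def has_lm_hash(password):
    """Windows (with LM storage left on) keeps an LM hash only for passwords of
    14 characters or fewer; 15 and longer are stored as an NT hash only."""
    return len(password) <= 14


def lm_effective_keyspace(length):
    """Candidates an attacker must try against an LM hash.

    LM splits the uppercased password into two 7-character halves and hashes
    each independently, so the halves are searched separately and the work
    adds instead of multiplying. Returns 0 when no LM hash exists at all.
    """
    if length > 14:
        return 0
    first, second = min(length, 7), max(length - 7, 0)
    work = keyspace(LM_SET, first)
    if second:
        work += keyspace(LM_SET, second)
    return work


def wordlist_keyspace(word_count, dictionary_size=DICTIONARY_WORDS):
    """Search space when the attacker guesses whole dictionary words rather
    than letters (the caveat in reply 2 about all-dictionary-word phrases)."""
    return dictionary_size ** word_count


def compare_options():
    """Summarise the two options from the original question."""
    phrase = "igreatlyenjoyrivetswithmymorningpancakes"   # from reply 1
    pw = "P@assw0rd1234"                                  # from reply 5
    return {
        "opt1_15_lower_keyspace": keyspace(LOWER, 15),
        "opt1_years_at_rate": years_to_exhaust(keyspace(LOWER, 15)),
        "opt2_14_full_keyspace": keyspace(FULL_SET, 14),
        "opt2_14_lm_work": lm_effective_keyspace(14),   # what LM leaks it down to
        "phrase_has_lm_hash": has_lm_hash(phrase),
        "password_has_lm_hash": has_lm_hash(pw),
        # the example phrase is 8 dictionary words
        "phrase_as_words_keyspace": wordlist_keyspace(8),
    }


if __name__ == "__main__":
    for name, value in compare_options().items():
        print(f"{name:28} {value:.3e}" if isinstance(value, (int, float))
              and not isinstance(value, bool) else f"{name:28} {value}")
```

Two things the numbers make visible: a 14-character password that is stored with an LM hash is attacked as two 7-character, case-insensitive halves, so the work drops from 95^14 to roughly 2 x 69^7, which is why reply 5 favours 15+ characters (no LM hash at all); and a phrase built from common words should be sized by the dictionary space (words^count), not by the letter space, which is reply 2's caveat.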