Skip to Content

Information Security Office

Network is experiencing difficulties.

Passphrases Strength

The added strength of a password comes from the length

Assuming that you construct your password entirely of lowercase alpha characters (and the space key), someone trying to crack this password would need to try on the average of 3.18 X 10^45 guesses to brute force a 32-character password. Assuming that an attacker gained access to the hash of the password, it would take a 3GHz Pentium XP machine generating 5,000,000 guesses per second over 2.0 x 10^8 millennia to crack the password.

But wait, lets go further; assuming that an adversary learns that you are using a six-word password and also that they know you are only picking words from a 5000 word vocabulary (the approximate active vocabulary of an average English speaking five-year-old). With that knowledge they could construct a more sophisticated password cracker rather than the traditional character-by-character password crackers of today. Armed with such a password cracker, they would still need to try 7.8 x 10^21 guesses on the average to brute force the password. Using our trusty XP system, that would only take 5.0 x 10^4 millennia; which is still plenty of time !!

Even though a much reduced character set is being used, the added strength comes from the length of the password. In fact, a 6-word password is roughly equivalent to an 11-character traditional password. The password is superior however, because we already know that people aren’t likely to remember an 11-character password. So in effect, you are getting the “strength” of a complex short password in a form that is easier to remember and easier to type.

Related sites on Passphrases

Read more on Passwords are Passe

Wikipedia: Passphrase

The Great Debates: Pass Phrases vs. Passwords. Part 1 of 3

The Great Debates: Pass Phrases vs. Passwords. Part 2 of 3

The Great Debates: Pass Phrases vs. Passwords. Part 3 of 3