7

Well, according to Wikipedia, this is a passphrase;

A passphrase is a sequence of words or other text used to control access to a computer system, program or data. A passphrase is similar to a password in usage, but is generally longer for added security (....).

So I could say, the following is a passphrase (example only);

PerhapsThisIsAPassphraseButMaybeNotWellsee.

If I generate a password(?) with gpg;

$ gpg --gen-random -a 0 17
  fmmyY/aEufDdmvBlwTw6tPU=

Is this considered a passphrase too? Which one is more secure nowadays? When should I use one over the other? Would the generated gpg password be more secure than the passphrase I quoted? If so, why?

For example, PGP asks for a passphrase (for the master key), which one would I choose? The first option? Or the second?

seds
  • 273
  • 1
  • 3
  • 8

4 Answers4

8

A "passphrase" is just a password; the different term is merely a way to suggest that a password does not necessarily consist in a single word as linguists know them.

A password (or passphrase) is exactly as secure as it is random. The oft-cited jargon in that case is entropy. Using many words (a "phrase") is a possible way to inject a lot of randomness, at the expense of having more characters to type when the password must be entered. Note that randomness and length are not the same thing; a longer password is not necessarily more random. See this question, in particular that answer, for some discussion on these notions.

Thomas Pornin
  • 322,884
  • 58
  • 787
  • 955
4

Passwords and passphrases are terms for the same thing, which is a user supplied secret key.

The modern terms themselves originate from when there were substantial limits on the key material, and needed to be short, hence the "password" would likely be a user memorized word, usually 8 characters or less, and later systems and algorithms increased the character limit. This was because system resources were limited, 16384 bytes of ROM for example was the entire storage capacity of the Apple IIe without a floppy drive. 8 characters (6-bits) could be used as a DES key, and thus was the limit of algorithms like crypt, which truncated any additional characters beyond 8.

The passphrase became a more common term as systems evolved to allow more input characters, such as those based on hash functions with variable length input, and more letters in the form of more words are generally easier to remember than a longer word.

With your examples most would consider the first a passphrase, and the second a password, since it is not a group of words, but rather a text-printable encoded random string. The second is probably more secure, despite being shorter, due to modern password cracking algorithms that can plow through groups of words efficiently.

Richie Frame
  • 565
  • 2
  • 6
  • 128 bit of security? You must think of a pretty strong pass phrase to beat that, and the passphrase displayed above it is certainly not it. I guess you should call it a secret *value* instead of a secret *key*. – Maarten Bodewes Sep 19 '15 at 02:20
2

Passwords and pass-phrases do the same job. They are both intended to be memorized by humans and provided to security software/hardware in order to gain access to some facility, system or information.

Passwords are typically built from a small subset of printable characters.

Pass-phrases are typically built from dictionary words. They are longer in terms of characters but often shorter in terms of number of selectable components used. The pool of available words (at least tens of thousands) is larger than the pool of available characters (hundreds). They have the advantage of being easier to remember than a password of equivalent strength.

Measuring the entropy is an essential part of comparing the effectiveness against brute-force attacks.

See https://xkcd.com/936/

RedGrittyBrick
  • 1,355
  • 8
  • 14
  • In practice, passphrases don't seem to help as much as XKCD would have you believe: [dl.acm.org/citation.cfm?id=2335356.2335366](http://dl.acm.org/citation.cfm?id=2335356.2335366) – WBT Nov 02 '15 at 04:21
1

Take this entity: "}[w)\#+aXkB2]Y" - is it a password, a passphrase, or something else? It is an automatically generated account "pass***", generated by an Identity Management tool of the "Cyber Vault" type.

This particular account protection mechanism simply wakes up every morning, interrogates the AD for systems that were registered in the past 24 hours, forces their local "Administrator" account name to change to something more cryptic, and forces specific complexity level on them. Do you think that such an automated process cares how a human entity defines it as password or passphrase? It does not have to.

After all, this "entity" can be so ugly (just look at it), but this look is actually so beautiful to my eyes - keep in mind that this work scenario applies to over 5,000 servers and (close to) 50,000 workstations, all of them having similar "pass***", and all of them being unique.

Jaro
  • 11
  • 4