Passphrase Creation
Safer Passphrases
A passphrase is a collection of words and characters that you type into your computer to encode or decode something. It is a key you must produce to open a lock on your computer. We use passphrases to keep out anyone who should not have access to your computer, your email or your files.
We say “passphrase” rather than “password” to stress that no one should ever use a single word. Anyone trying to guess your passphrase can simply run a program that tries every word in a dictionary until it finds the correct one. People trying to break into systems by guessing passphrases use other standard techniques as well, so it is important to choose passphrases that cannot be guessed.
Choosing a Good Passphrase
Simply, a good passphrase is one you can remember but no one else can guess. There are a few basic principles in choosing a good passphrase.
How NOT to choose a passphrase
• Passphrases must be more than a single word in any language.
• Passphrases should never contain names of family members, friends, pets, towns, cities or countries that are in any way associated with you, no matter how remotely.
• Passphrases should not contain dates of anything significant to you.
• Passphrases should not contain made-up words from movies or books that you know.
• Do not use a well-known phrase or the first letter of each word of a well-known phrase.
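An added example, not part of the original guide, that turns the list above into a checker: the single-word rule and the date rule are applied directly, while the personal terms (names, pets, places) and well-known phrases it looks for are supplied by the caller, since only you know what is associated with you. The sample values in the comments are constructed.

```python
import re

# Dates in the forms the guide warns about: a four-digit year, or day/month(/year).
DATE_PATTERNS = (
    r"(?<!\d)(19|20)\d{2}(?!\d)",                         # 1987, 2024
    r"(?<!\d)\d{1,2}[/.-]\d{1,2}([/.-]\d{2,4})?(?!\d)",   # 14/02, 14-02-87, 14.02.1987
)


def first_letters(phrase):
    """Acronym of a phrase: 'To be or not to be' -> 'tbontb'."""
    return "".join(w[0] for w in re.findall(r"[a-z]+", phrase.lower()))


def passphrase_problems(passphrase, personal_terms=(), well_known_phrases=()):
    """Return the rules from the list above that `passphrase` breaks (empty = none found).

    personal_terms: names, pets, towns etc. associated with you (e.g. ["Fluffy", "London"]).
    well_known_phrases: quotations and sayings to reject, whole or as their first letters.
    """
    problems = []
    lowered = passphrase.lower()
    words = re.findall(r"[a-z]+", lowered)
    if len(words) < 2:
        problems.append("only a single word")
    for term in personal_terms:
        if term.lower() in lowered:
            problems.append(f"contains the personal term {term!r}")
    if any(re.search(p, passphrase) for p in DATE_PATTERNS):
        problems.append("contains a date")
    letters = "".join(words)  # passphrase with digits and symbols stripped
    for phrase in well_known_phrases:
        whole = re.sub(r"[^a-z]", "", phrase.lower())
        acronym = first_letters(phrase)
        if whole and whole in letters:
            problems.append(f"contains the well-known phrase {phrase!r}")
        elif len(acronym) >= 4 and acronym in letters:
            problems.append(f"is the first letters of {phrase!r}")
    return problems
```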
There are many methods, but in general your passphrase should have nothing to do with you and should be as random as possible. It should contain a mixture of uppercase and lowercase letters and combine letters, numbers and symbols. Here are some methods for creating a safe passphrase:
• Use a random generator such as Diceware (found at www.diceware.com) that allows you to create your passphrase from words associated with random throws of the dice. Another method is to randomly open the dictionary and use the first word your finger points to, making sure you use at least six random words. This method can be made even safer if you use a foreign dictionary, and separate each word with a number or a symbol such as a punctuation mark.
• Use shapes on your computer keyboard, so that your fingers become accustomed to creating the passphrase even though you could not recite the combination. It is important to ensure the passphrase is composed of more than a single shape, and that the shape is not obvious – such as a circle around the entire keyboard.
• You can use a sentence randomly chosen from a book that you have not read, and then translated into another language, and then inverted, with symbols inserted between the words.
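The Diceware method from the first bullet, as an added example that is not part of the original guide or of Diceware itself: dice are rolled with the operating system's secure random source, each roll is read as a base-6 number that indexes a wordlist, the six words are joined with random symbols, and the guessing work in bits is computed. The 36-word list indexed by two dice is a constructed stand-in (the real list has 7776 words indexed by five dice), and the separator pool is an assumption.

```python
import math
import secrets

# Constructed stand-in for a Diceware wordlist: 36 words indexed by two dice.
# The real list at www.diceware.com has 6**5 = 7776 words indexed by five dice.
TOY_WORDS = [
    "acorn", "badge", "cabin", "daisy", "eagle", "fable", "gavel", "harp", "igloo",
    "jelly", "kayak", "lemon", "mango", "noble", "olive", "pearl", "quilt", "raven",
    "sable", "tulip", "umbra", "vivid", "wafer", "xenon", "yacht", "zebra", "amber",
    "basil", "cider", "delta", "ember", "flint", "ginger", "hazel", "ivory", "juniper",
]
SEPARATORS = "!#%&*+-/:;=?@_"  # assumed pool of symbols placed between words


def roll_dice(count, rng=secrets.randbelow):
    """Roll `count` dice with a CSPRNG; returns the faces as a string such as '31526'."""
    return "".join(str(rng(6) + 1) for _ in range(count))


def roll_to_index(roll):
    """Read dice faces (1-6) as a base-6 number: '11111' -> 0, '66666' -> 7775."""
    index = 0
    for face in roll:
        if face not in "123456":
            raise ValueError(f"not a dice face: {face!r}")
        index = index * 6 + (int(face) - 1)
    return index


def generate_passphrase(wordlist, n_words=6, rng=secrets.randbelow):
    """Pick n_words by dice roll and join them with randomly chosen separators."""
    dice_per_word = round(math.log(len(wordlist), 6))
    if 6 ** dice_per_word != len(wordlist):
        raise ValueError("wordlist size must be a power of 6 so every roll maps to a word")
    words = [wordlist[roll_to_index(roll_dice(dice_per_word, rng))] for _ in range(n_words)]
    parts = [words[0]]
    for word in words[1:]:  # one random separator before each further word
        parts.append(SEPARATORS[rng(len(SEPARATORS))] + word)
    return "".join(parts)


def entropy_bits(wordlist_size, n_words, separator_choices=len(SEPARATORS)):
    """Guessing work in bits: log2(list size) per word plus log2(choices) per separator."""
    return n_words * math.log2(wordlist_size) + (n_words - 1) * math.log2(separator_choices)


if __name__ == "__main__":
    print(generate_passphrase(TOY_WORDS))
    print(f"six real Diceware words, no separators: {entropy_bits(7776, 6, 1):.1f} bits")
```

Six words from the real 7776-word list give about 77.5 bits even before separators are counted, which is why the guide asks for at least six.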
Other tips
• Choose a passphrase when you are alone and you have secured your environment against spying eyes.
• If you need to write down your passphrase, write it only on a single sheet of paper resting on a hard surface. Do not write it on a pad of paper, where the pen leaves an impression on the sheets beneath.
Where can you store your passphrase?
The safest policy is to NOT store your passphrase anywhere except in your memory. The danger, of course, is that you might forget your passphrase. If you forget your passphrase for PGP or Hushmail, you will never again be able to access your mail.
If you must store your passphrase somewhere, do so as safely as possible. Store it in a safe, buried near a specific tree, or in another highly secure place. Whatever you do, DO NOT store your passphrase on your person or near your computer.
Should you share your passphrase with anyone?
There are positive and negative consequences of sharing your passphrase. On the positive side, if anything happens to you, or if you forget your passphrase, someone else can access your protected information so it will not be lost. On the negative side, you run the risk that the person with whom you shared your passphrase might be insecure – either because he or she is lazy about safety or because he or she is working against your organization.
For every organization, this should be determined in advance depending on the needs of the group.
Never share a passphrase with anyone you do not trust, and be especially careful if you choose to share it with someone outside your organization. Some organizations hire a third-party technical expert and give him or her all passphrases or a master key because they believe it is necessary for management purposes. This is a serious mistake. Never allow any untrusted outside party to have control over any of your information.
How often should you change your passphrase?
This depends on your ability to remember a new passphrase, how sensitive the information being protected is, how good the passphrase is, and whether or not you have shared your passphrase with anyone.
In general, every passphrase should be changed at least annually. However, if you have shared your passphrase with someone who leaves your organization or whom you suddenly do not trust, change it immediately.
Can you use the same passphrase for everything?
NO. Commercial online services (such as AOL, Yahoo! or MSN) have access to the passphrase you use on their service, as do many of the online services you might sign up to receive. Your PGP and other encryption passphrases MUST be different from these. If you want to use the same passphrase for all your insecure activities, such as signing up to the New York Times online service or getting a Hotmail account, feel free to do so, but understand that nothing you say or receive using these services may be protected.