Passwords vs passphrases, redux

So, Robert Hensing started it off by saying something simple: “you should NOT be using passwords of any kind” on your Windows network. Instead, he recommends that you use passphrases. Good advice… or is it?


Dana Epps then jumped in with a response:

However, by using passPHRASES you break down the password into distinct elements, in this case in the English language we call those WORDS. So the parser breaks down the above passphrase into 14 distinct components which are guessable. (You break out punctuation as its own word here.) Attackers know this. And can use that to their advantage.

He then goes on to advocate making passwords out of passphrases, so that “From the halls of Montezuma / To the shores of Tripoli..” becomes “FthoMttsoT!”, which isn’t a bad password, as long as you can remember to type it properly. Of course, I couldn’t resist adding my $0.02. If you take Dana’s approach and pick something too simple or well-known (like, say, lines from The Marines’ Hymn), you are at least theoretically vulnerable to dictionary attacks that try initialisms of Beatles lyrics, quotes from The Princess Bride, or whatever. One good point that Robert makes is that current cracking tools are compute- and storage-limited, so the math favors the defender. However, cracking tools keep getting better too.
Can you do even better? Sure. Two simple words: shocking nonsense, described in the PGP passphrase FAQ. Simply pick a shocking but nonsensical phrase, just as you might with refrigerator magnets. Something along the lines of “Vixen clowns fart noisily in church” could be a good start. Then apply the same combination and character substitution, so that you end up with “Vcl0wnsfnNc”. Voilà: the benefits of an easy-to-remember phrase that isn’t vulnerable to dictionary attacks.
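To put some numbers behind the argument above, here is an added example (my own code, not from the post or from Robert’s or Dana’s writing) that tokenizes a phrase the way Dana describes, derives a password from it, and estimates the guess space under three attacker models: a brute-force search over the characters of the derived password, a lookup in a corpus of well-known quotes and lyrics, and a search over randomly chosen words. The vocabulary size, quote-corpus size and guessing rate are constructed assumptions, labelled as such in the code, not figures from the post.

```python
import math
import re

# Constructed assumptions (not from the post); adjust to your own threat model.
VOCAB_SIZE = 7_776            # size of a common-word list an attacker would use
QUOTE_CORPUS_SIZE = 1_000_000  # number of well-known quotes/lyric lines an attacker could enumerate
GUESSES_PER_SECOND = 1e9       # offline guessing rate against a fast, unsalted hash

SECONDS_PER_YEAR = 365 * 24 * 3600


def components(phrase: str) -> list[str]:
    """Split a phrase into words and punctuation marks, each punctuation
    mark counting as its own component (the parsing Dana describes)."""
    return re.findall(r"[A-Za-z']+|[^\sA-Za-z']", phrase)


def initialism(phrase: str) -> str:
    """Derive a password by keeping the first letter of each word and every
    punctuation mark verbatim (a generic version of Dana's transform)."""
    return "".join(t[0] if t[0].isalpha() else t for t in components(phrase))


def char_space(password: str) -> int:
    """Alphabet size implied by the character classes present in the password."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33  # printable ASCII punctuation
    return size


def char_bits(password: str) -> float:
    """Entropy if the attacker must brute-force every character position."""
    return len(password) * math.log2(char_space(password))


def random_words_bits(n_words: int, vocab: int = VOCAB_SIZE) -> float:
    """Entropy if each word was drawn independently from a vocabulary
    (the 'shocking nonsense' case)."""
    return n_words * math.log2(vocab)


def known_quote_bits(corpus: int = QUOTE_CORPUS_SIZE) -> float:
    """Entropy if the phrase is one line out of a corpus of famous quotes."""
    return math.log2(corpus)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try every candidate in a space of 2**bits guesses."""
    return 2 ** bits / rate / SECONDS_PER_YEAR


def summarize(phrase: str, derived: str) -> dict:
    """Compare the three attacker models for a phrase and its derived password."""
    words = [t for t in components(phrase) if t[0].isalpha()]
    return {
        "components": len(components(phrase)),
        "char_bits": char_bits(derived),
        "known_quote_bits": known_quote_bits(),
        "random_words_bits": random_words_bits(len(words)),
    }


if __name__ == "__main__":
    # Constructed sample inputs: the two phrases discussed in the post.
    for phrase, derived in [
        ("From the halls of Montezuma / To the shores of Tripoli..", "FthoMttsoT!"),
        ("Vixen clowns fart noisily in church", "Vcl0wnsfnNc"),
    ]:
        s = summarize(phrase, derived)
        print(f"{phrase!r} -> {derived!r} ({s['components']} components)")
        for model in ("char_bits", "known_quote_bits", "random_words_bits"):
            print(f"  {model:18s} {s[model]:6.1f} bits, "
                  f"{years_to_exhaust(s[model]):.2e} years to exhaust")
```

The interesting comparison is the middle row: an 11-character password derived from a famous line looks like 70 bits of character entropy, but if the attacker simply tries initialisms of a million well-known quotes it is closer to 20 bits and falls in a fraction of a second at the assumed rate. A six-word nonsense phrase drawn from a 7,776-word list sits around 77 bits under the word-level model, which is why the random phrase, not the clever transform, is what buys the margin.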


Filed under General Stuff, Musings
