I was listening to Leo's Saturday tech guy podcast on TWiT, and he was of the opinion that passphrases were no good because they do not include numbers and have words found in the dictionary.
I think this might be wrong for the following reasons:
1) A passphrase with no spaces (maybe even with spaces?) is still a bunch of letters. It does not seem to me that a dictionary attack would do much good. I am making a possibly bad assumption that password cracking must be an all-or-nothing situation (can you crack them one position at a time like in some movies?)
2) Is the use of numbers a good thing? With only 10 characters, isn't this lower entropy? Same for special characters.
3) NIST has issued new recommendations:
"The most notable form of these is composition rules, which require the user to choose passwords constructed using a mix of character types, such as at least one digit, uppercase letter, and symbol. However, analyses of breached password databases reveal that the benefit of such rules is not nearly as significant as initially thought [Policies], although the impact on usability and memorability is severe."
"Password length has been found to be a primary factor in characterizing password strength [Strength] [Composition]. Passwords that are too short yield to brute force attacks as well as to dictionary attacks using words and commonly chosen passwords."
--------------------------------------------------------------------------------
From the NIST SP 800-63 Digital Identity Guidelines FAQ (pages.nist.gov):
"SP 800-63B Section 5.1.1.2 paragraph 9 recommends against the use of composition rules (e.g., requiring lower-case, upper-case, digits, and/or special characters) for memorized secrets. These rules provide less benefit than might be expected because users tend to use predictable methods for satisfying these requirements when imposed (e.g., appending a ! to a memorized secret when required to use a special character). The frustration they often face may also cause them to focus on minimally satisfying the requirements rather than devising a memorable but complex secret. Instead, a blacklist of common passwords prevents subscribers from choosing very common values that would be particularly vulnerable, especially to an online attack.
Composition rules also inadvertently encourage people to use the same password across multiple systems since they often result in passwords that are difficult for people to memorize."
--------------------------------------------------------------------------
A-B05:
SP 800-63B Section 5.1.1.2 paragraph 9 states:
“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”
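As an added worked example (not part of the original post, and not code from NIST or TWiT), the Python below puts numbers on the entropy argument in the post: a passphrase attacked word-by-word from a word list versus character-by-character, compared with a 10-digit PIN and an 8-character password drawn from all printable ASCII. It also shows the verifier-side check the NIST FAQ recommends, length plus a blocklist with no composition rules. The 7776-word list size (the standard Diceware list), the guess rate and the sample blocklist are assumptions chosen for illustration.

```python
import math

# Alphabet sizes an attacker enumerates per symbol under each model.
LOWER = 26          # a-z
DIGITS = 10         # 0-9
PRINTABLE = 95      # printable ASCII
DICEWARE_WORDS = 7776  # assumed: size of the standard Diceware word list


def bits(alphabet_size, symbols):
    """Entropy in bits of a secret of `symbols` uniform draws from `alphabet_size` choices."""
    return symbols * math.log2(alphabet_size)


def passphrase_bits(words, wordlist_size=DICEWARE_WORDS, separator=""):
    """Entropy of a passphrase under two attacker models.

    word_model: the attacker guesses whole words from the list (a dictionary attack);
    char_model: the attacker brute-forces the letters one character at a time.
    The attacker picks whichever is cheaper, so the effective strength is the minimum.
    """
    phrase = separator.join(words)
    word_model = bits(wordlist_size, len(words))
    alphabet = LOWER + (1 if separator else 0)
    char_model = bits(alphabet, len(phrase))
    return {
        "phrase": phrase,
        "word_model": word_model,
        "char_model": char_model,
        "effective": min(word_model, char_model),
    }


def crack_time_seconds(entropy_bits, guesses_per_second):
    """Expected time for exhaustive search: on average half the keyspace is tried."""
    return 2 ** (entropy_bits - 1) / guesses_per_second


def check_memorized_secret(secret, blocklist, min_len=8):
    """Verifier policy in the style of SP 800-63B: length and blocklist only,
    no composition rules. Returns (accepted, reason)."""
    if len(secret) < min_len:
        return False, "too short"
    if secret.lower() in blocklist:
        return False, "on blocklist"
    return True, "ok"


# Constructed sample blocklist; a real one is built from breached-password corpora.
SAMPLE_BLOCKLIST = {"password", "password1", "password123", "letmein", "qwerty123"}


if __name__ == "__main__":
    rate = 1e9  # assumed offline guess rate, guesses per second
    pp = passphrase_bits(["correct", "horse", "battery", "staple"])
    print(f"{pp['phrase']}: word model {pp['word_model']:.1f} bits, "
          f"char model {pp['char_model']:.1f} bits, effective {pp['effective']:.1f} bits")
    for label, b in [("10-digit PIN", bits(DIGITS, 10)),
                     ("8 printable chars", bits(PRINTABLE, 8)),
                     ("4 Diceware words", pp["effective"])]:
        print(f"{label}: {b:.1f} bits, ~{crack_time_seconds(b, rate):.0f} s at {rate:.0e}/s")
    for candidate in ["password123", "short", "correcthorsebatterystaple"]:
        print(candidate, check_memorized_secret(candidate, SAMPLE_BLOCKLIST))
```

The word model is the one that matters for a passphrase: an attacker who knows the word list does not work letter by letter, so the 25-letter phrase is worth about 52 bits, not 117. Even so, four words already match an 8-character password drawn from every printable character, and each extra word adds roughly 13 bits, which is why the NIST text above treats length rather than character classes as the primary factor.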