How is a passphrase better than a password?

3 minute read

Security at the expense of usability comes at the expense of security.1

This week, Facebook CEO Mark Zuckerberg had his Twitter and Pinterest accounts hacked. The conventional wisdom is that this stems from a 2012 LinkedIn breach where approximately 6.5 million passwords were stolen2.

Although in this case, a weak password wasn't necessarily the cause of the incident, it illustrates that the current state of application security is extremely vulnerable.

There are promising advances being made by companies such as Yubikey. However, there is a really easy way to improve your own password security: Use a unique passphrase for each one of your accounts instead.

What is a passphrase?

A passphrase is a sequence of words, including punctuation or special characters as necessary. You could use this sentence as your passphrase. However, you're better off crafting your own unique passphrases that you will remember easily.

How is a passphrase better?

Password Entropy3 is a measurement of how hard it is to guess your password. If your password consists of one common word, a symbol, and a number, you're on the order of 14 bits of entropy. Let's say you're much smarter than that (which you are) and you've decided to use some common sub5titutonS, a special character, and a number... You've got yourself up to ~28 bits of entropy.

Your 28 bits of entropy will take 228 attempts to crack. That means 268,435,456 attempts, at most. Assuming 1000 tries per second, I'll crack your password in a little more than 3 days.

This is where our human brains fail us, because we're not very good exponential thinkers. What happens if we add some more words?

Simply selecting 4 common words, such as "correct horse battery staple" gets us to 44 bits of entropy, which will take approximately 557 years to crack.

A passphrase can be even longer than 4 common words: "the swallow flies from the barn at half past midnight". We would now need to brute-force a combination of 10 common words, making this passphrase on the order of 110 bits of entropy. Given 1000 tries per second it will take 9.5 trillion x 4.3 billion years to crack.

That's probably overkill.

The xkcd Passphrase Generator

Most of the geeks in the audience will recognize I've merely explained some of the math behind xkcd#9364.

I googled around for the best way to generate such a passphrase, and although there are several such generators around, my favorite is by OptionFactory. Use the xkcd correct horse battery staple password generator.

I use the OptionFactory tool to get inspiration and usually change tenses of words or make other adjustments to their recommendations in order to make the phrase more mnemonic.

Happy trails! And change your passwords.

\/\/


Notes

1 AviD's Rule of Usability

2 More on the 2012 LinkedIn Hack. If you are still using your LinkedIn password from 2012 on other sites, there is a serious chance that you could be exposed and should change your password... to a passphrase... with due haste.

3 Entropy as a measurement of password strength. If you really want to geek out you can dive much deeper into the Information Theory of Entropy

4 This excellent stack exchange post takes a deep dive into the math behind entropy, specifically related to xkcd#936

Nothing in Nepal is Up To Code

Or, how the United States are Nerfed™

Here is a shot of the roof of our hotel where we lived from March-May, 2016.

Roof of Hotel Yeti in Manang, Nepal

You'll notice on the edge of the roof there are no guard rails to protect the surplus population from a tumble down three stories. The black hoses running this way and that -- what may appear to the naked eye to be trip wires -- are in fact the convoluted hosing required for a solar shower to work properly. The large water tanks interspersed on the rooftop and solar panels are of similar purpose.

Snowy Steps on the roof of Hotel Yeti in Manang, Nepal

This snowy staircase is poised on top of a sloped metal roof with a three story drop on the one side. On the other side, (just barely visible to the right) you'll notice a one-step staircase down from the blue metal roof to the relative safety of the concrete roof. But don't let that fool you, the one step in between roofs is scheduled at a 25° angle and covered in snow. It goes without saying that a walk way such as this should not have any means to prevent a mis-step.

Of course it's worth navigating all this extravagant danger before your first cup of coffee in the morning to capture the morning light from our vantage point atop the fabulous Hotel Yeti in Manang, Nepal.

Sunrise over Hotel Yeti in Manang, Nepal

Chongkor View Point in Manang, Nepal shot from roof of Hotel Yeti

Resuming Operations May 10, 2016

FOR IMMEDIATE RELEASE
Kathmandu, Nepal

US Presidential Race "Interesting Enough" to Return from Nepal Early

After 10 weeks of travels in Nepal with little-to-no internet connection and a considerable helping of fear & loathing, Donald Trump has won the Republican race for President.
I've taken this development as a sign that it is time to come down from the mountain. We already had the best half of the Clinton administration... there is no need to go back there, again.


Manang, Nepal, Gangapurna Lake, & Annapurna IIIManang, Nepal, Gangapurna Lake, & Annapurna III


Global Search Begins

Today we embark on a global search to identify the next generation of transformative commercial products or services.

We will use the power of experimentation to create, test, and validate new products and services at a pace paralleled by the startup industry -- and we're thrilled to begin taking pre-orders this month!

This global challenge has already begun in Kathmandu and will continue to move west over the next several days. To submit your idea for a new product or service, click here.

While our challenge is more conceptual at this stage, there are no specific themes or industry segments constraining us. However, we have already developed IP in the following segments: niche real estate, co-working, retail/ecommerce, technical recruiting, boutique adventure racing, and voluntourism.


I am returning to the United States. You can expect to receive regular correspondence from me beginning May 10.

Grinch Smile

¯\_(ツ)_/¯ There is No Internet in Manang, Nepal

This is part of a five-part series from my experience in Nepal this past spring.

Update: Internet service was restored in Manang on April 15, 2016

It's been a solid week without any internet. I sent an outgoing text message or two over the weekend from my $24 Nepali burner phone, but that was before I realized that this phone does not receive international text messages.

The hotel owner just came over to me as I'm writing this, put his hand over my shoulder and read everything that I was writing.

Today is Cheese Breakfast day.

cheese breakfast in Manang, Nepal

It's extremely challenging to tell which day of the week it is. We start our regimented routine breakfast plan today, so it might as well be called Cheese Breakfast day on the calendar.

The official word is that the satellite company that was providing internet went bankrupt. It's shocking to me that it is even possible that the sole provider of internet service to a remote area could go bankrupt.

The forthcoming attempt to connect us with the rest of the world will be line-of-sight service straight up the "canyon", but it won't be here for until next month at the earliest -- Although it's hard to say because information is hard to come by. It's not like you can check the internet to see what the status of the internet getting connected. What I have learned is that the line-of-sight service will be connected to the internet via DSL 🎉

Going out of the country? Get your device unlocked!

Apparently the only way to send or receive email here is via cell service (2G). It turns out I blundered when I assumed that because I own my device outright, that it was unlocked by the carrier automatically. This is not true. Even though the carrier has no claim to your hardware, you still need to get them to give you the unlock pin code in order to use your normal device internationally. Double blunder: Apparently you can do this over the internet once you've landed in the other country.

view from hotel yeti in manang, nepal

So we just need to climb up there on that mountain, carrying all of the equipment by hand, and install the antenna. If that all happens, there's maybe a chance this blog post gets out this spring. The other option of course is to go adventuring in search of internet down in Chame, 20 miles away and 1000 meters downhill.

Our bikes came in yesterday and it's quickly looking like they are going to be functional additions to our arsenal. It's allegedly a 4.5 hour bike ride from Chame to Manang -- In comparison we made this a two day walk on our way in.

Trek Marlin 7 Bikes in Nepal After wrapping up the breakfast and coffee session, we went to work tuning in bikes, then we were off for our first ride, straight up hill. We're sleeping at 11,560 feet (or so) in Manang. On a three mile ride up, we ascended to 13,000 feet. That took about an hour and a half. We were back in time for lunch after a half hour down hill ride.

Another few meters higher and we would have reached Yak Town.... but it's good not to over do it on the first day. It's also good to ride up hill -- in case of bike failure, the walk back is more enjoyable if it's down hill. We took an appropriate amount of water and food.

"Spring Rolls" for dinner with French Fries! These delicious treats are more or less chow mein wrapped in chapati bread and deep fried. Soon after this we'll shove off with a few shots of Bourbon and meet up with another american who’s in town trekking the Annapurna circuit.

My wooden iPhone is a huge hit with the tourists. There is no internet here in Manang, and even though I'm writing this on an iPad, the people around us are trying to crack the non existent wifi password.

Scheduled Down Time

I will be unavailable via Phone, Text, Email, Slack and Twitter from February 26, 2016 - July 1, 2016.

Thank you for your patience during this scheduled maintenance period.

If you need to reach me, you may send a message via passenger pigeon or other means to the following location:

Themes for 2016 ··· Checklists ··· Articulating Unspoken Assumptions ··· Adventure Boutiquing ··· Transformative Risk Taking ··· International Galaventures ···