Passphrase

A passphrase is a sequence of words or other text used to control access to a computer system, program or data.

Using this guideline, to achieve the 80-bit strength recommended for high security (non-military) by NIST, a passphrase would need to be 58 characters long, assuming a composition that includes uppercase and alphanumeric.

The number of combinations which would have to be tested under sufficient conditions make a dictionary attack so difficult as to be infeasible.

These are difficult conditions to meet, and selecting at least one word that cannot be found in any dictionary significantly increases passphrase strength.

[6] For example, the widely used cryptography standard OpenPGP requires that a user make up a passphrase that must be entered whenever decrypting or signing messages.

Such passwords may be adequate for various applications if frequently changed, chosen using an appropriate policy, not found in dictionaries, sufficiently random, and/or if the system prevents online guessing, etc.

In 2012, two Cambridge University researchers analyzed passphrases from the Amazon PayPhrase system and found that a significant percentage are easy to guess due to common cultural references such as movie names and sports teams, losing much of the potential of using long passwords.

A key derivation function is used, involving many thousands of iterations (salted & hashed), to slow down password cracking attacks.

The PGP Passphrase FAQ[10] suggests a procedure that attempts a better balance between theoretical security and practicality than this example.

Another supplementary approach to frustrating brute-force attacks is to derive the key from the passphrase using a deliberately slow hash function, such as PBKDF2 as described in RFC 2898.

In recent versions of Unix-like operating systems such as Linux, OpenBSD, NetBSD, Solaris and FreeBSD, up to 255-character passphrases can be used.