Complexity Does Not Mean Security

Recently I caught myself thinking that my secret password book contains over 100 entries. Trying to remember all of them is not an option. Most of them are extremely complex and look like some alien language, containing numbers, lower- and upper-case letters, symbols, etc. This book has become a real troublemaker for me. What will happen if I lose it? That would be a nightmare.

Bank and social media accounts, company computer networks, email, and many more things require high security standards nowadays. New online password attacks are constantly being developed, and attackers are able to crack enormous numbers of passwords in online services. Everyone on the Internet should be protected from such attacks. At the same time, security should not be a burden for the user. This is why passphrases are becoming more popular than passwords. It is difficult for people to remember all the bizarre passwords, which is a significant problem for the convenient use of online services. This is where passphrases come in. They are easy to remember and usually meet all the security requirements. However, the topic is still controversial, and there are many opinions about this idea on the Internet.

Passphrases are much easier to remember than passwords. However, do people really need to remember them? Every Internet user has at least once encountered a situation in which he or she needed to use an automatically generated password like "DJF@4y<~E+8kj`s2" or even more complex. Passphrases avoid this problem. For example, the phrase "Whales_Swimming_In_The_Ocean_Are_1337" is easy to remember, since it makes sense, while passwords like "El3ctr0Bunn9!", which result from complex password requirements, are extremely difficult to remember.

Although complex passwords and passphrases share similar requirements, the way these requirements are fulfilled is not the same. Passwords are usually 8-20 characters long and have to contain uppercase and lowercase letters, special characters, and digits at the same time, which makes them quite difficult both to create and to remember. Passphrases, on the other hand, are often longer than 15 characters, and they naturally contain lowercase and uppercase letters, since one is creating an entire sentence. Passphrases can also easily contain digits, for example a year or a count of something, and special characters, like commas or dashes.

Example password requirements from NexusMods, requiring more than 12 characters, including uppercase and lowercase letters and numbers (screenshot from www.nexusmods.com).

Passphrases are really worth the time needed to create them. Bonneau (2012) reports that mnemonic-phrase passwords are considerably more difficult to guess while still being easily memorable. Coming up with a password that meets all the requirements is significantly faster than creating a passphrase, but a passphrase is much more secure and easier to remember. Passphrases are far more resistant to mutation (rule-based) and brute-force attacks, which become more effective every year.

In summary, passwords are much more complex than passphrases, but they can be really inconvenient to use, while passphrases can be secure as well as easy to remember. However, people can compromise their accounts if they use a famous quote as a passphrase. In the end, it is up to the user whether the service account is easy to crack or not. As for me personally, I opt for passphrases. I'd better learn a couple of Pushkin's poems by heart, which would also broaden my mind along with protecting my profile.
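To make the comparison concrete, here is an added example (not part of the original article) that applies the NexusMods-style rule quoted above to the article's two sample secrets, estimates the attacker's work under a character brute-force model and under the word-by-word guessing model that actually fits passphrases, and flags the famous-quote trap from the conclusion. The vocabulary size, the blocklist and the scoring functions are assumptions of this example, not values from the article.

```python
import math
import re
import string

# Policy from the NexusMods screenshot: more than 12 characters,
# with uppercase, lowercase and digits.
MIN_LENGTH = 13

# Constructed blocklist of well-known quotes (hypothetical sample data;
# a real deployment would load a far larger list).
KNOWN_PHRASES = {"to be or not to be", "may the force be with you"}


def meets_requirements(secret: str) -> bool:
    """Character-class policy that both passwords and passphrases can satisfy."""
    return (len(secret) >= MIN_LENGTH
            and any(c.isupper() for c in secret)
            and any(c.islower() for c in secret)
            and any(c.isdigit() for c in secret))


def charset_size(secret: str) -> int:
    """Alphabet an attacker must search once the classes in use are known."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: c in string.punctuation, len(string.punctuation))]
    return sum(size for test, size in classes if any(test(c) for c in secret))


def brute_force_bits(secret: str) -> float:
    """Work (bits) for a character-by-character brute-force attack."""
    return len(secret) * math.log2(charset_size(secret))


def wordlist_bits(passphrase: str, vocabulary: int = 20000) -> float:
    """Work (bits) when the attacker guesses whole dictionary words plus
    single digits: the realistic model for a passphrase built from words."""
    tokens = re.findall(r"[A-Za-z]+|[0-9]", passphrase)
    words = sum(1 for t in tokens if t.isalpha())
    digits = len(tokens) - words
    return words * math.log2(vocabulary) + digits * math.log2(10)


def is_known_phrase(passphrase: str) -> bool:
    """Flag famous quotes: drop digits and separators, compare case-insensitively."""
    words = " ".join(re.findall(r"[A-Za-z]+", passphrase)).lower()
    return words in KNOWN_PHRASES


if __name__ == "__main__":
    for s in ("El3ctr0Bunn9!", "Whales_Swimming_In_The_Ocean_Are_1337"):
        print(s, meets_requirements(s), round(brute_force_bits(s), 1),
              round(wordlist_bits(s), 1), is_known_phrase(s))
```

Under the word-guessing model the 6-word passphrase still costs the attacker more work than the 13-character password does under pure brute force, while remaining the one a human can actually remember; a quote such as "To_Be_Or_Not_To_Be_1601" passes the character-class policy but is rejected by the blocklist check.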

Written by Nikita (@SkiFast1) Chelnokov