Re:Oh great (Score 1)
Commonly used passwords are vulnerable to dictionary attacks, that doesn't change when you use passphrases.
Yes, it does, unless you do all the following:
- Pick the words for your pass phrase from a small, well-known dictionary.
- Follow the spacing expected by the attacker.
- Use only the case the attacker expects (all upper, all lower, proper caps, etc).
- Use only letters and spaces...no punctuation or special characters.
- Don't do any substitution of characters (no l33t, etc.).
- Spell every word correctly.
It's easy to create a phrase that is personal to you and won't appear in any Google search. But, even if it does, if you don't just use lowercase letters with the words run together, it will take a long time for the attacker to run through all the permutation tricks on a 40+ character phrase.
And here's a really good one...the part of your post that I quoted would make an excellent pass phrase, since it contains one word that isn't in the *nix words list. Something as simple as making a compound out of "pass phrase" is enough to cause an attacker pain if they use the wrong dictionary. And, when attackers start including every single "word" in their dictionary, it gets even closer to brute force. When you use "Tatooine" and "Mordor" in your pass phrase that doesn't in any other way reference "Star Wars" or LoTR, it's pretty secure: Tucson is hot, but it's no Mordor or Tatooine. Easy to remember, easy to type, but painful to crack.
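The argument above can be turned into a rough strength estimate: an added example (not the commenter's code) that scores a pass phrase against an assumed attacker model, where in-list words cost log2(list size) bits, unlisted words are modelled as letter-by-letter search, and case, l33t and separator departures from the attacker's defaults add rule-cost bits. The word list, list size and rule costs are constructed assumptions, not measurements.

```python
import math
import re

# Constructed stand-in for a system words list (assumption). DICT_SIZE is the
# size the estimate pretends the attacker's list has, not the size of this set.
DICT_SIZE = 100_000
DICTIONARY = {"tucson", "is", "hot", "but", "it's", "no", "or", "pass",
              "phrase", "correct", "horse", "battery", "staple"}
# Assumed attacker rule set: three case patterns per word (lower, Title, UPPER),
# a short list of separator styles, and a cheap l33t-undo rule.
CASE_PATTERNS = 3
SEPARATOR_STYLES = 16
LEET_RULE_BITS = 2.0
LEET_UNDO = str.maketrans("0134$@", "oieasa")
TOKEN = r"[A-Za-z0-9'$@]+"

def case_bits(tok):
    """Bits an attacker must spend on this token's capitalisation."""
    if tok.islower():
        return 0.0                      # the default the attacker tries first
    if tok.isupper() or tok.istitle():
        return math.log2(CASE_PATTERNS)  # one of the standard case rules
    return float(sum(c.isalpha() for c in tok))  # arbitrary per-letter case

def word_bits(tok):
    """Bits for the word itself: list lookup if it is in the list, else search."""
    plain = tok.lower().translate(LEET_UNDO)
    leet = LEET_RULE_BITS if plain != tok.lower() else 0.0
    if plain in DICTIONARY:
        return math.log2(DICT_SIZE) + leet
    # Not in the attacker's list: modelled as a search over lowercase letters.
    return len(plain) * math.log2(26) + leet

def estimate_bits(phrase):
    """Estimated work (in bits) to recover `phrase` under the model above."""
    tokens = re.findall(TOKEN, phrase)
    bits = sum(word_bits(t) + case_bits(t) for t in tokens)
    # Anything other than single spaces between words is a separator rule.
    separators = re.findall(r"[^A-Za-z0-9'$@]+", phrase.strip())
    if any(s != " " for s in separators):
        bits += math.log2(SEPARATOR_STYLES)
    return round(bits, 1)

if __name__ == "__main__":
    for p in ("tucson is hot", "p4ss phrase",
              "Tucson is hot, but it's no Mordor or Tatooine."):
        print(f"{estimate_bits(p):6.1f} bits  {p}")
```

The numbers are only as good as the assumed attacker model; the point is the ordering, not the absolute values.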