Since the beginning of time – at least on the Internet – passwords have served as the tool that prevents unauthorized access to information, the same way a key prevents access to an apartment or home. Once considered the ultimate safeguard, a password was guarded with the same care as a house key.
However, it quickly became apparent that if someone wants to enter your home without a key, an average-sized rock thrown through the window is all that is necessary. Likewise, a password turned out to be an effective way to keep out only those people who never wanted access to your online account in the first place. It never offered anything more.
Alternative Passwords
With that realization, alternative methods for creating “heavy-duty” passwords were developed. Some of these used multiple words, or a group of three or four words clumped together with no relation to one another. Security managers quickly realized the ineffectiveness of that strategy: the collection of unrelated words was either too easy to guess, too difficult to remember, or not random enough. Many of these heavy-duty passwords added common character substitutions, digits, and even punctuation, and often ended up as a garbled mess. The gibberish of a complicated password quickly proved hard to get past, mostly for the one person who needed to memorize it to reach the account they owned.
Using Passphrases
To break that cycle, a brilliant idea was hatched: use pass-phrases instead of passwords. The end result proved highly effective, if the right method of selecting phrases was used. Studies were done on the most common phrasing in the English language. With over 20,000 of the most common phrases determined, researchers were able to get past many supposedly difficult passphrases and into accounts well over 8000 times, simply by using those 20,000 phrases as their “guesses”.
However, it must be stated that a sentence from a book, a title out of a magazine, or something self-written can be much harder to crack than many of the common passwords in use today, even without any special characters. After much analysis, it was determined that a passphrase was significantly better at safeguarding accounts than a password. An effective passphrase repelled many brute-force attacks against the account where the traditional mixture of alphanumeric gibberish, with or without special characters, did not.
The Effectiveness of a Passphrase, or Not
It turns out that the main barrier to individuals creating passphrases is not a technical one, but simply the perception that a short one-word password is much simpler to type in than a longer passphrase.
It can be said that the glimmer of hope offered by passphrases has its boundaries. When left to laziness, many users tend to pick phrases plucked directly out of our everyday lexicon to use as a passphrase. The results can often be disastrous, hearkening back to the days when a simple one-word password was all that stood between the account holder’s information and a hacker.
The Beauty of Disorder
Researchers understand the process of entropy. The idea was developed around the observation that order in an isolated system tends to decay into disorder. Extending that to this problem, individuals looking for secure phrases to safeguard their accounts appear to be incapable of coming up with completely random words and instead rely on the natural flow of language (natural, predictable order) to build their barriers. In the end, they do little to safeguard their account.
The end result is often nothing more than weak phrasing in natural, everyday language that is highly insufficient to guard against any online or offline attack. It would be better to work from disorder, because disorder is unpredictable: nobody can know where the next word will lead. Selecting an odd phrase as a passphrase to guard an account would be significantly better than choosing a well-ordered, lexicon-driven phrase that is known by all.
Selecting a Passphrase
The best way to select a passphrase requires not one of the following, but all of them. They include:
- Length – To be effective, the passphrase needs to be long enough that it is very challenging to guess.
- Familiarity – Never use a famous quotation from holy books, literature, pop culture, or familiar sayings.
- Guess-Ability – The ability of another individual to guess your passphrase by intuition can be deadly when you are attempting to safeguard your online account. Make your passphrase difficult to guess.
- Recall – To gain access to your account, you need to remember your own passphrase. Make it easy to recall.
- Encoding – It is essential to encode your passphrase to make it more challenging to penetrate.
- Uniqueness – If you have more than one website, application, or service, never, ever, reuse a passphrase between sites.
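The entropy argument above and the selection criteria in this list can be made concrete with a small script. The following is an added example, not code from the original article or from any project it describes. It assumes a Diceware-style wordlist of 7,776 entries for the entropy figures (the wordlist and common-phrase list embedded below are constructed stand-ins so the script runs offline), and it checks the length, familiarity, guess-ability and uniqueness criteria; recall and encoding depend on the user and are not checked here.

```python
import math
import re
import secrets

# Constructed sample wordlist. A real Diceware-style list has 7,776 entries;
# this short list exists only so the example runs offline.
SAMPLE_WORDLIST = [
    "anvil", "bramble", "cactus", "dolphin", "ember", "fjord", "gizmo", "harbor",
    "icicle", "jigsaw", "kettle", "lantern", "marble", "nettle", "orbit", "plume",
    "quartz", "rivet", "saddle", "tundra", "umpire", "velvet", "walnut", "yodel",
]

# Constructed stand-in for the 20,000-phrase list the article mentions.
COMMON_PHRASES = {
    "to be or not to be",
    "may the force be with you",
    "the quick brown fox jumps over the lazy dog",
    "a penny saved is a penny earned",
    "let it be",
}


def entropy_bits_random_words(n_words, wordlist_size):
    """Entropy, in bits, of n_words each drawn uniformly at random from a list."""
    return n_words * math.log2(wordlist_size)


def entropy_bits_from_phrase_list(list_size):
    """Upper bound on entropy when the passphrase is one of list_size known phrases."""
    return math.log2(list_size)


def generate_passphrase(n_words, wordlist=SAMPLE_WORDLIST):
    """Disorder on purpose: secrets.choice uses the OS CSPRNG, so no language order leaks in."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def normalize(phrase):
    """Lowercase, drop punctuation and collapse whitespace so 'Let it be!' matches 'let it be'."""
    return " ".join(re.sub(r"[^a-z0-9 ]", "", phrase.lower()).split())


def check_passphrase(phrase, min_chars=20, min_words=4,
                     common_phrases=COMMON_PHRASES, already_used=()):
    """Return the list of violated criteria; an empty list means no finding."""
    problems = []
    norm = normalize(phrase)
    words = norm.split()
    if len(phrase) < min_chars:                      # Length
        problems.append("length")
    if len(words) < min_words:                       # Guess-ability (too few words)
        problems.append("guess-ability")
    if any(cp in norm for cp in common_phrases):     # Familiarity (known phrase inside)
        problems.append("familiarity")
    if norm in {normalize(p) for p in already_used}: # Uniqueness (reused elsewhere)
        problems.append("uniqueness")
    return problems


if __name__ == "__main__":
    # 4 random words from 7,776 versus one phrase picked from a 20,000-phrase list
    print("4 random Diceware words:", round(entropy_bits_random_words(4, 7776), 1), "bits")
    print("one of 20,000 phrases:  ", round(entropy_bits_from_phrase_list(20000), 1), "bits")
    candidate = generate_passphrase(5)
    print("generated:", candidate, "->", check_passphrase(candidate) or "ok")
    print("'May the force be with you!' ->", check_passphrase("May the force be with you!"))
```

Four words drawn at random from a 7,776-word list give roughly 51.7 bits, while any phrase that appears in a 20,000-entry list of common sayings is worth at most about 14.3 bits no matter how long it is, which is the whole difference between disorder and a well-ordered lexicon phrase.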