Wednesday 22 June 2011

Problems with Passphrases

I saw a great talk at RANT a week ago, and it reassured me that folks are starting to adopt passphrases to defeat rainbow tables and other hash precomputation attacks.

The basic idea behind passphrases is to combine several words to form your password. Take two to six words and simply type them in to form a long password, much longer than the standard 8-character password. The power of passphrases is that as the password grows longer, the tables needed to crack it must grow at a faster-than-exponential rate.

They are also much easier to remember than a mix of digits and upper- and lower-case letters.

For example, "foreigner mudslide apple" is a 24-character password, well beyond the reach of current rainbow table sets, which are limited to 14-character password hashes. The 14-character rainbow table is roughly 186 GB in size; adding another 10 characters to that table would put it in the terabyte range. Therefore, passphrases are a good thing.

But the title of this post is "Problems with Passphrases", and the problem rests entirely with the folks managing passwords on web and corporate sites. They are putting policies in place that limit password length, disallow non-alphabetic characters, forbid spaces, and basically permit only weaker passwords.

If we are to continue using passwords, these limitations need to change: start accepting longer passwords and passphrases. Again, it is the tech side that seems to be slowest to pick up the necessary changes.
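As an added illustration (not code from the original post), here is a Python sketch of the two kinds of policy the post contrasts, together with the keyspace arithmetic behind the rainbow-table argument. The alphabet sizes and the 16/128-character bounds in the revised policy are assumptions, not figures from the post.

```python
import re

# Alphabet sizes an attacker must cover when building a table (constructed figures).
ALNUM = 62      # a-z, A-Z, 0-9: all that a "letters and digits only" policy allows
PRINTABLE = 95  # full printable ASCII, once spaces and punctuation are accepted


def keyspace(max_len: int, alphabet: int) -> int:
    """Number of candidate passwords of length 1..max_len over the alphabet.
    Each extra character multiplies the dominant term by the alphabet size,
    so the space (and any table that covers it) grows exponentially in length."""
    return sum(alphabet ** n for n in range(1, max_len + 1))


def legacy_policy(pw: str) -> bool:
    """The kind of rule the post complains about: 8 to 14 characters,
    letters and digits only, no spaces. It rejects every sensible passphrase."""
    return 8 <= len(pw) <= 14 and re.fullmatch(r"[A-Za-z0-9]+", pw) is not None


def passphrase_policy(pw: str, min_len: int = 16, max_len: int = 128) -> bool:
    """A revised rule (bounds are assumptions): enforce a length floor, accept
    spaces and punctuation, and cap length only high enough to bound hashing cost."""
    return min_len <= len(pw) <= max_len and pw.isprintable()


def growth_factor(short_len: int, long_len: int, alphabet: int) -> float:
    """How many times larger the search space (and a table covering it) becomes
    when the maximum length rises from short_len to long_len."""
    return keyspace(long_len, alphabet) / keyspace(short_len, alphabet)


if __name__ == "__main__":
    phrase = "foreigner mudslide apple"   # the post's own example
    print(len(phrase), legacy_policy(phrase), passphrase_policy(phrase))
    # 14-char table vs 24-char table: the ratio is roughly 95**10
    print(f"{growth_factor(14, 24, PRINTABLE):.3g}x larger")
```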