Choosing a good passphrase
**************************


Why do we speak of a 'passphrase' instead of a 'password'?
----------------------------------------------------------

When many people are asked to choose a password, they select some common
word or name. This can be cracked easily by a 'dictionary attack', i.e. a
computer program that uses a dictionary to try all possibilities. Many such
programs exist. They are sometimes used by people who have forgotten their
own password. But a password that can be recovered in this way is weak. It
can be recovered just as easily by anyone else who may gain access to your
encrypted data.

A somewhat stronger type of 'password' is one which is not a real word, and
perhaps even includes some numbers or other special symbols, if these are
allowed by the software that you are using. Although this is safe from a
classical dictionary attack, it can be cracked by a brute-force attack, i.e.
a program that simply tries all possible sets of characters until it finds
the right combination. Of course, the longer the password, the more
difficult such an attack becomes. Suppose, for example, that 50 different
characters are allowed in the password. Then if you add one extra character
to an existing password, a brute-force search for the correct password would
be expected to take 50 times as long.

Many Unix systems, for example, accept logon passwords of up to eight
characters. Logon passwords for some ISPs are similar. Unfortunately, such
passwords are rather weak and are easily attacked. You should certainly use
longer passwords if your software allows this.

Documents on PGP and some other encryption software always speak of
passphrases, rather than passwords, in order to stress that they can be of
any reasonable length, consisting of *many* words or groups of characters,
separated (optionally) by spaces.


How strong should a passphrase be?
----------------------------------

The passphrase is by far the weakest part of many cryptosystems, at least
for many users, who use a weak passphrase in practice. If an attacker wants
to read a typical user's encrypted messages, it would be far more efficient
to try to crack the passphrase than to attempt any real cryptanalysis. This
is why it is very important to choose a good passphrase.

Even for powerful organisations like government agencies with huge computing
resources, it would be most cost-effective to try to crack the passphrase.
It is often said that the simplest technique for gaining access to encrypted
data is the 'rubber-hose attack' (beating the victim, or using other methods
of torture, until the passphrase is revealed). Another such technique is to
plant an electronic bug or a hidden program in the user's computer, to
capture all the keystrokes. Alternatively, without even any physical access
to a computer or its user, a serious attacker can monitor, from a distance,
the electronic emissions from the computer and thereby record the
passphrase. This is known as a 'Tempest attack'. It's not easy to guard
against any of these possible attacks. But you probably do not need to worry
about them unless you are a serious target of government investigations or
live under an oppressive regime.

It makes sense to choose a passphrase which is equal in strength to the
cryptosystem being used, since any such system is only as strong as its
weakest link. This document explains some simple tricks which can help to
achieve that goal.


How can I choose a strong passphrase?
-------------------------------------

In general terms, the aim should be to create a passphrase that is easy to
remember and to type when needed, but very hard for anyone else to guess,
even for someone who knows you well. It should also be long enough to make
any dictionary attack or brute-force attack impractical.

One well known method is to select, by some random process, a set of words
from a dictionary. This technique is sometimes called 'diceware'. This
method is implemented by a program !RNDpass by Tony Hopstaken, available
from the same URL as !Q-Lock.

With a dictionary as large as the one included in !RNDpass, a passphrase
consisting of 7 or more random words is likely to withstand any conceivable
attack, because of the enormous number of possible combinations, especially
if the passphrase is modified in some unpredictable way to prevent a pure
dictionary attack.
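
The arithmetic behind the '50 times as long' figure and the 7-word
recommendation can be worked through as follows. This is an added example,
not part of !RNDpass or the original document. It assumes a word list of
7776 entries (the size of the standard diceware list, since the size of the
!RNDpass dictionary is not given here), an assumed attacker speed of 10^12
guesses per second, and a short constructed word list for the generator.

```python
import math
import secrets

# Constructed stand-in list; a real diceware list has 7776 (6**5) words.
SAMPLE_WORDS = ["acorn", "bridge", "candle", "dragon",
                "ember", "falcon", "garnet", "harbor"]
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(choices: int, length: int) -> float:
    """Entropy when each of `length` positions is drawn uniformly from `choices`."""
    return length * math.log2(choices)


def expected_years(choices: int, length: int, guesses_per_second: float) -> float:
    """Expected brute-force time; on average half the keyspace is searched."""
    keyspace = choices ** length
    return keyspace / 2 / guesses_per_second / SECONDS_PER_YEAR


def random_passphrase(words, count: int) -> str:
    """Pick `count` words independently with a CSPRNG (the software form of dice)."""
    if len(set(words)) != len(words):
        raise ValueError("duplicate words would overstate the entropy")
    return " ".join(secrets.choice(words) for _ in range(count))


def compare(guesses_per_second: float = 1e12):
    """Return (label, bits, expected years) for the cases discussed in the text."""
    cases = [
        ("8 chars from 50 symbols", 50, 8),
        ("9 chars from 50 symbols", 50, 9),
        ("7 words from 7776-word list", 7776, 7),
    ]
    return [(label, entropy_bits(c, n), expected_years(c, n, guesses_per_second))
            for label, c, n in cases]


if __name__ == "__main__":
    for label, bits, years in compare():
        print(f"{label:30s} {bits:6.1f} bits  ~{years:.3g} years")
    print("sample:", random_passphrase(SAMPLE_WORDS, 7))
```

These figures hold only when every character or word is chosen at random; a
phrase chosen by a person has far less entropy than the same number of words
drawn by dice.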

Some simple tips for 'distorting' a passphrase are described below. If they
are applied with a little ingenuity, they will work well even if the user
starts with a 'normal' passphrase in plain English (instead of random words,
as given by !RNDpass) and distorts it in such a way that it becomes quite
unpredictable.

A few special methods of doing this can be automated in !RNDpass, as an
option. 'Random' (computer-generated) distortions of a passphrase consisting
of normal words are undoubtedly more secure than distortions added by hand
in an intuitive manner, but it may take more effort to remember them.


How can a 'normal' passphrase be distorted to make it stronger?
---------------------------------------------------------------

* First of all, you may start with either a set of random words like those
  generated by !RNDpass (more secure, but harder to remember) or a
  meaningful sequence of words (less secure, but easier to remember). If you
  choose the latter approach, do not use any famous quotations, proverbs or
  sayings. All these exist in dictionaries, including some in electronic
  form, which can be used for cracking purposes. One possibility would be to
  select a phrase from a book at random, preferably avoiding any complete
  sentence. Try to avoid phrases with a conventional, predictable
  grammatical structure. If necessary, replace some words with silly,
  unexpected words.

* When 'distorting' a 'normal' passphrase, it is best to avoid the use of
  only dictionary words, in order to foil any possible dictionary attack.

* You can use non-alphabetic characters, such as numbers or any other
  symbols on your keyboard. For example, you can change the word 'computer'
  to 'c0mputer', '98%computer', or 'comput#'. The use of additional
  characters can increase the number of possible passphrases enormously,
  without making them much harder to remember. It is best to put them in
  unexpected places, because an attacker may guess an obvious substitution,
  for example that you replaced 'o' by '0'.

* Passphrases in many programs, including !Q-Lock, are case-sensitive. This
  means that it is a good idea to mix upper and lower case. For example,
  'computer', 'comPUTer' and 'COMPUTER' would all be treated as distinct.

* If you know any words from foreign languages, you can include some in your
  passphrase.

* You can invent your own nonsense words, like the famous word 'jabberwocky'
  coined by Lewis Carroll.

* You can create completely meaningless 'words' consisting of apparently
  'random' characters, but which are easy to remember. For example, 'ilro'
  might stand for 'I love RISC OS'.

* Bear in mind that you can use any printable ASCII characters, not just the
  ones that appear on the keyboard. For example, the copyright symbol © can
  be obtained by holding down the ALT key, typing 169 on the numeric keypad,
  and then releasing the ALT key. Details of how to get all such characters
  can be found in your computer's User Guide.

* You can disguise dictionary words by using strange and unexpected
  spellings. For example, the word 'computer' can be changed to 'komputta'.

* Dictionary words can also be hidden by using extra spaces, or omitting
  spaces, as in 'com puter' or 'Acorncomputer'.

* The techniques suggested above become even more effective when used in
  combination. An example might be the 'word' 'MY2c0mputas@home'.
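
A simple self-check shows which of the distortions above still collapse to
plain dictionary words once the obvious tricks are undone. This is an added
example, not part of !RNDpass or !Q-Lock. The dictionary is a small
constructed sample and the table of look-alike substitutions is an assumed
set of the guessable kind mentioned above ('o' replaced by '0').

```python
# Constructed sample dictionary; a real check would load a full word list.
DICTIONARY = {"computer", "acorn", "home", "my"}

# Assumed set of predictable look-alike substitutions (digit or symbol -> letter).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "@": "a", "$": "s"})


def normalise(candidate: str) -> str:
    """Undo case changes and look-alike substitutions, then drop non-letters."""
    folded = candidate.lower().translate(LOOKALIKES)
    return "".join(ch for ch in folded if ch.isalpha())


def weak_distortion(candidate: str, dictionary=DICTIONARY) -> bool:
    """True if the candidate reduces to one dictionary word or a run of them."""
    text = normalise(candidate)
    # reachable[i] is True when text[:i] splits entirely into dictionary words.
    reachable = [True] + [False] * len(text)
    for end in range(1, len(text) + 1):
        reachable[end] = any(
            reachable[start] and text[start:end] in dictionary
            for start in range(end)
        )
    return bool(text) and reachable[len(text)]


if __name__ == "__main__":
    # Examples taken from the tips above.
    for sample in ["c0mputer", "98%computer", "comPUTer", "com puter",
                   "Acorncomputer", "comput#", "komputta", "MY2c0mputas@home"]:
        verdict = "still a dictionary word" if weak_distortion(sample) else "not found"
        print(f"{sample:20s} {verdict}")
```

A result of 'not found' only means that this particular reduction failed; it
does not measure how strong the passphrase is.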

A final word of advice: Whatever you do, don't ever write down your
passphrase or store it in any computer file. If you do, you are asking for
trouble. Your passphrase should exist only in your head!