Why can’t people get the message about passphrases?

A training provider we use recently posted this.

The executive summary is: “Use a 9-character password with upper- and lower-case text, numbers and symbols and your password will be ‘unhackable’”. According to the author, it would take about 45,000 years to hack using a brute force tool.

Unfortunately, this is plain wrong.

Brute force hacking of passwords normally uses “rainbow tables”, which are precompiled lists of the hashed equivalent of your password (actually it’s more complicated than that). Each additional character increases the number of possible password values by a factor of between 26 (for lower-case alpha only) and around 76 (for upper- and lower-case, digits and commonly-used symbols); the length of the rainbow table is similarly (but not linearly) affected. The rainbow table for a 9-character full-range password (4×10^16 possible passwords) is between 1 and 7 petabytes in size, depending on format and completeness. This is large, but is within the capabilities of a determined hacker, and once generated it is permanently valid. With such a table, the time taken to crack your password is a function of the speed of the platform being used to search the rainbow table and compute the remaining hash chains. Minutes, not years. A six-character full-range rainbow table, by the way, is less than 20 GB – you can fit it on a memory stick.

If you want to scare yourself, read about Ophcrack. Jeff Atwood showed it cracking a 13-character mixed-case and digits password in under three minutes. In 2007.

Please would people writing on security stop encouraging people (and sites) to use and mandate complex password rules while allowing short passwords? Pretty please? All this does is increase the likelihood that the user will write the password down, entirely bypassing the whole point of passwords. A passphrase is a much better option, preferably made up of several words separated by spaces. This allows you to use a long passphrase while making it easy to remember.

If you have a three-word passphrase, such as “johnny loves chocolate”, which is 22 characters long, the equivalent rainbow table – even if you only use lower case alphanumerics and spaces (3×10^31 possible passwords) – is perhaps a geobyte in length. A geobyte is 1,000,000,000,000 petabytes. Put another way, that’s more than 1 million times the total storage of all the disk drives on the entire planet put together. So you can’t use rainbow tables and have to fall back on brute force computation. If the original blog poster’s chosen brute force tool is doing 6-character lowercase passwords in 10 minutes, it would take it a maximum of 831 million billion years to crack “johnny loves chocolate”. The Sun will become a red giant and annihilate the Earth in about 5 billion years, to give you some sense of scale.
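As an added illustration (my own script, not part of the original post), the following Python does the keyspace arithmetic the post does by hand: it derives a guess rate from the post's benchmark of six-character lowercase passwords in ten minutes, then computes candidate counts, bits of strength and worst-case exhaustive search time for a range of alphabets and lengths. The alphabet sizes, the 7776-word list size and the halving for expected time are my assumptions. A 27-symbol alphabet (26 letters plus space) reproduces the 3×10^31 figure the post quotes for 22 characters, and a 26-letter alphabet reproduces its 831 million billion years to within rounding; where the post's other rounded figures differ from the output, the difference is the alphabet size chosen. The script also goes a step beyond the post by modelling a word-based passphrase the way an attacker would, as words drawn from a list rather than as random characters, which is the model to use when rating a phrase like the one above.

```python
import math

# Alphabet sizes for the password classes discussed in the post (assumed).
# The 76-symbol "full range" value is the post's own estimate for upper and
# lower case, digits and common symbols; the others are plain counts.
ALPHABETS = {
    "lowercase": 26,
    "lowercase + space": 27,
    "lowercase + digits + space": 37,
    "mixed case + digits": 62,
    "full range (post's figure)": 76,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Strength in bits if every symbol is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def rate_from_benchmark(alphabet_size: int, length: int, seconds: float) -> float:
    """Guesses per second implied by a benchmark such as the post's
    'six-character lowercase passwords in ten minutes'."""
    return keyspace(alphabet_size, length) / seconds


def worst_case_years(alphabet_size: int, length: int, rate: float) -> float:
    """Years to try every candidate once at `rate` guesses per second
    (the figure the post quotes); the expected time is half of this."""
    return keyspace(alphabet_size, length) / rate / SECONDS_PER_YEAR


def wordlist_entropy_bits(words: int, wordlist_size: int) -> float:
    """Strength if the attacker knows the passphrase is `words` words drawn
    uniformly from a list of `wordlist_size`. For a word-based passphrase
    the attacker guesses words, not characters, so this is the honest model."""
    return words * math.log2(wordlist_size)


if __name__ == "__main__":
    # The post's benchmark: a tool that exhausts 6-character lowercase in 10 minutes.
    rate = rate_from_benchmark(26, 6, 10 * 60)
    print(f"implied rate: {rate:,.0f} guesses/s")
    for name, size in ALPHABETS.items():
        for length in (6, 9, 13, 22):
            print(f"{name:28s} len {length:2d}: "
                  f"{keyspace(size, length):.2e} candidates, "
                  f"{entropy_bits(size, length):5.1f} bits, "
                  f"{worst_case_years(size, length, rate):.2e} years worst case")
    # 7776 is the size of a standard Diceware list (assumed here); three random words.
    print(f"3 random words from a 7776-word list: {wordlist_entropy_bits(3, 7776):.1f} bits")
```

What the numbers make explicit is that each extra character multiplies the search space by the alphabet size, so length dominates character-class rules, while a word-based passphrase gains roughly 13 bits per word drawn at random from a 7776-word list; its strength therefore comes from the number of words and how randomly they were picked, not from its character count.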

In this particular context, size does matter.
