Apple Of Sodom
Golden Member
- Oct 7, 2007
Passphrases can be just as vulnerable as short passwords if they contain common words, and especially if they are a common phrase.
Passphrases are yet another compromise. It isn't very hard to come up with a difficult base password and then salt it with additional information for each new entry of it.
For example, let's say my name is Dave Smith and I was born in 1980. Picking Dsmith_1980 would be an okay password in itself for most applications (maybe not your day trading account)...but you don't want to reuse it for every site. So we come up with a schema that is easy to remember and add that to the password for every location.
For example, for websites we add the website name to the end of the password and then an exclamation point. You do this enough times it becomes easy.
Amazon password becomes Dsmith_1980amazon!
eBay password becomes Dsmith_1980ebay!
Maybe for work or other locations we use a simple identifier, such as work:
Dsmith_1980work!
Dsmith_1980home!
The one issue with this is if someone gets the plain text of your password, then it would be easy enough to guess passwords for other sites. This is unlikely though.
For those with passwords that need to be changed often, it would be sufficient to keep the same base password and only change a portion of it.
Dsmith_1980work!1
Dsmith_1980work!2
etc.
Of course, there are sometimes security restrictions that will detect similar patterns in passwords, etc. You would have to learn how to use the system and adapt your schema.
The best thing for people to do is to come up with a schema that only they know and follow it for password creation. This way you don't really need to remember two dozen passwords - you only need to remember how you created it (such as remembering "it is my street address, question mark, then first four of website name", or whatever).
I must reiterate that passphrases are problematic because you start doing a dictionary attack using words strung together. People also think long passwords don't need complexity, so they start using very long phrases that are somewhat common. thewinterofourdiscontent would be a terrible password, even though it is quite long.
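The schema in the post above, and the failure mode it concedes (one leaked plaintext lets someone guess the rest), as an added example that is not the poster's code. It assumes the shape the post describes (base, then a lowercase site token, then "!", then an optional rotation counter) and that whoever holds the leaked password also knows which site it came from; both assumptions are mine.

```python
"""Added example, not from the original post.

Builds passwords the way the post describes (base + site + "!" [+ counter])
and then shows the attacker's side: given one leaked plaintext and the site
it belonged to, strip the visible site token and predict the others.

Assumptions (mine): the site token is the lowercase site name as in the post,
and the attacker knows which site the leaked password was used on.
"""
import re
from typing import Dict, List, Optional

# Values taken from the post
BASE = "Dsmith_1980"
SUFFIX = "!"


def site_password(base: str, site: str, rotation: Optional[int] = None) -> str:
    """Derive a per-site password: base + site + '!' plus an optional counter
    for forced rotations (post's 'Dsmith_1980work!1', 'Dsmith_1980work!2')."""
    pw = f"{base}{site.lower()}{SUFFIX}"
    if rotation is not None:
        pw += str(rotation)
    return pw


def recover_base(leaked_password: str, leaked_site: str) -> Optional[str]:
    """Attacker step: if the leak has the schema's shape, return the base
    that precedes the known site token; otherwise None."""
    pattern = rf"(.+){re.escape(leaked_site.lower())}{re.escape(SUFFIX)}\d*"
    m = re.fullmatch(pattern, leaked_password)
    return m.group(1) if m else None


def predict_passwords(
    leaked_password: str,
    leaked_site: str,
    targets: List[str],
    rotations: int = 3,
) -> Dict[str, List[str]]:
    """Attacker step: candidate passwords for other sites from one leak.
    Tries the unrotated form plus counters 1..rotations for each target.
    Returns {} when the leak does not match the schema."""
    base = recover_base(leaked_password, leaked_site)
    if base is None:
        return {}
    predictions: Dict[str, List[str]] = {}
    for target in targets:
        candidates = [site_password(base, target)]
        candidates += [site_password(base, target, n) for n in range(1, rotations + 1)]
        predictions[target] = candidates
    return predictions


if __name__ == "__main__":
    # Constructed leak: the Amazon password from the post, in plain text.
    leaked = site_password(BASE, "amazon")
    print("leaked:", leaked)
    for site, guesses in predict_passwords(leaked, "amazon", ["ebay", "work", "home"]).items():
        print(f"{site}: {guesses}")
```

The point the attacker side makes is that the site token is readable in the leaked string itself, so the attacker does not need to know the schema in advance: "Dsmith_1980amazon!" announces its own structure, and the candidate list for every other site is a handful of strings rather than a brute-force search.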
