Campus ID News
Card, mobile credential, payment and security

Can passphrases strengthen the embattled password?

CampusIDNews Staff   ||   Mar 28, 2013  ||   ,

University says yes, researchers suggest caution

Keeping a university’s computer system secure from outside hackers is only half the battle. Securing the thousands of student computers that log into campus networks on a daily basis is the other half. Protecting the university’s network is an around-the-clock challenge.

The most common way to secure computers and networks is the oft-maligned password. But can passwords be secure? “Yes, if you don’t have any users,” jokes Jacob Farmer, manager of ID Management Systems at Indiana University.

Since 2006 Indiana University has been fighting this battle with a different solution: the passphrase. This is what the school requires its students to use when connecting to the network, a transaction that happens some 100,000 times each day.

The idea of a pass phrase isn’t new. In 2004, Jesper M. Johansson, security program manager at Microsoft Corp., wrote a paper describing the benefits and drawbacks of passphrases. He wrote that passphrases “are coming into vogue for a number of reasons, one being the development of tools that can crack many passwords in minutes.”

He cautiously concluded that pass phrases were indeed more reliable than passwords but they were also saddled with some disadvantages. For example, if the pass phrase is lengthy and you’re not a good typist you could have problems entering the phrase.

“While no one can conclusively answer the question of whether passphrases are stronger than passwords, math and logic appear to show that a five- or six-word passphrase is roughly as strong as a completely random nine-character password,” Johansson wrote. “Since most people are better able to remember a six-word passphrase than a totally random nine-character password, pass phrases seem to be better than passwords.”

That’s one of the reasons Indiana University moved towards pass phrases. “Passwords weren’t strong enough and were cumbersome for users to type,” explains Andrew Korty, Indiana University’s information security officer. “A passphrase is stronger and is more like the sentences people type all the time.”

Johansson agrees. “Certainly a pass phrase of nine words is stronger than a password of nine characters but if you can’t type that many words accurately, it is much worse,” he wrote. “In addition, if the user mouths the pass phrase while typing it, little has been gained.”

Selecting strong passphrases core to IU learning

But one of the strongest arguments in support of passphrases is that they’re easier for users to remember. “If you agree that passphrases are easier to remember, use them,” Johansson says. “You will not be worse off than if you use passwords.”

Before a student logs into Indiana’s system for the first time, the school’s GetConnected Web site helps set up a university account. “The site will configure a student’s computer so it can meet our network and security standards,” says Farmer. “It provides them with a fairly comprehensive package to help them get off on the right foot from a security prospective.”

It also helps the student establish a pass phrase. Each phrase must contain between 15 and 127 characters. It must include at least four unique characters–letters, numbers, or symbols–and contain at least four words. A word must contain two or more distinct letters separated by one or more spaces or other non-letters, not including numbers or the underscore character ( _ ).

For example, “little pink houses-4unme” contains four words and is a valid pass phrase. On the other hand, the phrase “Hoagy_carmichael plays123stardust” only contains two words so would not be valid. Because a pass phrase can be quite lengthy, it becomes more difficult for a hacker to crack, explains Farmer.

Pass phrases cannot contain the student’s name or username, use the @ sign, the number sign (#) or double quotes. It cannot be a common phrase, such as “to be or not to be” or “April showers bring May flowers.”

Finally, the pass phrase should not be based on predictable patterns, such as the alphabet (abc … ) or the keyboard (qwerty). And of course, like passwords, pass phrases are case sensitive, says Farmer.

Students and staff are required to change their pass phrase every two years and it is used to access all IU accounts, including email.

Related Posts

Subscribe to our weekly newsletter


Virginia Tech access control readers from Allegion

Virginia Tech's multi-year journey eliminates brass keys from campus

  At Virginia Tech, a strategically planned, multi-year process has eliminated physical keys from the campus. Brass keys have been replaced by card access in buildings and residence halls. The only remaining keys are stored in secure key boxes for security personnel and residence hall advisors to access in case of emergencies or after hours […]
Harvard CrimsonCash logo
Jun 07, 24 / , ,

Harvard to end longstanding declining balance program starting July 1

Harvard’s CrimsonCash – a declining balance program that enables students to use their campus card to make payments on and off campus – will be sunsetted in phases beginning July 1, 2024 and finishing July 1, 2025. The announcement was made in an email sent to account holders and a posting on the university’s website. At […]
ELATEC Secure Logon product review

Secure computer labs and faculty workstations with existing campus cards and mobile IDs

Eliminating usernames and passwords has positive security and convenience implications, and ELATEC’s Secure Logon solution helps campuses achieve the goal. Using your existing campus ID or mobile credential, users tap it on a reader to access shared computers and resources. In this video, ELATEC’s campus lead Rawldon Weekes, discusses Secure Logon and overviews a variety […]
CIDN logo reversed
The only publication dedicated to the use of campus cards, mobile credentials, identity and security technology in the education market. CampusIDNews – formerly CR80News – has served more than 6,500 subscribers for more than two decades.

Attn: friends in the biometrics space. Nominations close Friday for the annual Women in Biometrics Awards. Take five minutes to recognize a colleague or even yourself.

Feb. 1 webinar explores how mobile ordering enhanced campus life, increased sales at UVA and Central Washington @Grubhub @CBORD

Load More...
CampusIDNews is published by AVISIAN Publishing
315 E. Georgia St.
Tallahassee, FL 32301[email protected]
Use our contact form to submit tips, corrections, or questions to our team.
©2024 CampusIDNews. All rights reserved.