Campus ID News
Card, mobile credential, payment and security

Can passphrases strengthen the embattled password?

CampusIDNews Staff   ||   Mar 28, 2013  ||   ,

University says yes, researchers suggest caution

Keeping a university’s computer system secure from outside hackers is only half the battle. Securing the thousands of student computers that log into campus networks on a daily basis is the other half. Protecting the university’s network is an around-the-clock challenge.

The most common way to secure computers and networks is the oft-maligned password. But can passwords be secure? “Yes, if you don’t have any users,” jokes Jacob Farmer, manager of ID Management Systems at Indiana University.

Since 2006 Indiana University has been fighting this battle with a different solution: the passphrase. This is what the school requires its students to use when connecting to the network, a transaction that happens some 100,000 times each day.

The idea of a pass phrase isn’t new. In 2004, Jesper M. Johansson, security program manager at Microsoft Corp., wrote a paper describing the benefits and drawbacks of passphrases. He wrote that passphrases “are coming into vogue for a number of reasons, one being the development of tools that can crack many passwords in minutes.”

He cautiously concluded that pass phrases were indeed more reliable than passwords but they were also saddled with some disadvantages. For example, if the pass phrase is lengthy and you’re not a good typist you could have problems entering the phrase.

“While no one can conclusively answer the question of whether passphrases are stronger than passwords, math and logic appear to show that a five- or six-word passphrase is roughly as strong as a completely random nine-character password,” Johansson wrote. “Since most people are better able to remember a six-word passphrase than a totally random nine-character password, pass phrases seem to be better than passwords.”

That’s one of the reasons Indiana University moved towards pass phrases. “Passwords weren’t strong enough and were cumbersome for users to type,” explains Andrew Korty, Indiana University’s information security officer. “A passphrase is stronger and is more like the sentences people type all the time.”

Johansson agrees. “Certainly a pass phrase of nine words is stronger than a password of nine characters but if you can’t type that many words accurately, it is much worse,” he wrote. “In addition, if the user mouths the pass phrase while typing it, little has been gained.”

Selecting strong passphrases core to IU learning

But one of the strongest arguments in support of passphrases is that they’re easier for users to remember. “If you agree that passphrases are easier to remember, use them,” Johansson says. “You will not be worse off than if you use passwords.”

Before a student logs into Indiana’s system for the first time, the school’s GetConnected Web site helps set up a university account. “The site will configure a student’s computer so it can meet our network and security standards,” says Farmer. “It provides them with a fairly comprehensive package to help them get off on the right foot from a security prospective.”

It also helps the student establish a pass phrase. Each phrase must contain between 15 and 127 characters. It must include at least four unique characters–letters, numbers, or symbols–and contain at least four words. A word must contain two or more distinct letters separated by one or more spaces or other non-letters, not including numbers or the underscore character ( _ ).

For example, “little pink houses-4unme” contains four words and is a valid pass phrase. On the other hand, the phrase “Hoagy_carmichael plays123stardust” only contains two words so would not be valid. Because a pass phrase can be quite lengthy, it becomes more difficult for a hacker to crack, explains Farmer.

Pass phrases cannot contain the student’s name or username, use the @ sign, the number sign (#) or double quotes. It cannot be a common phrase, such as “to be or not to be” or “April showers bring May flowers.”

Finally, the pass phrase should not be based on predictable patterns, such as the alphabet (abc … ) or the keyboard (qwerty). And of course, like passwords, pass phrases are case sensitive, says Farmer.

Students and staff are required to change their pass phrase every two years and it is used to access all IU accounts, including email.

Subscribe to our weekly newsletter


Jun 08, 23 / ,

NACCU Blog: 9 keys to managing an on-site team remotely

Employees and positions traditionally tethered to an office are now increasingly hybrid or entirely remote. A recent entry to NACCU's Positive IDentity Blog, Director of Campus Card Services at The New School, Bankim Patel, discusses some of the important considerations for remotely managing an on-site team.

Student card data at Alberta helps piece together campus life puzzle

Jennifer McNeill, manager of the ONEcard program at the University of Alberta, explains how card system data can potentially lead to a safer, more welcoming student experience. She describes how data collected from campus card transactions can be used to improve operations like dining, residence life, fitness and other vital campus tasks.
May 26, 23 / ,

Penn State adds mobile ordering to campus app

Penn State has added a mobile ordering feature to its comprehensive campus mobile app, Penn State Go. The Penn State Eats Mobile function is available for use by students on the flagship University Park campus, as well as across the university's Commonwealth Campuses.
CIDN logo reversed
The only publication dedicated to the use of campus cards, mobile credentials, identity and security technology in the education market. CampusIDNews – formerly CR80News – has served more than 6,500 subscribers for more than two decades.

Join us, @NACCUorg, and @TouchNet to explore how campus card programs can successfully navigate the sales and procurement process. Join the webinar on June 6, 2 pm EDT.

Webinar: Learn how the University of Arizona uses campus cards, mobile ordering, kiosks, lockers, and robots to revolutionize campus dining. April 7, 2-2:30 EDT. Register Now at

Load More...
CampusIDNews is published by AVISIAN Publishing
315 E. Georgia St.
Tallahassee, FL 32301[email protected]
Use our contact form to submit tips, corrections, or questions to our team.
©2023 CampusIDNews. All rights reserved.