Campus ID News
Card, mobile credential, payment and security

Can passphrases strengthen the embattled password?

CampusIDNews Staff || Mar 28, 2013

University says yes, researchers suggest caution

Keeping a university’s computer system secure from outside hackers is only half the battle. Securing the thousands of student computers that log into campus networks on a daily basis is the other half. Protecting the university’s network is an around-the-clock challenge.

The most common way to secure computers and networks is the oft-maligned password. But can passwords be secure? “Yes, if you don’t have any users,” jokes Jacob Farmer, manager of ID Management Systems at Indiana University.

Since 2006 Indiana University has been fighting this battle with a different solution: the passphrase. This is what the school requires its students to use when connecting to the network, a transaction that happens some 100,000 times each day.

The idea of a pass phrase isn’t new. In 2004, Jesper M. Johansson, security program manager at Microsoft Corp., wrote a paper describing the benefits and drawbacks of passphrases. He wrote that passphrases “are coming into vogue for a number of reasons, one being the development of tools that can crack many passwords in minutes.”

He cautiously concluded that pass phrases were indeed more reliable than passwords but they were also saddled with some disadvantages. For example, if the pass phrase is lengthy and you’re not a good typist you could have problems entering the phrase.

“While no one can conclusively answer the question of whether passphrases are stronger than passwords, math and logic appear to show that a five- or six-word passphrase is roughly as strong as a completely random nine-character password,” Johansson wrote. “Since most people are better able to remember a six-word passphrase than a totally random nine-character password, pass phrases seem to be better than passwords.”

That’s one of the reasons Indiana University moved towards pass phrases. “Passwords weren’t strong enough and were cumbersome for users to type,” explains Andrew Korty, Indiana University’s information security officer. “A passphrase is stronger and is more like the sentences people type all the time.”

Johansson agrees. “Certainly a pass phrase of nine words is stronger than a password of nine characters but if you can’t type that many words accurately, it is much worse,” he wrote. “In addition, if the user mouths the pass phrase while typing it, little has been gained.”

Selecting strong passphrases core to IU learning

But one of the strongest arguments in support of passphrases is that they’re easier for users to remember. “If you agree that passphrases are easier to remember, use them,” Johansson says. “You will not be worse off than if you use passwords.”

Before a student logs into Indiana’s system for the first time, the school’s GetConnected Web site helps set up a university account. “The site will configure a student’s computer so it can meet our network and security standards,” says Farmer. “It provides them with a fairly comprehensive package to help them get off on the right foot from a security perspective.”

It also helps the student establish a pass phrase. Each phrase must contain between 15 and 127 characters. It must include at least four unique characters (letters, numbers, or symbols) and contain at least four words. A word must contain two or more distinct letters, and words are separated by one or more spaces or other non-letters; numbers and the underscore character ( _ ) do not count as separators.

For example, “little pink houses-4unme” contains four words and is a valid pass phrase. On the other hand, the phrase “Hoagy_carmichael plays123stardust” only contains two words so would not be valid. Because a pass phrase can be quite lengthy, it becomes more difficult for a hacker to crack, explains Farmer.

Pass phrases cannot contain the student’s name or username, and cannot use the @ sign, the number sign (#) or double quotes. They cannot be a common phrase, such as “to be or not to be” or “April showers bring May flowers.”

Finally, the pass phrase should not be based on predictable patterns, such as the alphabet (abc … ) or the keyboard (qwerty). And of course, like passwords, pass phrases are case sensitive, says Farmer.

Students and staff are required to change their pass phrase every two years and it is used to access all IU accounts, including email.
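The composition rules described above can be expressed as a validator. This is an added example, not Indiana University's code; the two-entry denylist, the five-character pattern threshold, ASCII-only letters and the substring matching of names are assumptions.

```python
import re

# Limits stated in the article.
MIN_LEN, MAX_LEN, MIN_UNIQUE, MIN_WORDS = 15, 127, 4, 4
FORBIDDEN_CHARS = set('@#"')
# Constructed denylist: only the two common phrases the article names.
COMMON_PHRASES = {"to be or not to be", "april showers bring may flowers"}
# Assumption: 5+ consecutive characters of a sequence count as a pattern.
SEQUENCES, RUN = ("abcdefghijklmnopqrstuvwxyz", "qwertyuiop"), 5


def count_words(phrase):
    """Count words: digits and '_' do not separate words, other non-letters do."""
    tokens = re.split(r"[^A-Za-z0-9_]+", phrase)
    # Assumption: ASCII letters only, distinct letters compared case-insensitively.
    return sum(1 for t in tokens
               if len({c.lower() for c in t if c.isalpha()}) >= 2)


def has_pattern(phrase):
    """True if the phrase contains a RUN-long slice of a known sequence."""
    low = phrase.lower()
    return any(seq[i:i + RUN] in low
               for seq in SEQUENCES for i in range(len(seq) - RUN + 1))


def check_passphrase(phrase, name="", username=""):
    """Return the list of violated rules; an empty list means acceptable."""
    low = phrase.lower()
    # Assumption: each part of the name, and the username, is matched
    # case-insensitively as a substring.
    identity = [p.lower() for p in name.split() + [username] if p]
    rules = [
        ("length", not MIN_LEN <= len(phrase) <= MAX_LEN),
        ("unique_chars", len(set(phrase)) < MIN_UNIQUE),
        ("word_count", count_words(phrase) < MIN_WORDS),
        ("forbidden_char", bool(FORBIDDEN_CHARS & set(phrase))),
        ("contains_identity", any(p in low for p in identity)),
        ("common_phrase", low.strip() in COMMON_PHRASES),
        ("predictable_pattern", has_pattern(phrase)),
    ]
    return [label for label, violated in rules if violated]
```

Run against the article's own examples, "little pink houses-4unme" returns no violations and "Hoagy_carmichael plays123stardust" fails only the word count, because the underscore and the digits do not split words.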

The only publication dedicated to the use of campus cards, mobile credentials, identity and security technology in the education market. CampusIDNews – formerly CR80News – has served more than 6,500 subscribers for more than two decades.

CampusIDNews is published by AVISIAN Publishing