Passphrase 101

November 4, 2015

[Update: Last week a website apparently lost 13 million passwords (all in plain text) of users. Question for all law enforcement-friendly websites (forums, online stores, etc.): How well do you protect and store your users’ passwords?]

Today we’re going to take a closer look at email account takeovers and how they’re occurring.

When we hear about the CIA chief having his home email compromised, you can assume that you too are susceptible. Certainly I’m not familiar with this particular investigation, but email account takeovers have a particular weak point that we’re going to discuss.

Your password alone probably definitely isn’t enough.

In fact, from now on, we’re not going to use the term password any more. From now on, we’re going to use “passphrase.” While passwords we’re decent 5 – 10 years ago, we need to start making our passwords much, much longer. In Kevin Mitnick’s book The Art of Deception he tells the story of a hacker who in one case used passphrases that were routinely 100 characters long.

So how do we make good passphrases?

First pick a phrase. I will use “getlost” as an example since I used to be a motor cop (something I heard once or twice). Now, let’s plug that in to and we can get an idea of how good that is or isn’t. Keep in mind a good passphrase will be a minimum of 8 characters. “Getlost” is only seven. As such, it takes a whopping 2 seconds to crack this passphrase.

N ow let’s make it a touch longer. We’re now going to test “gogetlost.”




As you can see, just like that our passphrase jumped from 2 seconds to 22 minutes (1,320 seconds). That’s a huge improvement for not a lot of work.


Because math. When we get over 8 characters, guessing passwords gets immensely more difficult.

Next, we add in some capital letters. “GoGetLOST”

And just like that we took another leap from 1,320 seconds to 691,200 seconds. Again, a huge jump in complexity.

But we can do better.

Add in numbers and we get this passphrase: “GoG3tL0ST”

Just like that we made our password so difficult it would take about a month to crack it. So, let’s take it a step further! We’re going to add in special characters now: GoG3tL0$+

And just like that we took a simple passphrase that took two seconds to rip through now takes almost a year to guess.

The Exceptions …

Now this is all fine and dandy except you’ll sabotage yourself if you do a few things:

  • Including parts in your password that are easy to guess about you including
    • Kids’ names
    • Badge numbers
    • Spouse’s badge number
    • Important years/dates
  • Accidentally divulging your password
  • Your password being stolen in a data breach

The last two points definitely are worth some extra explanation.

Phishing sites are all about creating what looks like a safe website in order for you to accidentally hand over your password. Because remember, I don’t need your credit card number or bank account details – all I need is your email password and in most cases I own the keys to the kingdom.