Good Passphrase Hygiene

    Choosing Your Passphrase

    Don't use a password; use a passphrase.

    For a 128-bit cipher, a completely random passphrase drawn from the full printable keyboard character set (95 characters, roughly 6.6 bits each) needs a minimum of 20 characters to match the key length; drawn from lowercase letters only, it needs 28.

    When choosing your passphrase, use random characters, combining upper- and lowercase letters, numbers, punctuation and special characters (~!@#$ etc.).
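    The arithmetic behind the 20-character figure, and a generator that actually draws the characters uniformly at random, as an added example (not code from the original page). It assumes the 95 printable ASCII characters as the alphabet; the word list in it is a constructed sample far too short for real use and is there only to show the word-based variant.

```python
"""Added example: estimate passphrase entropy and generate random passphrases.

Uses the `secrets` module (CSPRNG), never `random`, for anything that
protects keys. WORDLIST is a tiny constructed sample; a real word-based
passphrase needs a list of thousands of words (Diceware uses 7776)."""
import math
import secrets
import string

# The 95 printable ASCII characters: letters, digits, punctuation, space.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "

# Constructed sample list, mixed languages as the page suggests. Strength of a
# word-based passphrase comes from the list size, not from the words chosen.
WORDLIST = ["tango", "fjord", "kaffee", "rio", "zumba", "lumen", "ostrov", "piano"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols each chosen uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(alphabet_size: int, target_bits: int) -> int:
    """Smallest count of uniformly random symbols that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def random_chars(length: int, alphabet: str = PRINTABLE) -> str:
    """Random character passphrase drawn with a cryptographic RNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_words(count: int, words=WORDLIST, sep: str = "-") -> str:
    """Random word passphrase; entropy is count * log2(len(words))."""
    return sep.join(secrets.choice(words) for _ in range(count))


def char_class_size(passphrase: str) -> int:
    """Size of the smallest standard character set covering the passphrase.

    This is what a brute-force attacker assumes; it credits nothing to a
    passphrase that a wordlist would find, so treat it as an upper bound."""
    size = 0
    if any(c.islower() for c in passphrase):
        size += 26
    if any(c.isupper() for c in passphrase):
        size += 26
    if any(c.isdigit() for c in passphrase):
        size += 10
    if any(c in string.punctuation or c == " " for c in passphrase):
        size += 33  # 32 punctuation characters plus space
    return size


if __name__ == "__main__":
    n = min_length_for_bits(95, 128)
    print(f"{n} printable characters give {entropy_bits(95, n):.1f} bits")
    print("example:", random_chars(n))
    print("Diceware words for 128 bits:", min_length_for_bits(7776, 128))
```

    The `char_class_size` figure is an optimistic bound: the password "Password1!" covers all 95-character classes but is on every cracking list, so the entropy estimate only holds for passphrases actually generated at random.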

    Consider using the first letter of every word from a favorite song or poem, interspersed with random keyboard characters.

    To foil those attempting a dictionary attack, don't limit your choice of words in your passphrase to English words.

    Wordlists used to crack passwords are often very sophisticated: while the average spellcheck word list is about 100k words, a typical hacker's word list is in the neighborhood of 130 MB, so you can imagine what the forces of darkness have.

    Wordlists contain "words" that include every possible date, every name imaginable, substitution spellings (e.g. |<@+3 for "kate"), every word that was ever printed in any book or magazine anywhere, all of the above with numbers appended (e.g. |<@+31 for "kate1"), all of those forwards and backwards, and more. Be unpredictable!
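    To see why a "clever" spelling buys nothing, here is a small rule engine of the kind cracking tools apply to a base dictionary, as an added example (not code from the original page). The substitution table and the three-word dictionary are constructed for the illustration; real rule sets are far larger, and the rules here (case variants, leet substitution, reversal, appended numbers) are only a subset.

```python
"""Added example: expanding a base dictionary into cracking candidates.

Shows how the page's |<@+3 / |<@+31 spellings of "kate" fall out of a few
mechanical rules. LEET and SAMPLE_DICTIONARY are constructed for this demo."""

# Substitution table chosen to reproduce the page's own example: kate -> |<@+3
LEET = {"k": "|<", "a": "@", "t": "+", "e": "3", "o": "0", "i": "1", "s": "$"}

SAMPLE_DICTIONARY = ["kate", "password", "oslo"]  # constructed base dictionary


def leet(word: str) -> str:
    """Apply the substitution table to every character it covers."""
    return "".join(LEET.get(c, c) for c in word.lower())


def mangle(word: str) -> set:
    """Candidates a simple rule engine derives from one base word:
    case variants and leet form, each also reversed, each with 0..99 appended."""
    bases = {word.lower(), word.capitalize(), word.upper(), leet(word)}
    out = set()
    for b in bases:
        rev = b[::-1]
        out.add(b)
        out.add(rev)
        for n in range(100):
            out.add(f"{b}{n}")
            out.add(f"{rev}{n}")
    return out


def expand(words) -> set:
    """Expand a whole base dictionary; size grows linearly with the rule count."""
    out = set()
    for w in words:
        out |= mangle(w)
    return out


def is_in_wordlist(candidate: str, words=SAMPLE_DICTIONARY) -> bool:
    """Would this candidate be tried by the rule engine above?"""
    return candidate in expand(words)


if __name__ == "__main__":
    wl = expand(SAMPLE_DICTIONARY)
    print(f"{len(SAMPLE_DICTIONARY)} base words -> {len(wl)} candidates")
    for probe in ("|<@+3", "|<@+31", "etak", "Kate7", "x7!Qm$"):
        print(f"{probe!r:10} found: {is_in_wordlist(probe)}")
```

    Three base words already yield well over two thousand candidates, and a cracker tries them at millions per second; the only defence the page offers is a passphrase that no rule can reach from any dictionary entry.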

    Don't use names!

    Don't use dates or numbers that are traceable to you (addresses, license plates, birth dates, phone numbers, your Social Security Number, etc.) as part of your phrase.

    Don't use the name of your computer or any combination of words that are visible from your computer station as part of your passphrase.

    Don't use filenames or parts of filenames as a passphrase.

    Don't use patterns of keyboard letters as part of your passphrase (such as QWERTY).

    Don't use any of the above ideas backwards.

    Using Your Passphrase

    Don't forget your passphrase. Don't forget your passphrase. Don't forget your passphrase. If you are using a good cipher there should be no way to recover it: a recovery mechanism is a back door anyone else can use too. If there is one, use a different cipher.

    Don't share your passphrase with ANYONE under any circumstance.

    Don't store your passphrase on your computer. No post-it notes on your monitor.

    Don't let anyone watch you type your passphrase.

    Don't use your passphrase on someone else's computer.

    Don't send your passphrase across a network, and avoid typing it on a machine connected to one.

    Compartmentalize your crypto system. One passphrase for email another for files etc...

    Don't use the same passphrase for high-security and low-security applications. Otherwise a compromise of the low-security application could result in the compromise of the high-security application. NEVER reuse it for logins (to computers, the internet etc.) or for programs that aren't specifically designed to protect data (the password protection on MS Word, PKZip, FileMaker Pro etc.). These types of programs are easily broken by trivial means, leading to a compromise of your passphrase and your sensitive data.

    Don't walk away from your computer with passphrase-enabled software still running.

    Don't write down your passphrase. Commit an hour or two to just memorizing it. Type it a few hundred times if necessary. It may be the best investment of time that you ever made.

    Never store your passphrase or key in plaintext form - encrypt it and store it on a disk. Lock up the disk in a place far away from your computer, preferably in a different building, so that if the forces of darkness come and take all your things you can still recover your files from backup (you do have offsite encrypted backup, right?!)




maintained by securitysite at tao dot ca
Comments and additions always welcome; use our feedback form.