Editing Passphrase (section)
==Security==
Source:<ref>{{Cite journal |last=Nosenko |first=Alex |last2=Cheng |first2=Yuan |last3=Chen |first3=Haiquan |date=2022-08-27 |title=Password and Passphrase Guessing with Recurrent Neural Networks |url=http://dx.doi.org/10.1007/s10796-022-10325-x |journal=Information Systems Frontiers |doi=10.1007/s10796-022-10325-x |issn=1387-3326|url-access=subscription }}</ref>

Considering that the [[information entropy|entropy]] of written English is less than 1.1 bits per character,<ref name=entropy>{{cite web | url = http://cs.fit.edu/~mmahoney/dissertation/entropy1.html | title = Refining the Estimated Entropy of English by Shannon Game Simulation | publisher = Florida Institute of Technology | author= Matt Mahoney | access-date = March 27, 2008 | archive-url=https://web.archive.org/web/20240620063221/https://cs.fit.edu/~mmahoney/dissertation/entropy1.html | archive-date=2024-06-20 }}</ref> passphrases can be relatively weak. [[NIST]] has estimated that the 23-character passphrase "IamtheCapitanofthePina4" has a strength of 45 bits. The equation employed here is:<ref name=NIST>{{cite web | url = http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf | title = Electronic Authentication Guideline | publisher = NIST | access-date = September 26, 2016}}</ref>

: 4 bits (1st character) + 14 bits (characters 2–8) + 18 bits (characters 9–20) + 3 bits (characters 21–23) + 6 bits (bonus for upper case, lower case, and alphanumeric) = 45 bits

(This calculation does not take into account that this is a well-known quote from the operetta [[H.M.S. Pinafore]]. An [[MD5]] hash of this passphrase can be cracked in 4 seconds using crackstation.net, indicating that the phrase is found in password cracking databases.)

Using this guideline, to achieve the 80-bit strength recommended for high security (non-military) by [[National Institute of Standards and Technology|NIST]], a passphrase would need to be 58 characters long, assuming a composition that includes uppercase and alphanumeric characters.

There is room for debate regarding the applicability of this equation, depending on the number of bits of entropy assigned. For example, the characters in five-letter words each contain 2.3 bits of entropy, which would mean only a 35-character passphrase is necessary to achieve 80-bit strength.<ref name=entropy2>{{cite web | url = http://www.microsoft.com/technet/security/secnews/articles/itproviewpoint100504.mspx | title = The Great Debates: Pass Phrases vs. Passwords. Part 2 of 3 | publisher = Microsoft Corporation | author= Jesper M. Johansson | access-date = March 27, 2008 | archive-url=https://web.archive.org/web/20080408164744/https://www.microsoft.com/technet/security/secnews/articles/itproviewpoint100504.mspx | archive-date=2008-04-08 }}</ref>

If the words or components of a passphrase may be found in a language dictionary, especially one available as electronic input to a software program, the passphrase is rendered more vulnerable to [[dictionary attack]]. This is a particular issue if the entire phrase can be found in a book of quotations or phrase compilations. However, the required effort (in time and cost) can be made impracticably high if there are enough words in the passphrase and if they are [[random]]ly chosen and ordered in the passphrase. Under those conditions, the number of combinations that would have to be tested makes a dictionary attack so difficult as to be infeasible. These are difficult conditions to meet, and selecting at least one word that cannot be found in ''any'' dictionary significantly increases passphrase strength.

If passphrases are chosen by humans, they are usually biased by the frequency of particular words in natural language. In the case of four-word phrases, actual entropy rarely exceeds 30 bits. On the other hand, user-selected pass''words'' tend to be much weaker than that, and encouraging users to use even 2-word passphrases may be able to raise entropy from below 10 bits to over 20 bits.<ref>Joseph Bonneau, Ekaterina Shutova, [https://www.cl.cam.ac.uk/~jcb82/doc/BS12-USEC-passphrase_linguistics.pdf Linguistic properties of multi-word passphrases], University of Cambridge</ref>

For example, the widely used cryptography standard [[OpenPGP]] requires that a user make up a passphrase that must be entered whenever decrypting or signing messages. Internet services like [[Hushmail]] provide free encrypted e-mail or file sharing services, but the security present depends almost entirely on the quality of the chosen passphrase.
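
The length-based estimate and the length figures quoted in this section can be reproduced as follows. This is an added example, not part of the cited NIST guideline or of the original article. The per-character rates are derived from the totals in the equation above; the digit test for the bonus, the blocklist lookup and the 7776-word list size are assumptions made for illustration.

```python
import math

def nist_bits_for_length(n: int, bonus: bool) -> float:
    """Length-based schedule quoted above: 4 bits, then 2, 1.5 and 1 bit per character."""
    if n <= 0:
        return 0.0
    bits = 4.0                              # 1st character
    bits += 2.0 * (min(n, 8) - 1)           # characters 2-8 (14 bits over 7 characters)
    bits += 1.5 * max(0, min(n, 20) - 8)    # characters 9-20 (18 bits over 12 characters)
    bits += 1.0 * max(0, n - 20)            # characters 21 onward
    return bits + (6.0 if bonus else 0.0)

def nist_estimate(secret: str, blocklist=frozenset()) -> float:
    """Estimate for a concrete secret; a blocklisted phrase is scored as 0 bits."""
    if secret.lower() in blocklist:
        return 0.0   # already in a cracking dictionary: length no longer matters
    # Assumption: the bonus is granted when upper case, lower case and a digit all occur.
    bonus = (any(c.isupper() for c in secret) and any(c.islower() for c in secret)
             and any(c.isdigit() for c in secret))
    return nist_bits_for_length(len(secret), bonus)

def min_length(target_bits: float, bonus: bool = True) -> int:
    """Shortest length whose schedule estimate reaches target_bits."""
    n = 1
    while nist_bits_for_length(n, bonus) < target_bits:
        n += 1
    return n

def flat_length(target_bits: float, bits_per_char: float) -> int:
    """Length needed when every character carries the same entropy."""
    return math.ceil(target_bits / bits_per_char)

def random_words_needed(target_bits: float, wordlist_size: int) -> int:
    """Words needed when each is drawn uniformly at random from the list."""
    return math.ceil(target_bits / math.log2(wordlist_size))

PHRASE = "IamtheCapitanofthePina4"            # the example quoted in this section
KNOWN_QUOTES = frozenset({PHRASE.lower()})    # constructed stand-in for a cracking wordlist

if __name__ == "__main__":
    print(nist_estimate(PHRASE))                  # schedule estimate for the quoted phrase
    print(nist_estimate(PHRASE, KNOWN_QUOTES))    # same phrase once it is on a known list
    print(min_length(80), flat_length(80, 2.3))   # lengths for the 80-bit target
    print(random_words_needed(80, 7776))          # 7776 = assumed word list size
```

The blocklist branch models the caveat given with the equation: a length-based score says nothing about a phrase that already appears in a quotation list or cracking database, so a strength meter should check such lists before reporting any bit count.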