The passphrase FAQ
This document answers frequently asked questions about passphrases. A passphrase is basically a sentence or phrase that serves as a more secure password. A typical password is 6 to 8 characters long and is often a word found in a dictionary, which is very unsafe. A passphrase could be a complete sentence, preferably a nonsensical one; such a sentence is much harder to guess.
MD5 and IDEA are based on 128-bit blocks. It should be trivial to adapt the calculations to a 56-bit DES key or to keys of other sizes. Passwords differ from passphrases in length, but the same ideas work for analyzing either your password or your passphrase.
This is version 1.06a, 13 January 1997 (but still accurate; it's maths, after all).
List of questions
About this FAQ
- Introduction from Randall T. Williams
- About the notation used in this document
- The really big numbers
- Glossary
Getting started
- How do I get random numbers?
- What is MD5?
- Should I use a pseudo-random number generator?
- What about hardware random number generators?
Practical questions
- How long should the passphrase be?
- What if I use all random letters?
- What if I use all random characters?
- What if I use another language?
- What if I use common phrases or quotes?
- What happens if I combine phrases and nonsense phrases?
- Does odd spelling, punctuation and capitalization help?
- What if I use random words?
- Can I use a small dictionary designed for passphrases?
Strength of the passphrase
Passphrase attackers
- How long does it take to attack a passphrase?
- What about an average computer owner?
- How hard is it to crack an IDEA key?
- How hard is it to crack RSA?
- Who might try to get my passphrase and how?
- How would law enforcement try to obtain my passphrase?
- Can I trust my computer?
- Can I trust multi-user systems?
- What about electronic surveillance?
- How do I securely store my passphrase(s)?
- Should I write my passphrase down?