Password Safety & Security: Passwords vs. Passphrases
May 5th 2022 is World Password Day and F5 Labs want to celebrate it!
By now I think everyone in IT has seen the excellent XKCD comic on passphrases. Passphrases are easier to remember, longer, and,...
Published May 03, 2022
Version 1.0
warburtr0n
Employee
I am a principal threat researcher and current director of F5 Labs. My focus areas of research are information security management, cryptography, TLS and identity.
After 20 years in IT, much of which has been working with applications and cloud infrastructure, and 7 years of which was spent as a Senior Solutions Engineer within the F5 sales organisation, I wanted a fresh challenge. Security was a growing passion, so I went back to university and earned a distinction in the MSc course of Information Security at Royal Holloway University of London. My dissertation was on the use of cryptography within IoT devices and networking protocols.
Today I am part of the F5 Labs threat research team and speak at industry events all over the world and regularly contribute to online and broadcast media. I am lead author of the TLS Telemetry and Phishing and Fraud Reports and owner and maintainer of the new F5 Labs tool 'cryptonice'.
shsingh
Employee
May 05, 2022
Perhaps it's a moot point... no matter how unbreakable your password, you are likely to change it if a site is breached and credentials stolen - regardless of whether the attacker was able to crack your password over the list.
So to make that something tangible, are we protecting a password against a targeted credential attack (i.e. someone specifically wants MY details), or from large-scale breaches (in which case you are more likely to change regardless of password/passphrase strength)?
If it is the latter, then we get into areas of "did I know a site I frequent was breached"... etc., which password managers typically do a good job of keeping track of.