Phil Zimmermann's popular crypto system PGP, for example, requires you to make up a passphrase that you enter whenever you sign or decrypt messages. So does GPG (GnuPG), the free implementation of the newer OpenPGP Internet standard. An Internet service called HushMail provides free encrypted e-mail, but its security depends almost entirely on the quality of the passphrase you choose. You should have your passphrase ready before creating your PGP or GPG key or opening a new HushMail account. 'Inventing' a passphrase while typing it into the prompt is poor practice, and very likely to produce a weak passphrase, and so weak security.
Passphrases differ from passwords. A password is usually short, six to ten characters. Such passwords may be adequate for logging onto computer systems (if changed frequently, if they cannot be found in a dictionary, if they are long enough that a brute force search is impractical, and if ...), but they are certainly not safe for use with quality security systems such as encryption software. Passphrases are a better choice. First, they usually are (and always should be) much longer: 20 to 30 characters or more is typical, which makes exhaustive search impractical, provided the phrase is genuinely unpredictable and not, say, a well-known quotation. Second, if well chosen, they will not be found in any 'phrase dictionary' of quotations, song lyrics and proverbs, so a dictionary attack will fail. Third, they can be structured so that they are easier to remember without being written down, reducing that risk as well. They can thus be considerably more secure. The modern concept of the passphrase was introduced by Sigmund N. Porter in 1982.
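To make the arithmetic behind this comparison concrete, here is an added Python example; it is not code from the original article, nor from PGP, GPG or HushMail. The word list, the phrase dictionary and the assumed attacker rate of 10^10 guesses per second are constructed for the illustration; a real Diceware-style list has 7776 words, and the entropy figures use that size rather than the toy list.

```python
import math
import secrets

# Constructed word list for the demonstration. A real Diceware-style list has
# 7776 words; the entropy figures below are computed from the list size you
# pass in, not from this toy list.
WORDS = [
    "anvil", "basil", "cobalt", "delta", "ember", "fjord", "glyph", "harbor",
    "ingot", "jigsaw", "kelp", "lumen", "marble", "nectar", "orbit", "pylon",
]

# Constructed stand-in for an attacker's 'phrase dictionary': quotations,
# lyrics, proverbs and widely published example passphrases.
PHRASE_DICTIONARY = [
    "to be or not to be",
    "the quick brown fox jumps over the lazy dog",
    "correct horse battery staple",
    "a stitch in time saves nine",
]

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy, in bits, of a secret whose `length` symbols are each drawn
    uniformly at random from `alphabet_size` possibilities. For a passphrase
    the 'symbols' are words and the 'alphabet' is the word list."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time for an attacker to try every possibility at the given
    guess rate. The rate is the attacker's, not the victim's: offline attacks
    on a PGP/GPG private key file are limited only by the attacker's hardware."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def normalize(phrase: str) -> str:
    """Canonical form an attacker would also apply: lowercase, punctuation
    removed, whitespace collapsed. Capital letters and punctuation therefore
    add less strength to a well-known phrase than people expect."""
    letters = "".join(c.lower() if c.isalnum() else " " for c in phrase)
    return " ".join(letters.split())


def in_phrase_dictionary(phrase: str, dictionary=PHRASE_DICTIONARY) -> bool:
    """True if the phrase would fall to a dictionary attack."""
    return normalize(phrase) in {normalize(p) for p in dictionary}


def generate_passphrase(wordlist, n_words: int) -> str:
    """Choose n_words uniformly at random with the OS CSPRNG (secrets). This is
    what 'having your passphrase ready' should mean: generated in advance, not
    improvised at the prompt. Entropy is n_words * log2(len(wordlist))."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def compare(guesses_per_second: float = 1e10) -> dict:
    """Entropy and worst-case search time for a few secret types. The guess
    rate is an assumed figure for an offline attack, chosen only to make the
    comparison concrete."""
    cases = {
        "8 lowercase letters": entropy_bits(26, 8),
        "8 printable ASCII chars": entropy_bits(95, 8),
        "6 words from a 7776-word list": entropy_bits(7776, 6),
    }
    return {name: (bits, years_to_exhaust(bits, guesses_per_second))
            for name, bits in cases.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:32s} {bits:6.1f} bits  ~{years:.3g} years to exhaust")
    for phrase in ("To be, or not to be!", "Correct Horse Battery Staple"):
        print(f"{phrase!r}: in phrase dictionary -> {in_phrase_dictionary(phrase)}")
    print("generated:", generate_passphrase(WORDS, 6))
```

Two things the output makes visible: an eight-letter password is roughly 38 bits and falls to an offline search in seconds at the assumed rate, while six random words from a 7776-word list are about 78 bits and take on the order of 10^5 years; and a long passphrase that is a famous quotation, however capitalised or punctuated, is found by the dictionary check immediately, so length alone is not what protects you.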
Picking a good passphrase is one of the most important things you can do to preserve the privacy of your computer data and e-mail messages. A passphrase should be: