Читать книгу The Official (ISC)2 SSCP CBK Reference - Mike Wills - Страница 133

Since about 2016, more and more voices in the information security community have recommended the use of strong passphrases instead of passwords, primarily as a way to avoid all of the inherent failings of humans and human organizations to make effective use of more complex passwords. (One of the industry pundits who first advocated complex passwords actually offered a bit of an apology for doing so, as he acknowledged his change of heart on this topic.) A passphrase is a longer string of characters that ideally is both meaningful and memorable to its user and creator but is not easily inferred by others based on public knowledge about that individual. It should also not be a direct quote (with or without spaces and punctuation) from a published work. For example, if I am a well-known fan of J. R. R. Tolkien's body of fantasy works, a passphrase such as “inawholeindagroundlovedahobbit” might be too easy for someone to deduce based on my interests. (If I am anything but a fan of fantasy, by contrast, it just might be a start on a good passphrase.) Some of the best passphrases are made by combining four or five totally unrelated words together, with the occasional shift of letter case or a substitution of vowels with numbers. “Strongch33z3janerator,” for example, might start with “strong phrase generator” and be tweaked by the user into a phrase that might withstand attack for 35 quintillion years, according to www.howsecureismypassword.net (but don't use it as is because it's been published). Adding a few extra characters to a passphrase, such as tacking on a four-digit number to its end, does nothing for its overall hardness. Do be aware that many systems have length limits on the input fields for passwords (or passphrases) and advise users to stay within those lengths.

Several key benefits come from using passphrases instead of classic but complex passwords:

 Users find them easier to create and remember, without relying on publicly available knowledge about them as a person.

 Longer passphrases exponentially increase the search space that a password cracker has to operate in, requiring much larger dictionaries or rainbow tables as well as far more CPU cycles.

 Passphrases actually make it easier for users to creatively use numbers, case shifts, and special characters as part of their phrase than they can in much shorter passwords.

Security practitioners are also recommending that with proper use, passphrases do not benefit from being changed periodically.

Passphrases, of course, are prone to being written down and to being reused on more than one system that the user has access to. Using a password manager application can help with these risks.