Passphrase Token Attacks

  • 13 February 2019
  • 0 replies
  • Community and Advocacy Manager
Webroot Senior Security Analyst and community member @RAbrams posted a follow-up piece to his successful and engaging post on password constraints. There were a lot of questions and comments, so we felt it was time to post a follow-up. Looking forward to jumping into the comments with you and Randy!

In my blog, Password Constraints and Their Unintended Security Consequences, I advocate for the use of passphrases. Embedded in the comments section, one of our readers, Ben, makes a very astute observation:

What happens when attackers start guessing by the word instead of by the letter? Then a four-word passphrase effectively becomes a four-character password.

What Ben is describing is called a “passphrase token attack,” and it’s real. With a good passphrase, the attack is not much of a threat though. First, a definition, then I’ll explain why.

Read the rest of the post and then come back and ask your questions below!