Passphrase Token Attacks

Webroot Senior Security Analyst and community member @RAbrams posted a follow-up piece to his successful and engaging post on password constraints. There were a lot of questions and comments, so we felt it was time to post a follow-up. Looking forward to jumping into the comments with you and Randy!

In my blog, Password Constraints and Their Unintended Security Consequences, I advocate for the use of passphrases. Embedded in the comments section, one of our readers, Ben, makes a very astute observation:

What happens when attackers start guessing by the word instead of by the letter? Then a four-word passphrase effectively becomes a four-character password.

What Ben is describing is called a “passphrase token attack,” and it’s real. With a good passphrase, the attack is not much of a threat though. First, a definition, then I’ll explain why.

Read the rest of the post and then come back and ask your questions below!
