Progression of Authentication: Comparing Passwords, Passphrases, and Passkeys

Join Rudy Ramos for a weekly look at all things interesting, new, and noteworthy for design engineers.

In the 1932 Marx Brothers' film “Horse Feathers,” Wagstaff (Groucho), the new college president, visits a speakeasy. Baravelli (Chico) accidentally reveals that the entry password is “Swordfish.” However, after Wagstaff enters and Baravelli exits, Wagstaff alters the password, promptly forgetting it. This mishap results in both being locked out. This early comedy exemplifies, though exaggerated, the flaws in human nature and behavior when it comes to passwords.

Weak passwords have been a consistent issue for data security. According to various studies and reports over the years, weak passwords or reused passwords are often the primary culprits in many data breaches. This week, we take a look at the differences between passwords, passphrases, and passkeys, and how the power of “length” is the key factor for security regardless of whether you use passwords or passphrases.

The Weakest Link

The weakest link in securing digital assets is often said to be the “human element.” Despite advanced technology and sophisticated security protocols, human behaviors, mistakes, and oversights can introduce vulnerabilities that malicious actors can exploit. Among the list of vulnerabilities posed by the human element, poor password practices are near the top. Many people still use weak passwords or reuse passwords across multiple sites and services, making it easier for attackers to gain unauthorized access.

For instance, in 2023, 64% of passwords only contain eight to 11 characters. Nearly 40% of users admit to sharing their personal passwords with others, and 61% of those affected by password hacking had passwords that were shorter than eight characters.

Also, according to the Q2 2023 Cyber-threat Report (April 1 - June 30) by ReliaQuest, a significant spike in ransomware activity was noted, marking it as the quarter with the highest number of victims listed on ransomware data-leak sites. The ransomware group ALPHV, affiliated with “DarkSide” and “BlackMatter,” practices triple extortion: ransomware, data theft, and DDoS attacks. ALPHV employs the AES and ChaCha20 encryption algorithms, targeting operating systems like Windows, ESXi, Debian, and more. They infiltrate systems through vulnerabilities, compromised passwords, or initial access brokers (IABs), using tools such as WebBrowserPassView, Cobalt Strike, and Mimikatz for password acquisition, initial access, and privilege escalation.

Lastly, the average global cost of a data breach in 2023 was a record high $4.45 million. Furthermore, a 2019 study by the Ponemon Institute highlighted that companies in the United States, United Kingdom, Germany, and France spend, on average, around $5.2 million annually responding to password-related issues, revealing the economic impact of weak password practices.

User Authentication

User authentication is critical for online security, and despite education and awareness movements, users still practice poor password etiquette and sometimes fall victim to phishing emails, leading to unauthorized access, malware infections, and data breaches. Also, physical security oversights like losing devices—e.g., laptops or USB drives—or leaving them unattended can lead to data breaches. Without proper cybersecurity training, employees might not recognize potential security threats or understand the best practices to mitigate them.

To address all these human elements, continuous education, training, and cyber security awareness campaigns are nonetheless essential. Tools such as multi-factor authentication (MFA) can also mitigate risks associated with human error. Still, cultivating a security-conscious corporate and personal culture is one of the most effective strategies to protect digital assets.

Authentication Best Practice

Moving towards a security-conscious culture requires rethinking our approaches to authentication. Authentication of login credentials aims to verify an individual's identity, ensuring system access is granted only to legitimate users. Understanding the best practices for the three primary user authentication methods—passwords, passphrases, and passkeys—is crucial to prevent unauthorized system access and thwart potential attackers.

Passwords are user-created character strings, while passphrases are longer, word-based sequences for enhanced security. Passkeys employ public-key cryptography, stored on devices, and use biometrics or security keys as the second authentication factor instead of codes.

The key factor for security, whether using passwords or passphrases, is length. Increasing a password’s length raises the difficulty of brute forcing exponentially. Passphrases have equivalent or better strength than passwords of the same length. Very long, 20+ character passwords or 5+ word passphrases offer protection that may take longer than a human lifetime to crack through brute force alone

The table below shows the estimated brute force crack times for passwords vs. passphrases of different lengths with numbers, upper and lowercase letters, and symbols. Note that estimated times are approximate since crack speed depends heavily on the hacking hardware and techniques. (Source: Author)

Password/Passphrase Length	Estimated Crack Time
8-character password	Seconds to minutes
12-character password	Hours to days
16-character password	Years
20-character password	Centuries
4-word passphrase	Centuries
5-word passphrase	Millennia
6-word passphrase	Millions of years
7-word passphrase	Billions of years

Key Features of Passwords, Passphrases, and Passkeys

Passwords

• Authentication: Passwords are one of the most common methods for user authentication. They help systems verify the identity of users.
• Complexity: A strong password typically consists of a mix of uppercase letters, lowercase letters, numbers, and symbols, which make it difficult for unauthorized users to guess or break using various hacking methods.
• Encryption: In secure systems, passwords are often stored in an encrypted form. When users enter their password, the system encrypts the input and compares it to the stored encrypted version.
• Use Cases: Passwords are used in various digital contexts, including logging into computers, email accounts, social media platforms, online banking, and more.
• Security Weaknesses: Because of their widespread use and often weak construction, passwords are a frequent target for cyberattacks, like brute force attacks, dictionary attacks, and phishing. Also, passwords can be hard to remember.
• Best Practices: It's recommended to have unique passwords for different accounts, regularly update passwords, and avoid using easily guessable information, like birthdays or names.
• Additional Proof of Identity: Passwords are increasingly being paired with other authentication methods, like two-factor authentication (2FA), to improve security.

Passphrases

• Length: Passphrases are typically longer than passwords. This added length can make them more secure against brute force attacks.
• Memorability: Passphrases often consist of multiple words or a sentence, making them easier to remember than complex passwords. For instance, "BlueSkyRainyDay!" is easier to remember than "B$Rd#91!".
• Usage: Passphrases work well for master passwords or encryption keys.
• Entropy: Good passphrases have high entropy, meaning they are random and hard to predict. This makes them resistant to dictionary attacks, where an attacker tries every word in the dictionary.
• Use in Cryptography: Passphrases are often used as the human-memorable component in generating strong encryption keys. For instance, in PGP (Pretty Good Privacy) encryption, a passphrase encrypts the private key.
• Ease of Typing: Because they are often composed of regular words or sentences, passphrases can be quicker and less error-prone compared to passwords with a mix of characters, numbers, and symbols.
• Commonality: Not all passphrases are secure. "password1234" is technically a passphrase, but it's not a secure one. Good passphrases should avoid using common phrases or quotations and ideally include a mix of character types (uppercase, lowercase, numbers, symbols) when the system allows.

Passkeys

• Public-Key Cryptography: Passkeys often relate to cryptographic key pairs consisting of a public key and a private key. The public key can be shared with anyone, while the private key remains confidential.
• Device-Based: Passkeys can be generated and stored on a user's device, such as a smartphone or hardware security token. Passkeys eliminate password reuse across accounts.
• Two-Factor Authentication (2FA): In some implementations, passkeys are used as part of a 2FA process. In addition to something you know (like a password), it involves something you have, such as a device that generates or stores a passkey, like a YubiKey.
• Biometric Integration: Some passkey systems incorporate biometrics as an added security layer. A device might require a fingerprint or facial recognition scan before displaying or using the passkey.
• Usage in Temporary Authentication: Passkeys can sometimes be temporary or single-use codes generated for the purpose of a specific session or transaction.
• Avoid Shared Secrets: Unlike passwords, which are shared with the server for validation (though usually in hashed form), passkeys, especially in the context of public-key cryptography, avoid the need to share secrets. The server can verify the user's identity without ever knowing or storing the exact passkey. Passkeys are resilient against phishing and leaks, are easier to use, and are more secure.
   

Featured Products

This week's New Tech Tuesday introduces Microchip Technology's EV97M19A and Swissbit's iShield Key Pro. These two cutting-edge solutions are crafted for those who demand uncompromised security in engineering applications.

The Microchip Technology EV97M19A is a compact mikroBUS™ extension board for showcasing Microchip's SHA104 and SHA105 capabilities. While the SHA104 focuses on accessory-side applications like consumables, the SHA105 caters to host-side needs, enabling mutual authentication. Together, they ensure robust mutual symmetric authentication in commercial and industrial settings.

Designed for seamless integration with the CryptoAuth Trust Platform and other Microchip platforms with a MikroElektronica mikroBUS header, the EV97M19A also supports connection to XPRO header boards via the ATMBUSADAPTER-XPRO. It streamlines the authentication system development with its onboard Microchip devices.

Key features:

• SHA104 and SHA105 devices with I2C interface for accessory and host-side authentication, respectively
• Additional SHA104 device with Microchip's unique SWI-PWM interface
• Convenient parasitic power option for SHA104 and selectable jumper
• Compact mikroBUS board with pass-through header for extra mikroBUS boards
• 3V default power with an optional 5V via a 0Ω resistor
• Onboard power indicator LED

Swissbit's iShield Key Pro (USB-A/NFC) delivers secure, simple, and versatile authentication. This hardware-based solution elevates online account protection against online attacks, such as phishing, social engineering, and account takeover, aligning with Swissbit's reputation for robust data and device security. Tailored for businesses, IT infrastructures, and online service providers, it offers users superior protection for personal and professional online accounts through advanced asymmetric cryptography. Crafted in Berlin's Swissbit factory, the iShield Key Pro boasts impeccable quality and is customizable. It supports NFC for mobile devices and ensures seamless integration with any FIDO2 and U2F compatible platforms, even allowing password-less sign-ins to Windows 10. With its all-in-one design, it fortifies authentication, replaces traditional passwords, and offers options ranging from single-factor to multi-factor authentication.

Key Features:

• Works with FIDO2 and U2F-compatible websites and services
• Supports FIDO2 and U2F standards
• Public and private key cryptography
• HOTP (Event), Smartcard (PIV-compatible), OpenSC-compatible
• Durable security key with fully molded, robust, and water-resistant housing
• Tap-and-go authentication with NFC for mobile devices
• Touch authentication for USB-A interface
• OS: Windows 10/11, macOS, iOS, Linux, Chrome OS, Android
• Browsers: Firefox, MS Edge, Google, Chrome, Apple Safari

Takeaway

Passwords are a prevalent part of our lives, and while the incessant requirements to update them can seem tedious, taking authentication seriously is the first step in protecting our data. Weak passwords are a substantial cybersecurity vulnerability that comes at a significant cost. Secure user authentication is paramount in the digital age. Passwords, passphrases, and passkeys play vital roles in ensuring only authorized users access systems. Each offers advantages, but their efficacy hinges on proper use and understanding. Still, regardless of the chosen authentication method, length is a pivotal security factor. A password's length directly influences its resilience against brute force attacks. While there are numerous best practices for authentication, cybersecurity’s greatest defense is password length.  

Original Source: Mouser

About the Author

Rudy is a member of the Technical Content Marketing team at Mouser Electronics, bringing 35+ years of expertise in advanced electromechanical systems, robotics, pneumatics, vacuum systems, high voltage, semiconductor manufacturing, military hardware, and project management. As a technology subject matter expert, Rudy supports global marketing efforts through his extensive product knowledge and by creating and editing technical content for Mouser's website. Rudy has authored technical articles appearing in engineering websites and holds a BS in Technical Management and an MBA with a concentration in Project Management. Prior to Mouser, Rudy worked for National Semiconductor and Texas Instruments.