Webroot Senior Security Analyst and community member @RAbrams posted a follow-up piece to his successful and engaging post on password constraints. There were a lot of questions and comments, so we felt it was time to post a follow-up. Looking forward to jumping into the comments with you and Randy!
In my blog, Password Constraints and Their Unintended Security Consequences, I advocate for the use of passphrases. Embedded in the comments section, one of our readers, Ben, makes a very astute observation:
What happens when attackers start guessing by the word instead of by the letter? Then a four-word passphrase effectively becomes a four-character password.
What Ben is describing is called a “passphrase token attack,” and it’s real. With a good passphrase, the attack is not much of a threat though. First, a definition, then I’ll explain why.
Read the rest of the post and then come back and ask your questions below!