It’s time for your password to grow up.
Passwords. First you were told, and then you were forced, to make yours as complicated as possible. You took your formerly simple password (catsname) and added strings of numbers (catsname123), letters (catsname1abc), and symbols (c@tsn*m#1abC). When finished, you had an incomprehensible, mutant string of characters because you thought that was how to create a good password. Except you forgot it. The password became so complex that no reasonable person could have committed it to memory. Perhaps you wrote it down and posted it to the edge of your computer screen. Maybe you keep a master document somewhere on your computer with all of your passwords. You know it’s not a secure password, but what else are you supposed to do? Even if you did manage to remember it and keep it hidden from prying eyes, did you realize that having a complicated password isn’t even that secure? Password policy has become so annoying and so ineffective that even the guy who invented them now wishes he hadn’t.Why your business needs to forget the traditional password
In a time when cyberattacks on business emails are surging, it’s more important than ever to have reliable login security. The more people at your organization, the higher the chance of being compromised. That means having a strong password is more important than just you. It’s about the protection of your entire organization. What makes a strong password? Anything under 8 characters is a weak password. It turns out that the longer a password is, the better. In fact, the term ‘password’ is old news. Let’s all welcome the passphrase, a less complex and safer way to protect your login information. It all started with a report issued by the National Institute of Standards and Technology (NIST) in June of 2017. The report notes that password complexity was created because “[humans] have only a limited ability to memorize complex, arbitrary secrets, so they often choose passwords that can be easily guessed.” It turns out, however, that most complex passwords are just as easy to hack as simple ones. That’s because complexity is not the determining factor in password security. Instead, password length and passphrases are what’s getting all the attention now. What is a passphrase? Anything longer than ten characters fits the definition of a passphrase.Passwords vs. passphrases, explained
What’s the difference between a password and a passphrase? A typical valid password is between 8-12 characters. Remember your mutant pass: c@tsn*m#1abC. A passphrase is far more extensive: my cats name is probably norman but maybe not Notice the passphrase contains spaces, and while it resembles a sentence, it isn’t really a logical sentence. In other words, it’s harder for a person or program to guess. How long is a good password? When using a phrase, as long as you can make it while still having something you can remember. Why are passphrases better than passwords? It all has to do with the math (which we won’t get into here) behind password entropy. Password entropy measures a password’s unpredictability. It’s based on many of the password features we’ve mentioned, like character set and length. The more difficult it is to crack a password, the higher the entropy score (which is expressed in “bits”). This stuff matters. Using Google as a barometer for password hacks, the data is troubling. A report they issued recently found some disturbing numbers for email hacks from the top ten providers in just one year: “In terms of unique users, our dataset includes 1,092,567,042 credential leak victims, 3,779,664 phishing victims, and 2,992 keylogger victims.” As hard as your business may be working to complicate your password, there are millions of hackers out there, with thousands of available tools, trying even harder to steal it. If you even have to ask, how strong is my password, it’s likely not very strong. How do passphrases prevent password hacks? It’s relatively simple: the longer your passphrase is, the harder it is to crack. Long phrases have a dual benefit: you generate more entropy while also making it easier for you to remember. Complexity in a long passphrase isn’t horrible, but if you think you’ve got good password security with eight characters just because it’s nearly inscrutable, think again. As an article in UX Planet simply states: “A long password is king. It’s nearly unimportant if you have 26, 52, 62 or even more different characters because security increases exponentially with the length.” This is great news because it benefits you, the one who actually has to remember the password. Of course, it also protects sensitive data, like the financial information of your business.5 tips for creating simpler, more effective passphrases
Now that you’re ready to start protecting your organization’s login information, here’s how to create a secure password by using passphrase rules:1. Passphrases are better than passwords. Remember the rule: entropy over complexity. The longer your passphrase is, the better your chances of keeping it safe. Long passphrases are exponentially safer than short, complicated passwords.
Your passphrase could be anything personal to you but not known to anyone else. If you focus on making the phrase as long as you can while still being able to recall it, consider it safer than a password.2. Make your passphrase memorable. The newly recommended changes for passwords allow you to have a passphrase that you can actually remember. While it can’t hurt to add complexity to your passphrase, there’s a risk in adding too much.
According to the NIST report: “Highly complex memorized secrets introduce a new potential vulnerability: they are less likely to be memorable, and it is more likely that they will be written down or stored electronically in an unsafe manner.” Many of us are guilty of this. You need to make sure you can actually remember your password; otherwise, it’s useless to you.3. Don’t make your passphrase easy to guess (by a person or a program). There’s a thin line between “memorable” and “easy to guess.” If your phrase is related to something about you that everybody knows, consider that unsecure information and don’t make it part of your login.
Think about this further: hackers aren’t sitting at a computer trying to crack your password one guess at a time. They’re using sophisticated password crackers that can go through every phrase in any human language. Song lyrics, movie quotes, or something personal to you probably isn’t safe. Consider using a random password generator (or, better, a complex passphrase generator) to help you avoid getting hacked.4. Create different passphrases for multiple logins. We’re not throwing all the traditional password advice out the window, here. It is still recommended that you have a different passphrase for each login you use. If you’re using a single login phrase and a hacker is able to guess it, they now have access to everything you keep secure.
You can get creative with this. Since passphrases can be anything memorable to you, find a way to have multiple phrases that are related in your mind, in a way that wouldn’t be easily guessable by someone else or a computer hacking program. Now that you’re free to focus on phrases, have some fun doing it!5. Change your passphrase… occasionally. With traditional password rules, most businesses mandate frequent password changes at least every 60 or 90 days. How often should you really change your password? If you’re using a strong passphrase, however, you may not need to change it quite that often.
The more often you change your password, the more likely you’ll be to forget it. We tend to remember what our passwords used to be more often than we remember what they currently are. That doesn’t mean your business should never change a passphrase. It’s still a sound security practice, just not one that requires the same amount of attention that it used to. Again, the move toward passphrases is designed to make things easier and safer for you.