
Passphrases - the solution to password problems

It’s not controversial to say that good, secure passwords are hard to create and even harder to remember.

And among first-world problems, there are few things more frustrating than having to create a new password because you either forgot the old one or were forced to change it.

In our misguided attempts to make passwords easier to remember we, subconsciously or not, adopt bad password habits. Password123 becomes Password456, which eventually leads to something like P@$$w0rd789 to satisfy whatever password rule we're up against. Sound familiar? We've all done it.

Security experts now recommend the use of passphrases instead of passwords.  A passphrase is a string of simple, unrelated words (generally 4), exceeding 15 characters, that’s easy for you to remember, but hard for criminals to crack.

This table from hivesystems.io shows that the more characters a password has, the harder it is for a hacker to brute-force. Any password with 8 characters or fewer, no matter how complex, can be cracked in less than a day. Double that to 16, mix in some upper and lower case letters, and you've bought yourself roughly 2 BILLION years (give or take a million) before that password will be cracked. Add some numbers and symbols and you've upped that to a trillion years.

The other advantage to passphrases is that they can be easy to create AND remember.


A method for creating memorable passphrases that can't be cracked

Here’s one easy, fun way to create a 4-word passphrase that’s simple to remember but almost impossible to crack.  Using a few different parts of speech (adjective, noun, and verb) will help to paint a memorable picture in our heads that’ll stick and help us to recall the passphrase.  Don’t worry – we’ll explain as we go and there’s no test at the end.

Step 1 – pick a word with 4 letters.
This 4-letter word is just the "backbone" for creating a 4-word passphrase, and it makes the passphrase easier to recall. We'll call it the "key word". For this example, we'll use NEMO as the key word.

N
E
M
O

 

Step 2 – pick an adjective that starts with the 1st letter of your key word.
An adjective is a word that describes the characteristics of something – green, old, loud, shiny, are all words that could describe a car, for example.  We’ll use Ninja as the 1st word of the passphrase:

Ninja
E
M
O
 

Step 3 – pick a noun that starts with the 2nd letter of your key word.
A noun is a person, place or thing.  We’ll go with Elephant.

Ninja
Elephant
M
O

 

Step 4 – pick a verb that starts with the 3rd letter of your key word.
A verb is an action word – go, read, draw, look.  Let’s pick Move.

Ninja
Elephant
Move
O

Step 5 – pick any word that starts with the 4th letter of your key word that completes the picture.
Here, just pick a word that helps to create a memorable image. 

Ninja
Elephant
Move
Outside

Can you picture an elephant dad yelling at their elephant kid, dressed up like a ninja and causing a ruckus, to go outside?  Very strange for sure, but a memorable passphrase without question.

NinjaElephantMoveOutside

The key word (NEMO) helps you remember the letters that begin each word of the passphrase.

Step 6 – extra credit
You can add or replace some characters with similar-looking numbers or characters to make it just as easy to remember, but even harder to crack:

N1nja3lephantMoveOut$ide

This gives us a 24-character passphrase with 2 numbers and a special character. According to the table, that gives us more than 7 quadrillion years before a hacker can crack it. 

Here’s another example with HULK as the key word:

Heavy
Unicorn
Leaps
Kinda

Again, you can imagine a rather large unicorn trying to jump and maybe not doing it very well.  Odd image, but it sticks.  Add some special characters and / or numbers and you’ve got a solid passphrase:

heavyUnic0rnLe@psKinda?

23 characters with a number and 2 special characters.  Easy to remember and more than 7 quadrillion years before someone will guess your password.
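An added example (not part of the original post) that automates steps 1 to 5: it picks each word at random with Python's `secrets` module and reports how many bits of randomness that pick contains. The word lists are small constructed samples, and the function names are hypothetical.

```python
import math
import secrets

# Constructed sample word lists (assumption: a real list would be far larger).
WORDS = {
    "adjective": ["ninja", "noisy", "narrow", "nervous", "heavy", "hollow", "humble", "hasty"],
    "noun": ["elephant", "engine", "eagle", "envelope", "unicorn", "umbrella", "uncle", "uniform"],
    "verb": ["move", "march", "melt", "mumble", "leaps", "laughs", "lifts", "learns"],
    "any": ["outside", "often", "orange", "overhead", "kinda", "kindly", "keenly", "kites"],
}
SLOTS = ["adjective", "noun", "verb", "any"]  # steps 2-5 of the method


def candidates(key_word):
    """Return, for each letter of the 4-letter key word, the words that may fill that slot."""
    key = key_word.lower()
    if len(key) != 4 or not key.isalpha():
        raise ValueError("key word must be exactly 4 letters")
    pools = [[w for w in WORDS[slot] if w.startswith(ch)] for slot, ch in zip(SLOTS, key)]
    if any(not pool for pool in pools):
        raise ValueError("no word available for one of the key-word letters")
    return pools


def pick_words(key_word):
    """Pick one word per slot with a CSPRNG rather than by personal preference."""
    return [secrets.choice(pool) for pool in candidates(key_word)]


def make_passphrase(key_word):
    """Join the picked words in the post's CamelCase style, e.g. NinjaElephantMoveOutside."""
    return "".join(w.capitalize() for w in pick_words(key_word))


def entropy_bits(key_word):
    """Bits of randomness in the pick: log2 of the number of possible word combinations."""
    return sum(math.log2(len(pool)) for pool in candidates(key_word))


if __name__ == "__main__":
    for key in ("NEMO", "HULK"):
        print(key, make_passphrase(key), f"{entropy_bits(key):.1f} bits")
```

With four candidate words per letter, the sample lists give only 8 bits; the figure grows with the size of the lists, so draw the words from a large list and let the random pick choose them.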

Additional recommendations

Cybersecurity Awareness Training – passphrases are only secure if you keep them that way.  Cyberthieves are using social engineering, sophisticated phishing e-mails, and other tactics to gain access to either your computer, your credentials, or both.  Regular cybersecurity awareness training and testing through simulated phishing emails is a key part of knowing what to watch out for and to reduce the likelihood of falling victim to one of their schemes. 

Multi-Factor or 2-Factor Authentication (2FA) – if your e-mail credentials are compromised, a cybercriminal can open any browser and use those credentials to log into your e-mail account, control your inbox, and do a deep dive on all your saved or sent e-mails to identify customers, vendors, banking information, and contacts and exploit them to their advantage.  However, if you have 2FA on your e-mail account, they’ll be unable to log in with your credentials – the credentials alone are inadequate to gain access.   Check out this video to learn more about 2FA.   

Password manager – what if you could outsource all your password "creating and remembering" to a trusted application? A password manager can help you do just that. With just one password or passphrase to open the application, a good password manager can create and remember unique passwords for each site you visit that has a login requirement and even log you in. With mobile apps and browser plug-ins, password managers can be used anywhere you access the internet.

For more information on how to keep your business network secure, subscribe to our YouTube channel or call us at 586 286 8324!
