The Passphrase – The Problem With Passwords

Alternatives to the password have been around for years. However, biometrics such as fingerprint or retina scanners are generally considered too costly to implement, at least at corporate scale.


Even two-factor authentication schemes have a slow adoption rate because of the perceived complexity of implementation and end-user reluctance. As a result, passwords are the gateway to most security systems today and will continue to be so for at least the next few years.

Is Your Password Safe?

Unfortunately passwords, as noted in our “How I Guessed Your Password” article, present a problem: a password needs to be complex enough that it cannot be easily guessed, yet memorable enough that the user does not forget it. Consider the following spectrum:

Easy to remember, easy to guess  ------ Hard to remember, hard to guess

On the left side we have simple dictionary words like “password”, and on the far right we have long strings of random mixed-case letters, digits and symbols, with your password probably somewhere in the middle.

The problem is that as cracking hardware improves, the point on this spectrum you need to reach keeps moving to the right.


Introducing the Passphrase

The passphrase is an alternative to the password that is usually dismissed out of hand because of the length needed to make it effective, typically 20 to 30 characters. This might seem daunting at first, but look at the following two strings of characters: which would you say is easier to remember?

!F2afn*9

or

organicmetaliccosmic

A brute-force attack against a fast, unsalted hash would exhaust every 8-character string like the first in a matter of days.

The second, at 20 characters, would take billions of years to crack by the same character-by-character attack, even though it uses no uppercase, numeric or special characters whatsoever.

One caveat: nobody attacks a passphrase character by character. Cracking tools combine dictionary words, so a passphrase built from three common words is a search of only (dictionary size)^3 candidates: for a 10,000-word dictionary that is about 40 bits, which falls in under a minute at the same guess rate. A passphrase gets its strength from the number of words and from how far those words are from any attacker's wordlist, not from its character count alone, and the guess rate itself depends heavily on whether the site stores passwords with a slow, salted hash such as bcrypt or a fast one such as MD5 or NTLM.

There are of course pitfalls to this approach: quotes and song lyrics must be avoided, since crackers ship with dictionaries built from exactly those sources, and so must guessable word associations. The flip side is that it is simple to make a passphrase even stronger whilst still keeping it memorable.

Improving your Cyber Security

Next time you need to change your password, consider this approach. Pick three or more unrelated words of reasonable length so that the phrase runs to more than twenty characters.

Experiment!

Throw in a word from another language, an obscure name or a word you’ve been misspelling for the last ten years. Try out a password strength calculator and see if you can construct an easy-to-remember passphrase that would take over a quadrillion years to crack, but check what attack the calculator assumes: most only model a character-level brute force, which flatters a passphrase made of common words. And never submit your actual final password to any online calculator; you would be handing it to a third party.

And remember it's never worth risking your cyber security. Manage risk for yourself and your business by running our CyberScore software.