
Forget passwords, use a passphrase

If someone learns or guesses your password, they can access your accounts, allowing them to transfer your money, read your emails or steal your identity. That is why strong passwords are essential to protecting yourself. However, passwords have typically been confusing, hard to remember and difficult to type.

In part three of our series on cyber security, we’ll explain how to create strong passwords, called passphrases, that are easy to remember and simple to type.

Quiz

Which password example is more secure?
a. qwerty
b. C@n’tTouchThis54321
c. P@$$w0rd1
d. canttouchthis54321

The correct answer is B: it is the longest, uses several special characters and numbers, and, unlike answers A and C, is not a common password.

Passphrases
The challenge we all face is that cyber attackers have developed sophisticated and effective methods to brute force (automatically guess) passwords. Because complex passwords are typically difficult to remember, we recommend you use passphrases – a series of random words or a sentence.

Examples include:

  • Time for tea at 1:23
  • Take me out to the ball game #47

Securing your passphrase

  • Use a different passphrase for every account, so that if your Facebook account is hacked, your bank account is still safe. If multiple passphrases are hard to remember, consider a password manager, like LastPass or 1Password.
  • Never share a passphrase with anyone else; once shared, it is no longer secure.
  • Do not type passphrases on public computers such as those in hotels. They may be infected and capture all your keystrokes.
  • When answering personal questions used for password resets, be certain the answers can't be found on social media accounts like Facebook.
  • Use two-factor authentication where possible. This often requires a passcode sent to your smartphone before you can log in.
  • Use longer PINs for mobile devices and enable biometrics, such as fingerprint login, when possible.
  • If you are no longer using an account, be sure to close, delete, or disable it.

Note: Passphrases used in these examples are no longer secure because passwords should not be shared with anyone. Please do not use them directly but model new passwords after them instead.

4 comments

  1. Selaba Travis says:

    Thank you IT. I think we can use any help we can get with these issues. I had not heard some of this before.

  2. Michael Gleason says:

    Passphrases are more secure when used correctly. However, almost all of your examples are insecure, and most could be cracked in a matter of minutes. I say this as a professional software developer who has written and used password crackers in the course of my work.

    It's true that password cracking software is designed to permute all possible combinations of passwords ("brute force"), so yes, a perfectly nonsensical password such as J8uZx@p could be cracked solely due to its short length. But the software would rarely need to bother brute forcing the password because almost all human-generated passwords can be cracked by iterating through large dictionaries of words and phrases and applying simple transformations.

    Trust me, phrases like "Take me out to the ball game," "Time for tea," and "Can't Touch This" exist right now in precompiled dictionaries. When you can test hundreds of millions of passwords per second offline, hackers can and do easily test for C@n'tTouchThis00001 through C@n'tTouchThis99999.

    And please, let's dispel the myth that P@$$w0rd1 is more secure than Password1 — they are both terribly insecure! In fact, you're making it easier for the cracker by using the number or symbol requirement by replacing a letter with a look-alike, because now the hacker doesn't need to figure out where you have inserted a random symbol or number.

    Unfortunately, choosing a secure but memorable password or passphrase is very difficult today. My advice: use a password manager such as LastPass, 1Password, or KeePassX and have it generate random gibberish with a minimum length of 15 characters for passwords. Then use the software to copy+paste as needed and never bother memorizing passwords other than the master password for the password manager software.

    There will be times where you have to type in a password/passphrase. For a passphrase, choose a minimum of 3 random words such that if you Googled for the exact phrase in double quotes there would be zero hits. Example: "Time for tea" –> 1,830,000 hits; "touch tea ballgame" –> no results found. Assuming a small 100,000-word dictionary, a 3-word passphrase results in about the same complexity (10^15) as a _random_ 10 lowercase letter password (26^10). That's probably a little too close to crackable for comfort, so you'd definitely want to use a 4+ word phrase for important sites, or at least replace a letter or two in the words with a _random_ character.

    It would be helpful if organizations did not impose expiration dates on passwords or require uppercase letters, digits, and symbols for longer passwords (11+ chars). Multiple studies have shown that expiration requirements cause users to choose weaker passwords, and special character requirements are almost always defeated by the user as discussed previously or by adding other easily guessed material such as a birthdate. It would be better if a user can choose a single strong password and memorize it once. (See: https://www.csoonline.com/article/3195181/data-protection/vendors-approve-of-nist-password-draft.html).

    Michael Gleason, Ph.D.
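
The commenter's arithmetic (a 100,000-word dictionary gives 10^15 three-word passphrases, roughly the 26^10 of ten random lowercase letters) and the article's passphrase recommendation can both be checked with a short script. The Python below is an added example written for this page, not code from the article, its author, or the commenter. The word list, the list of "known phrases", the look-alike substitution map and the guess rate of 10^8 per second are constructed assumptions standing in for real word lists, real precompiled phrase dictionaries and real cracking hardware; only the entropy arithmetic is general.

```python
import math
import re
import secrets

# Constructed sample data (not from the article): a handful of dictionary
# words for the generator, and a few phrases standing in for the large
# precompiled phrase lists the commenter describes.
SAMPLE_WORDS = ["touch", "tea", "ballgame", "lantern", "violet",
                "granite", "otter", "compass", "meadow", "quartz"]
KNOWN_PHRASES = ["password", "can't touch this", "time for tea",
                 "take me out to the ball game"]

# Look-alike substitutions that a cracker's rule set undoes for free
# (assumed subset; real rule sets are far larger).
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o"})


def search_space(alphabet_size: int, length: int) -> int:
    """Candidates for `length` uniformly random picks from `alphabet_size` options."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """The same search space expressed in bits of entropy."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an offline guess rate."""
    return space / guesses_per_second


def normalize(text: str) -> str:
    """Undo look-alike substitutions, then drop case, digits and punctuation."""
    return re.sub(r"[^a-z]", "", text.translate(LEET_MAP).lower())


def looks_like_known_phrase(candidate: str, known_phrases=KNOWN_PHRASES) -> bool:
    """True if the candidate is a listed phrase plus appended digits or symbols,
    i.e. it falls to the 'dictionary + simple transformation' approach the
    commenter describes. Used defensively, to reject weak choices."""
    core = normalize(candidate)
    return any(core.startswith(normalize(p)) for p in known_phrases)


def generate_passphrase(words, count: int, separator: str = " ") -> str:
    """Pick `count` words uniformly using the CSPRNG-backed secrets module
    (random.choice is not suitable for secrets)."""
    return separator.join(secrets.choice(words) for _ in range(count))


def compare(dictionary_size=100_000, word_count=3,
            letters=26, letter_count=10, rate=1e8) -> dict:
    """Reproduce the commenter's comparison: `word_count` random words from a
    `dictionary_size`-word list versus `letter_count` random lowercase letters,
    with worst-case exhaustion time in days at `rate` guesses per second."""
    phrase_space = search_space(dictionary_size, word_count)
    letter_space = search_space(letters, letter_count)
    return {
        "phrase_bits": round(entropy_bits(dictionary_size, word_count), 1),
        "letters_bits": round(entropy_bits(letters, letter_count), 1),
        "phrase_days": seconds_to_exhaust(phrase_space, rate) / 86400,
        "letters_days": seconds_to_exhaust(letter_space, rate) / 86400,
    }


if __name__ == "__main__":
    print("3 words vs 10 letters:", compare())
    print("4 words:", compare(word_count=4))
    for pw in ["P@$$w0rd1", "C@n'tTouchThis54321", "Time for tea at 1:23",
               "touch tea ballgame"]:
        verdict = "known phrase" if looks_like_known_phrase(pw) else "not in list"
        print(f"{pw!r}: {verdict}")
    print("random passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
```

Two things the numbers make concrete: at 10^8 guesses per second the whole three-word space is exhausted in about 116 days and the ten-letter space in about 16, which is why the commenter wants four or more words for important sites (four words from the same list is about 66 bits, roughly 10^6 times more work); and the normalization step shows why a look-alike substitution adds nothing, since `P@$$w0rd1` and `Password1` collapse to the same dictionary entry.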

  3. Michael Gleason says:

    And I forgot to mention — don't actually Google a prospective passphrase. Just choose one good enough that _if_ you did (again, DO NOT!) there would be zero hits.

  4. Dana K.Samson says:

    Thank you for this idea. Dana Samson, MSN, RN
