3 passphrase best practices
(Last updated on July 30, 2019)
A strong password is long and complex. Adding upper case letters, numbers, and special characters makes it harder to crack. Considering user behavior, however, complex passwords have proven too difficult to remember. To cope with complexity requirements, users fall back on a familiar pattern: a dictionary word as the root, the first letter capitalized, a number or two, and a special character at the end. Such passwords are easier to remember, and also easier to crack, because an attacker who knows the pattern only has to enumerate the pattern rather than every string of that length.
If strength is not achieved through complexity, what is the alternative? Length. Consider a basic password with only one lowercase letter: the attacker has 26 possibilities to guess, a to z. Increase the length to two lowercase letters and the attacker has to go through 26 x 26 = 676 possibilities; at three letters there are 26^3 = 17,576. Every character you add multiplies the number of candidates by the size of the alphabet, so the cost of an exhaustive search grows exponentially with length.
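The arithmetic above, carried a little further as an added example (this is not code from the original post). The functions reproduce the 26 / 676 / 17,576 progression and then compare the apparent keyspace of an 11-character pattern password such as "Summer2019!" with the much smaller space an attacker actually has to search once the word + digits + symbol pattern is known, and with a four-word random passphrase. The guess rate, the 50,000-word dictionary, the ten-symbol count and the 7776-word list size are assumptions chosen for illustration; only the formulas are the point.

```python
import math

# Offline guess rate against a fast, unsalted hash. This number is an
# ASSUMPTION for illustration; real rates depend on the hash and hardware.
GUESSES_PER_SECOND = 1e10

LOWER = 26                 # a-z, the alphabet the article counts with
FULL = 26 + 26 + 10 + 10   # a-z, A-Z, 0-9 and ten symbols (symbol count assumed)


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an exhaustive search covers: alphabet_size ** length."""
    return alphabet_size ** length


def entropy_bits(candidates: int) -> float:
    """Bits of entropy when every candidate is equally likely."""
    return math.log2(candidates)


def seconds_to_exhaust(candidates: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed rate."""
    return candidates / rate


def length_table(alphabet_size: int, max_length: int) -> list:
    """(length, candidates) pairs, reproducing the article's 26 / 676 / 17576."""
    return [(n, keyspace(alphabet_size, n)) for n in range(1, max_length + 1)]


def patterned_keyspace(dictionary_words: int, digit_positions: int, symbols: int) -> int:
    """Candidates for the pattern the article describes: a dictionary word with
    the first letter capitalised, then digits, then one trailing symbol.
    An attacker who knows the pattern enumerates word x digits x symbol,
    not every string of that length."""
    return dictionary_words * (10 ** digit_positions) * symbols


def random_words_keyspace(wordlist_size: int, words: int) -> int:
    """Candidates for `words` words chosen uniformly at random from a list."""
    return wordlist_size ** words


def compare() -> dict:
    """Apparent vs. real strength of an 11-character 'Summer2019!'-style
    password, next to a four-word random passphrase. Sizes are ASSUMPTIONS:
    50,000-word dictionary, four digits, ten symbols, 7776-word list."""
    apparent = keyspace(FULL, 11)                 # what a naive brute-forcer faces
    real = patterned_keyspace(50_000, 4, 10)      # what a pattern-aware attacker faces
    words4 = random_words_keyspace(7776, 4)
    return {
        "apparent_bits": entropy_bits(apparent),
        "pattern_bits": entropy_bits(real),
        "pattern_seconds": seconds_to_exhaust(real),
        "four_words_bits": entropy_bits(words4),
        "four_words_seconds": seconds_to_exhaust(words4),
    }


if __name__ == "__main__":
    for n, size in length_table(LOWER, 6):
        print(f"length {n}: {size} candidates, {entropy_bits(size):.1f} bits")
    for key, value in compare().items():
        print(f"{key}: {value:,.1f}")
```

The comparison is the practical caveat behind the article's point: the pattern password looks like roughly 68 bits to a blind brute-forcer but is only about 32 bits to an attacker who tries dictionary words with the usual suffixes, which at the assumed rate is exhausted in under a second; four randomly chosen words from a 7776-word list give about 52 bits however the attacker approaches them.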
A passphrase is a sentence or phrase, with or without spaces, typically more than 20 characters long, and easy to memorize. It is a great way of increasing security and, without the cryptic series of letters, numbers, and symbols, of improving usability.
But, just like passwords, passphrases can fall into predictable patterns. To help you make the most of your passphrase, here are three tips for strengthening your approach:
- Be unpredictable: A strong passphrase is a random combination of words that mean nothing together. It is not built from words of personal significance, or from popular phrases found in literature and music. Pick the words with a genuinely random source (dice against a word list, or a password manager's generator) rather than by hand; people are poor at choosing words at random.
- Do not reuse: No matter how strong your passphrase may be, its appearance on a password list makes it an easy target, because attackers try known passwords before anything else. A phrase that has leaked in a breach, or that you have reused across accounts, is a known password. If any of your passphrases appear on such a list, change them immediately. With the right tools, such as Specops Password Policy, your IT department can check passwords against any such list, automatically blocking the use of known-weak passphrases.
- Enable MFA: When in doubt, add another layer of authentication. Multi-factor authentication combines two or more of: something you know (e.g. a password), something you have (e.g. a mobile device), and something you are (e.g. a fingerprint). Mobile device verification can be enabled on most popular websites, including Google, LinkedIn, and Facebook.
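The first two tips as working code, added here as an illustration and not taken from the original post or from Specops Password Policy. It generates a passphrase from a word list using the operating system's cryptographic random source, reports its entropy, and screens candidates against a blocklist after folding the case, spacing, punctuation and digit-for-letter substitutions that users apply to slip past such lists. The 32-word list, the five-entry blocklist, the 20-character minimum and the leet-folding table are constructed assumptions so the example runs offline; a real word list has thousands of entries and a real breach list has millions.

```python
import math
import re
import secrets

# Constructed stand-in for a word list. A real Diceware/EFF-style list has 7776
# entries (about 12.9 bits per word); these 32 words give only 5 bits per word
# and exist so the example runs offline. All words are 5+ letters so that four
# of them always clear the 20-character minimum used below.
WORDLIST = [
    "anchor", "basket", "candle", "dolphin", "eagle", "fabric", "garden", "hammer",
    "island", "jacket", "kettle", "lantern", "meadow", "napkin", "orbit", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "yogurt",
    "zipper", "marble", "pillow", "rocket", "tunnel", "violin", "window", "copper",
]

# Constructed stand-in for a breach/ban list (an organisation's blocklist or a
# public breach corpus). Real lists hold millions of entries.
_BLOCKLIST_RAW = [
    "Password123!",
    "Summer2019!",
    "letmein",
    "correct horse battery staple",
    "to be or not to be",
]

# Common digit/symbol-for-letter substitutions (assumed table): 0->o 1->l 3->e
# 4->a 5->s 7->t @->a $->s. Applied to both sides, so the folding is lossy but
# consistent.
_LEET = str.maketrans("013457@$", "oleastas")


def normalise(phrase: str) -> str:
    """Fold letter case, whitespace, punctuation and leet substitutions so that
    'C0rrect-Horse-Battery-Staple!' compares equal to the blocklisted phrase."""
    folded = phrase.lower().translate(_LEET)
    return re.sub(r"[^a-z0-9]", "", folded)


BLOCKLIST = {normalise(p) for p in _BLOCKLIST_RAW}

# The pattern the article warns about: dictionary word, capital first letter,
# digits, symbol on the end (e.g. Summer2019!).
_PATTERN = re.compile(r"^[A-Z][a-z]{2,}\d{1,4}[^A-Za-z0-9]{0,2}$")


def generate_passphrase(words: int = 4, wordlist=WORDLIST, separator: str = " ") -> str:
    """Choose words uniformly at random from the OS CSPRNG via `secrets`.
    `random.choice` is seeded predictably and must not be used for this."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """Entropy of `words` words chosen uniformly from a list of that size."""
    return words * math.log2(wordlist_size)


def is_blocked(phrase: str, blocklist=BLOCKLIST) -> bool:
    """True if the folded candidate matches a folded blocklist entry."""
    return normalise(phrase) in blocklist


def check_policy(phrase: str, min_length: int = 20) -> list:
    """Return the reasons a candidate fails; an empty list means it passes."""
    reasons = []
    if len(phrase) < min_length:
        reasons.append("too short")
    if _PATTERN.match(phrase):
        reasons.append("matches word+digits+symbol pattern")
    if is_blocked(phrase):
        reasons.append("appears on blocklist")
    return reasons


if __name__ == "__main__":
    candidate = generate_passphrase()
    print(candidate, passphrase_entropy_bits(4, len(WORDLIST)), check_policy(candidate))
    for weak in ("Summer2019!", "C0rrect-Horse-Battery-Staple!"):
        print(weak, check_policy(weak))
```

Two design points worth noting. The blocklist is compared after normalisation on both sides, otherwise a user who swaps an o for a 0 or drops the spaces walks straight past the check. And the generator's entropy depends only on the list size and the word count, not on how the words look, which is why a random four words from a large list beat a carefully "complexified" single word.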
Using a passphrase lets you avoid the usual password pitfalls: easy-to-remember but predictable passwords, or forgettable passwords accompanied by post-it notes.