3 passphrase best practices
(Last updated on July 30, 2019)
A strong password is long and complex. Adding upper case, numbers, and special characters make it harder to crack. However, considering user behavior, complex passwords have proven too difficult to remember. To cope with complexity requirements, users default to familiar patterns: A dictionary word as the root, capitalized first letter, number(s), and a special character at the end. This makes them easier to remember, and easier to crack.
If strength is not achieved through complexity, what is the alternative approach? Length, of course. Consider a basic password with only one lowercase letter. The attacker would have 26 possibilities to guess from A to Z. Now increase the password length to two, the attacker would have to go through 676 possibilities. If you increase the password length to three, there is going to be 17576 possibilities. As you increase the password length, you are making the password exponentially harder to crack.
A passphrase is sentence of phrase, with or without spaces, typically more than 20 character long, and easily memorable. It is a great way of increasing security, and without the cryptic series of letters, numbers, and symbols, improving usability.
But, just like passwords, passphrases can conform to predictable patterns. To help you make the most out of your passphrase, we are providing three tips for strengthening your approach:
- Be unpredictable: A strong passphrase is a random combination of words that are meaningless together. They are not inspired by words of personal significance, or popular phrases found in literature and music.
- Do not reuse: No matter how strong your password may be, its appearance in a password dictionary makes it an easy target for hackers. If any of your passphrases appear on a password list, change them immediately. With the right tools, such as Specops Password Policy, your IT department can check passwords again any list, automatically blocking the use of weak passphrases.
- Enable MFA: When in doubt, add another layer of authentication. Multi-factor authentication requires something you know (i.e. password), something you have (i.e. Mobile device), and something you are (i.e. Fingerprint). Mobile device verification can be enabled on most popular websites include Google, LinkedIn, and Facebook.
Using a passphrase means, you can avoid password pitfalls – easy to remember predictable passwords, or forgettable passwords accompanied with post-its.