Why Passphrases Should Replace Passwords in your Security Toolbox

by | Jun 23, 2020 | ZAG Standards

As sophisticated cyberattacks targeting accounts grow daily, the days of simple passwords are gone. With technology moving at light speed, account security is the biggest hurdle organizations need to address. The threats are myriad: brute-force attacks, phishing, spam email, and social engineering, to name a few.

New threats appear every year, but one trait these attacks share is the use of a common word list to guess passwords and penetrate a company’s accounts. Accounts protected by common-word passwords can be cracked in as little as 5 seconds and are then used to attack business networks, web portals, and email portals. Using simple passwords can mean the difference between business as usual and total loss of network data to thieves.

Password security is no longer optional; it is an absolute necessity for protecting business data and systems, and using complex passwords is part of the world we now live in. Creating a complex password may be cumbersome, but that pales in comparison to the time it takes to recover from an attack, or worse, losing everything needed to stay in business.


Many companies like Microsoft, Google, Apple, and Facebook all recommend using the following standards as a starting point:

  • The password does not contain the account name of the user.
  • The password is at least eight characters long.
  • The password contains characters from three of the following four categories:
    • Latin uppercase letters (A through Z)
    • Latin lowercase letters (a through z)
    • Base 10 digits (0 through 9)
    • Non-alphanumeric characters such as exclamation point (!), dollar sign ($), number sign (#), or percent (%).

However, recent studies have shown that the safest and most secure of all passwords aren’t necessarily long random strings of characters that are hard to remember. In fact, the latest NIST password guidelines suggest that we move away from enforcing upper/lower, alpha/numeric, and special character combinations and simply use a phrase that is easy to remember but impossible for someone else to guess. Phrases of randomly strung together words (not sentences) such as “DogStatueSunnyConcert” are proving to be far more secure.

A complex password may be mathematically superior to a passphrase, but choosing passphrases is about meeting the reality that people cannot memorize twenty different complex passwords. With a passphrase you get a more secure system while acknowledging the limits of human behavior (the need for simplicity). Why, then, is a statistically superior complex password less secure in practice than a passphrase? People are far less likely to write down a passphrase they can remember than a series of random numbers, special characters, and letters, which most likely ends up on a post-it note under the keyboard.
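To make the contrast concrete, here is an added example (not code from the original post) that implements the three-of-four-categories rule listed above beside a NIST-style length-plus-blocklist check, and estimates the guess space of each approach. The 15-character minimum, the 94-symbol keyboard alphabet, the 7776-word list size and the sample blocklist are assumptions chosen for illustration.

```python
import math
import string

# Constructed sample blocklist standing in for the "common word list" the post
# describes; a real deployment would load a breached-password corpus instead.
COMMON_PASSWORDS = {"password", "p@ssw0rd", "welcome1", "summer2020", "qwerty123"}


def legacy_complexity_ok(password: str, account_name: str) -> bool:
    """The legacy rule: no account name, 8+ chars, 3 of 4 character categories."""
    if account_name and account_name.lower() in password.lower():
        return False
    if len(password) < 8:
        return False
    categories = [
        any(c in string.ascii_uppercase for c in password),  # A-Z
        any(c in string.ascii_lowercase for c in password),  # a-z
        any(c in string.digits for c in password),           # 0-9
        any(c in string.punctuation for c in password),      # ! $ # % ...
    ]
    return sum(categories) >= 3


def passphrase_ok(passphrase: str, account_name: str, min_length: int = 15) -> bool:
    """NIST-style check: a length floor and a blocklist, no composition rules.
    min_length=15 is an assumed policy value, not a figure from the post."""
    lowered = passphrase.lower()
    if account_name and account_name.lower() in lowered:
        return False
    if len(passphrase) < min_length:
        return False
    return lowered not in COMMON_PASSWORDS


def guess_space_bits(symbols_per_position: int, positions: int) -> float:
    """Entropy of a uniformly random choice: positions * log2(alphabet size)."""
    return positions * math.log2(symbols_per_position)


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "DogStatueSunnyConcert"):
        print(pw, "legacy:", legacy_complexity_ok(pw, "jdoe"),
              "passphrase policy:", passphrase_ok(pw, "jdoe"))
    # 8 random keyboard characters vs. 4 words from an assumed 7776-word list
    print("8-char complex:", round(guess_space_bits(94, 8), 1), "bits")
    print("4-word phrase: ", round(guess_space_bits(7776, 4), 1), "bits")
```

Note that the legacy rule rejects the passphrase (only two categories) while accepting a well-known weak password, which is the policy gap the post describes.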

NIST also recommends against periodic password changes. For many years, companies required changing passwords every 60 or 90 days. The truth is, the more frequently passwords are changed, the more likely we are to again write them down, causing a major security flaw.

There is no fail-safe solution to password security. Security will always be a challenge against new threats, and to fight them companies will need to leverage multiple technologies simultaneously (e.g. MFA, antivirus, spam blocking). A vital component is an effective password policy; an industry-recommended passphrase (DogStatueSunnyConcert) in conjunction with multi-factor authentication will provide more protection for company data and systems.

This is the new age of password security. Let’s protect ourselves from attacks by using passphrase passwords, leveraging new technology for account security, and never providing our username and password to anyone.
