Passwords provide a means of verifying that you are who you say you are when accessing resources or information. Passwords (something you know) are one of the three authentication factors in use today; the other two are something you have (such as a token or smartphone) and something you are (fingerprints or facial recognition).
Ranking up there in levels of enjoyment with filing your tax returns or going to the dentist/doctor is managing your passwords. With all the rules surrounding password creation and complexity, it is no surprise that individuals choose weak passwords or re-use passwords (a new favorite of the cyber-criminal). But there is an easier way…
Research over the last several years shows that the traditional method of password creation, a random combination of upper case, lower case, numbers and special characters, can produce a password that is difficult to break but also difficult to remember. This leads to some very predictable behaviors in people, such as capitalizing the first letter, or adding a number to the end which is incremented with each password change. Current best practice encourages longer passwords, and the longer the better. A jumble of letters, numbers and characters only becomes harder to remember as we increase the length, so what are we to do? Use a passphrase!
What is a passphrase?
A passphrase is simply four or more random words that together form a password of more than 12 characters (our new standard effective December 1, 2019). It can even be a sentence, as long as it is somewhat random. Here is an example of a possible passphrase:
“Ethel eats fresh fish”
This passphrase is 20 characters long and contains upper case, lower case and special characters. Using current technology, it would take 2.4 x 10^24 years to crack. But what if your password gets hacked and you have to change it? Simple:
“Ethel hates fresh fish”
“Tom watches fresh fish”
“Alex likes fresh vegetables”
The possible variations of a passphrase are virtually endless, and they are easier for most people to remember.
Some other best practices still remain:
The Don’ts
- Don’t reuse passwords for important websites
- Don’t use children’s or pet names
- Don’t use music lyrics or other well-known phrases
- Don’t reuse passwords that have been compromised, and don’t simply add or increment a number at the end of a password
The Do’s
- Do use a password manager for your passwords. Products such as LastPass, Dashlane or 1Password all have free versions.
- Do use two-factor or multifactor authentication on any account that offers it. This is the best way to prevent your accounts from being misused, and it is available across an increasing number of services including financial websites, social apps, and even gaming sites such as Steam.
One final note. If your password is some permutation of Husky123… Please change it immediately.
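As an added example (not from the original page), the following Python script generates a four-word passphrase with a cryptographically secure random source, compares the entropy of a four-word passphrase with that of an eight-character complexity-rule password, and checks a candidate against two of the rules above: the 12-character minimum and the "add or increment a trailing number" trick (the Husky123 pattern). The word list is a constructed stand-in and the function names are assumptions of this example.

```python
import math
import re
import secrets

# Constructed stand-in word list for the example; a real list (e.g. a diceware list)
# has thousands of words, which is what makes a four-word passphrase strong.
WORDLIST = ["ethel", "eats", "fresh", "fish", "tom", "watches", "alex", "likes",
            "vegetables", "hates", "river", "candle", "orbit", "maple", "quiet", "tiger"]
MIN_LENGTH = 12  # the page's minimum, effective December 1, 2019
TRAILING_DIGITS = re.compile(r"(.*?)(\d*)")  # splits "Husky123" into ("Husky", "123")

def generate_passphrase(words=4, wordlist=WORDLIST):
    """Pick `words` random words with the secrets module (a CSPRNG) and join them with spaces."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))

def entropy_bits(picks, alphabet_size):
    """Entropy of `picks` independent uniform choices from `alphabet_size` symbols.
    A symbol is a word for a passphrase and a character for a traditional password."""
    return picks * math.log2(alphabet_size)

def is_trivial_rotation(old, new):
    """True when `new` is just `old` with a number added to, or increased at, the end."""
    stem_old, digits_old = TRAILING_DIGITS.fullmatch(old).groups()
    stem_new, digits_new = TRAILING_DIGITS.fullmatch(new).groups()
    if stem_old != stem_new or not digits_new:
        return False
    return not digits_old or int(digits_new) > int(digits_old)

def check_password(candidate, previous=None):
    """Return the rule violations for `candidate`; an empty list means it passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if previous is not None:
        if candidate == previous:
            problems.append("reuses the previous password")
        elif is_trivial_rotation(previous, candidate):
            problems.append("only adds or increments a trailing number")
    return problems

if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase, check_password(phrase))
    # Four words from a 7776-word list vs. eight random printable ASCII characters (94 symbols)
    print(round(entropy_bits(4, 7776), 1), "bits vs", round(entropy_bits(8, 94), 1), "bits")
    print(check_password("Husky124", previous="Husky123"))
```

The entropy comparison shows that four words from a 7776-word list (about 51.7 bits) are roughly as strong as eight fully random printable characters (about 52.4 bits), and far easier to remember.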
source: xkcd.com/936