Why having a passphrase is better than a password

Does your company have a policy around how passwords are created?  Do you have any real input into that “password policy” or is it just implemented by your IT provider when a new member of staff starts?  Do you (and your staff) use the same passwords in different contexts?  Do you change your passwords regularly or are you forced to do so by the server or system you are using?  If so, what do you do when you are forced into a password change?  Perhaps change one character or number?  Perhaps change the case of a letter?

And, if you’re like lots of people and you have too many passwords to remember, what do you do to retain access to them?  If someone was to take a look at your computer system is there any chance they’d find a document somewhere containing a list of passwords?  Or perhaps you or some of your people put passwords on post-its?

If any of this resonates with you then you’re not alone.  You’re actually in a majority.

But that should not be any consolation because this scourge of passwords and how they’re dealt with is a problem on a number of fronts.

Firstly, bad and/or visible passwords carry with them an obvious data-security risk.

Secondly, there is a productivity loss associated with the people in your organisation using valuable company time to implement security features such as regularly changing passwords.  Earlier this year a Dell survey of employees in 8 major economises found that an astonishing 76% of employees believe that their employers prioritise security over employee productivity.  Could they be all wrong?

But there is actually an even bigger issue.  Passwords themselves, even if “properly” chosen, and kept “hidden”, do not provide the security we once thought they did!  It transpires that your “strong” password actually is not that strong!

And who says this?  None other than the man known by many in the industry as the father of the modern-day password.

His name is Bill Burr.  Back in 2003 he was working for the National Institute of Standards and Technology (NIST) in America and made a recommendation.  The recommendation was that passwords should be a random string of letters, numbers & symbols, should mix cases, should be nothing that anyone could guess, and should be changed often.

His recommendation was adopted widely – by government departments in the US and also by millions of organisations – perhaps including your own!

But now?

Bill Burr has changed his mind.  Here are some recent quotes from him:

“Much of what I did I now regret”.

“In the end, it was probably too complicated for a lot of folks to understand, and the truth is, it was barking up the wrong tree.”

“I think I could have done a better job of figuring out some of the things that we now know, or at least of guessing them”.

“It’s probably better to do fairly long passwords that are phrases or something like that that you can remember than to try to get people to do lots of funny characters”.

It would be a mistake to think that all his advice was bad.  Rather, it had some unintended effects – like the loose working practices mentioned above.  People, even if they did not do anything conventionally thought of as “stupid”, still did things that made the life of hackers easy.

Ever use “$” instead of “s”?

Or change a password by changing “1” to “2”?

Examples like those are easy for hackers to uncover.  As Randall Munroe wrote in an August 2011 cartoon, “Through 20 years of effort, we have correctly trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess”.

So there has recently been a significant evolution.  Burr’s original NIST guidelines have been updated.

The new recommendation?  Use passphrases.  A passphrase is longer than a password but easier to remember.  An example would be “ilovefourbluedolphins”.

Why are passphrases better than passwords?

They are easier to remember.  This means that there is less need for them to be on post-its or in a document.  Correspondingly, there is a much lower risk of them being stolen (hardcopies and files).

Their use is more efficient because they do not need to be regularly changed.

Their greater length makes them much harder for hackers to crack.  However, with passphrases using actual words there remains a susceptibility to them being cracked by raw dictionary-based computational power.  Now that susceptibility is far less than with passwords.  But it can be lowered further through reducing the use of words that commonly appear together in natural language.  The afore-mentioned “ilovefourbluedophins”, though better than passwords, is actually not a great passphrase.  A lot of dolphins are blue.  The words “I” and “love” appear together a lot in natural language.  Dolphins are lovable creatures.  So, even with passphrases, care should be taken to avoid using words that fit together, “bedtimestory”, “neverleave”, etc.

Check out this article from Cloudwards.net that offers a comprehensive look at setting up strong passwords

At BITS we offer a wide range of security products and services, including detailed, clear and authoritative guidance on how you can adapt your machine/network access to leverage the enhanced security offered by passphrases.  Contact us for more information.