The Pa$$w0rd Problem
As this post from funnyordie.com demonstrates, passwords are a source of frustration for many of us. After all, we only have so much brain power to devote to passwords, and if every site requires eight or more characters plus a number, an uppercase letter, and a symbol, users are naturally going to economize in other ways, like reusing the same password for multiple sites or basing those passwords on things that are easy to remember, like pets’ names and birthdays. It’s all led to a world filled with passwords that are hard for people to remember, yet easy for cybercriminals to crack.
Not long ago, the organization responsible for introducing these password guidelines roughly 20 years ago, the National Institute of Standards and Technology (NIST), did a remarkable thing. They admitted that their guidelines simply weren’t working anymore, and they issued new guidelines designed to make passwords easier for people to remember but difficult for others to guess and for malware to crack. The new recommendation is to scrap passwords altogether in favor of passphrases.
What’s in a Passphrase?
A passphrase, as NIST defines it, is a “memorized secret,” that is, a sequence of words that holds meaning for the user but seems random to anyone else. For example, I have a collection of trinkets on my desk. They sit relatively still, in the same order from left to right: a pair of reading glasses, a purple post-it note dispenser, a yellow stress ball shaped like an apple, and a tiny mahogany Buddha a friend gave me. “Glasses purple apple Buddha” satisfies the passphrase requirements and, according to one online password checker*, it would take a medium-sized botnet 35 nonillion years (that’s 34 zeros) to crack. Plus, I’ll think of that passphrase every time I look at any of those objects, multiple times a day, which will help with memorization. If you can add some numbers and symbols to it without making it too difficult to memorize, all the better: “Gla55e5 purple apple&Buddha” takes 726 nonillion years. Even if someone were to sit at my desk, there are at least 30 objects to pick from, and they wouldn’t know what aspect of an object I chose to represent it. “Glasses purple apple Buddha” could just as easily be “Reading postit stress mahogany” (21 undecillion years, that’s 66 zeros).
This method takes advantage of two human strengths. First, it allows the user to select words with which they are familiar and comfortable, rather than an incoherent string of characters. Second, it allows users to create a mental picture of their passphrase. It’s easy for me to close my eyes, picture my desk, and see those four objects. Associating the passphrase with an easily conjured mental image makes it easier to remember.
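As an added illustration (not code from the original post), here is a small Python script that applies the memorized-secret acceptance rules from NIST SP 800-63B, the guidance behind the new recommendations (length bounds, spaces allowed, no composition rules, a breached-password blocklist), and compares two crude strength models for the author's own examples. The blocklist contents, the 20,000-word dictionary size and the 1e12 guesses-per-second rate are constructed assumptions, not figures from the post.

```python
# Constructed stand-in for a breached/common-password blocklist; a real
# deployment checks against a large breached-credential corpus.
COMMON_PASSWORDS = {"password", "pa$$w0rd", "123456", "qwerty", "letmein"}
SECONDS_PER_YEAR = 365 * 24 * 3600

def check_memorized_secret(secret, context_words=()):
    """Reasons a secret is rejected (empty list = accepted), following the
    NIST SP 800-63B rules: 8 to 64+ characters, spaces allowed, no
    composition rules, reject breached/common values and context words."""
    problems = []
    if len(secret) < 8:
        problems.append("shorter than 8 characters")
    if len(secret) > 64:
        problems.append("longer than 64 characters")
    if secret.lower() in COMMON_PASSWORDS:
        problems.append("found in the breached/common password list")
    for word in context_words:  # e.g. the username or the service name
        if word.lower() in secret.lower():
            problems.append(f"contains context word {word!r}")
    return problems

def brute_force_search_space(secret):
    """Guesses to exhaust every string of this length over the character
    classes used: the model behind simple online 'time to crack' checkers."""
    alphabet = 0
    if any(c.islower() for c in secret):
        alphabet += 26
    if any(c.isupper() for c in secret):
        alphabet += 26
    if any(c.isdigit() for c in secret):
        alphabet += 10
    if any(not c.isalnum() for c in secret):
        alphabet += 33  # printable ASCII punctuation plus space
    return alphabet ** len(secret)

def dictionary_search_space(word_count, dictionary_size):
    """Guesses if the attacker knows the secret is word_count dictionary
    words: the realistic model for a passphrase built from common words."""
    return dictionary_size ** word_count

def years_to_exhaust(search_space, guesses_per_second=1e12):
    """Worst-case time at an assumed offline rate; 1e12/s is a constructed
    figure for a fast unsalted hash on a GPU cluster."""
    return search_space / guesses_per_second / SECONDS_PER_YEAR

if __name__ == "__main__":
    for s in ("Pa$$w0rd", "Glasses purple apple Buddha"):
        print(s, check_memorized_secret(s),
              f"{years_to_exhaust(brute_force_search_space(s)):.3g} years")
    print(f"{years_to_exhaust(dictionary_search_space(4, 20000)):.3g} years for any four words from a 20,000-word list")
```

The dictionary model is the one that matters for a word-based secret: it shows why the words should not all be predictable, and why the extra digits and symbols the author adds widen the search an attacker has to make.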
While the passphrase is a more human-friendly security approach, there is still one big problem. Many of us have dozens of online accounts to maintain, and it simply isn’t feasible to create and memorize that many passphrases.
That’s where password managers come in. A password manager is an app that generates and remembers strong passwords for you. All you need to remember is one master passphrase to unlock your password manager. Password managers can be incredibly convenient and may reduce your overall risk by enabling you to use unique, strong passwords on all your accounts. Yes, there is always a chance that the password manager app could get hacked, but the risk is much lower compared to the alternative of using weak passwords and reusing them across multiple sites. Many cybersecurity experts recommend using a password manager, and you can learn more about some popular options in this article from CNET.com: https://www.cnet.com/news/the-best-password-managers-directory/.
One Last Thing
NIST also points out that, while passphrases may be harder to guess and take longer to crack, neither passwords nor passphrases are optimal as the sole means of protecting sensitive data. In addition to moving to more secure passphrases, you should enable multi-factor authentication on your accounts whenever the option is available.
*These sites can be fun to experiment with but only use hypothetical passwords. Never enter any of your real passwords in a site like this.