Do not reuse passwords. Utilize both passphrases and passwords, keeping track of them with the assistance of a password manager application or service.

How many websites do you use that ask you for a password? When is the last time you had to enter a password? I am willing to bet the answers are ‘a lot’ and ‘recently’. What are mere mortals to do when they cannot remember 20 different passwords that are each more than eight characters in length? We reuse passwords of course!

The problem with passwords

A password’s two defining characteristics are its complexity and length. Complexity deals with the character categories required when creating the password, the most common being upper-case letters (ABC…), lower-case letters (abc…), digits (123…), and non-alphanumeric characters (#$%…). Length is nothing more than how many characters make up the password (five, nine, 15, etc.). Simply put, character for character, length is more important than complexity when creating a password. So where do businesses, and people in general, go wrong in creating passwords?

Unfortunately, when creating a password the emphasis is usually put on complexity, not length. This often makes the password too difficult to remember. Keep in mind that a password that is difficult for a person to remember is not necessarily difficult or time-consuming to crack. When a business weights the complexity requirement more heavily, people tend to create short passwords that are easier to remember. In reality the password that was just created is probably not a very good one, because length was never emphasized.

What is so wrong with reusing passwords

Password reuse is a huge problem. Imagine you use the same password for your favorite online shopping website as you do to log in to your work computer and your personal email, banking, healthcare, and social media accounts. Then one day you see on the news that your favorite online shopping outlet was hacked and login data was stolen. Guess what? That hack mentioned on the news did not just happen. It very likely occurred months before the news reported it. Before the media had a chance to report the breach, your data was sold and your login credentials were being tried on dozens of websites.

And no, those attempts to use your login information on various websites were not being individually entered by a human. They were being attempted using an automated technique called fuzzing. And because you reuse that same password to log in to your other accounts, someone in the world now has access to your bank account and medical history, and possibly the ability to remotely access your work email.

Password versus passphrase

You may be asking ‘What the heck is the difference between a password and a passphrase?’ Ultimately not much. It is still something ‘that you know’ in terms of accessing an application or website that is trying to ensure you are who you say you are. The difference is more about how you go about creating this piece of the authentication process.

Think of a password as a word with complex characteristics, such as upper- and lower-case characters, numbers, and special characters. Compare this to a passphrase, which is more like a run-on sentence. Keep in mind that your business very likely enforces complexity requirements, so a passphrase still has to satisfy those minimum characteristics.

Creating a passphrase

Take for example the password C0mpu7er$. This password meets all the typical criteria in terms of complexity and length. It even looks like the word ‘Computers’. The problem is that automated password cracking software can account for replacing the letter ‘O’ with the number zero, replacing the letter ‘T’ with the number seven, etc., which can make cracking such passwords a trivial process. Additionally, a lot of people only make small changes to their password when forced to change it, for example swapping the season in Summer2019! to get Fall2019!

So what about creating a passphrase? Look to the left or right of your computer. Do you have a picture, a plant, or some other item? That can be the basis of your passphrase. The sentence ‘I have a plant to my left’ can be turned into ‘ihaveaplanttomyleft’. Because of the aforementioned complexity requirements you can throw in an upper-case letter, a number, and/or a special character, and you have a password that is much more difficult to crack. ‘ihaveaplanttomyleft’ can be turned into ‘Ihaveaplanttomyleft!2019’.

While the plant passphrase is longer, it is also easier to type and remember than C0mpu7er$. You can use lyrics to a song, a quote from a book or movie, or any number of easy to remember phrases as the basis for your passphrase. You may be thinking ‘Great, now I have to remember an even longer passphrase. How does that help me?’
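As an added illustration, not code from the article’s author, the following Python scores the sample passwords above in two ways: the brute-force search space implied by length and the character categories present, and whether a simple rule set (undoing the 0-for-O and 7-for-T style substitutions, matching season + year) reduces the password to a dictionary word. The substitution table and the mini wordlist are constructed for this example.

```python
import math
import re
from typing import Optional

# The four character categories named in the article and the size of each pool
# on a US keyboard (33 printable symbols, counting space).
CATEGORIES = [
    (str.isupper, 26),
    (str.islower, 26),
    (str.isdigit, 10),
    (lambda c: not c.isalnum(), 33),
]

def search_space_bits(password: str) -> float:
    """Bits of brute-force search space, pool_size ** length, where the pool is
    the union of the categories actually present. This is the optimistic figure
    a complexity rule implicitly assumes; weak_pattern() shows why it can lie."""
    pool = sum(size for test, size in CATEGORIES if any(test(c) for c in password))
    return len(password) * math.log2(pool)

# Substitutions the article mentions (0 for O, 7 for T) plus a few equally common
# ones that cracking rules undo before a dictionary lookup (constructed table).
LEET = str.maketrans({"0": "o", "3": "e", "4": "a", "5": "s", "7": "t", "$": "s", "@": "a"})

# Constructed mini wordlist standing in for a real dictionary.
WORDLIST = {"computer", "computers", "password", "welcome", "letmein"}

SEASON_YEAR = re.compile(r"^(spring|summer|fall|autumn|winter)(19|20)\d\d[!.?]*$")

def weak_pattern(password: str) -> Optional[str]:
    """Return why the password falls to a simple rule set, or None if no rule fires."""
    lowered = password.lower()
    if SEASON_YEAR.match(lowered):
        return "season + year pattern"
    # Undo substitutions, then drop leading/trailing digits and symbols.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.translate(LEET).lower())
    if core in WORDLIST:
        return f"dictionary word after undoing substitutions: {core!r}"
    return None

def assess(passwords):
    """Map each candidate to (search-space bits rounded to 0.1, weakness reason)."""
    return {pw: (round(search_space_bits(pw), 1), weak_pattern(pw)) for pw in passwords}

if __name__ == "__main__":
    samples = ["C0mpu7er$", "Summer2019!", "ihaveaplanttomyleft", "Ihaveaplanttomyleft!2019"]
    for pw, (bits, weak) in assess(samples).items():
        print(f"{pw:26} {bits:6.1f} bits  {weak or 'no simple rule matched'}")
```

C0mpu7er$ scores a respectable 59 bits on paper yet collapses to ‘computers’ under the substitution rule, while the all-lower-case ‘ihaveaplanttomyleft’ already has a larger search space than the four-category nine-character password.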

Password manager to the rescue

Password manager applications and services are largely the same in that they store all of your passwords and passphrases. Where they generally differ, other than price, is whether you can access the passwords remotely or via a mobile app, how easy the interface is to navigate, and whether they integrate with your Internet browser (e.g. Firefox, Chrome, Safari, or Internet Explorer). So if a password manager can automatically generate a really complex password, why do I even need to remember a passphrase? Great question!

Recommended strategy

I recommend businesses use the following strategy. Educate your employees on the process of creating a passphrase. Then, when they log in to their computer with a standard account, they will be using a passphrase that is much more difficult to crack than a password. For access to individual applications and websites once logged in, make a password manager available to your employees. The password manager can create long, complex passwords and store them on a per-application or per-website basis. In a business environment where single sign-on (SSO) is implemented, an employee may only ever have to remember a single passphrase.

Whatever method, pick one and use it

A password manager is by no means a be-all and end-all risk management strategy. Through no fault of the password manager companies, if your computer has been compromised with a keylogger, and a script is sending those keystrokes to someone somewhere in the world, then the master password you use to log in to the password manager may very well be compromised too. However, if you employ other defense-in-depth measures, the chances of a keylogger being installed on your computer in the first place are greatly reduced, which in turn significantly increases the effectiveness of a password manager.