by admin — last modified Apr 21, 2017 11:09 AM
Thoughts on this month's OUCH! on Passphrases
Passphrases are helpful if you don't use a password manager. Even without a password manager, I prefer passwords over passphrases. There are lots of ways to make passwords memorable. The difference between passwords and passphrases is that passwords are shorter than passphrases for the equivalent complexity (entropy). Have at least one character from each of the four character groups whether you use passwords or passphrases. Thus in the example below, consider using '4Sustain-Easily-Imprison' rather than 'Sustain-Easily-Imprison' —Ned Schumann
SANS OUCH! for April 2017: Passphrases
Passwords are something you use almost every day, from accessing your email or banking online to purchasing goods or accessing your smartphone. However, passwords are also one of your weakest points; if someone learns or guesses your password they can access your accounts as you, allowing them to transfer your money, read your emails, or steal your identity. That is why strong passwords are essential to protecting yourself. However, passwords have typically been confusing, hard to remember, and difficult to type.
The challenge we all face is that cyber attackers have developed sophisticated and effective methods to brute force (automated guessing) passwords. This means bad guys can compromise your passwords if they are weak or easy to guess. An important step to protecting yourself is to use strong passwords. Typically, this is done by creating complex passwords; however, these can be hard to remember, confusing, and difficult to type. Instead, we recommend you use passphrases: a series of random words or a sentence. The more characters your passphrase has, the stronger it is. The advantage is that these are much easier to remember and type, but still hard for cyber attackers to hack. Here are two different examples:
Time for tea at 1:23
Sustain-Easily-Imprison
What makes these passphrases so strong is not only that they are long, but that they use capital letters and symbols. (Remember, spaces and punctuation are symbols.) At the same time, these passphrases are also easy to remember and type. You can make your passphrase even stronger if you want to by replacing letters with numbers or symbols, such as replacing the letter ‘a’ with the ‘@’ symbol or the letter ‘o’ with the number zero. If a website or program limits the number of characters you can use in a password, use the maximum number of characters allowed.
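The two points above, Ned's observation that a password needs fewer characters than a passphrase for the same entropy and the newsletter's "more characters means stronger", can be put in numbers. The following is an added illustration, not code from SANS or from the commenter; it assumes uniformly random selection, a 94-symbol printable-ASCII alphabet for passwords, and a 7776-word list (the size of a standard Diceware list) for passphrases, and it also checks the four-character-class rule against the examples on this page.

```python
import math
import string

# The four character groups Ned's note asks for; the newsletter counts
# spaces and punctuation as symbols, so they are grouped together here.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}


def missing_classes(secret: str) -> list:
    """Return the names of the character groups that `secret` does not cover."""
    present = set(secret)
    return [name for name, chars in CLASSES.items() if not (present & chars)]


def password_bits(length: int, alphabet_size: int = 94) -> float:
    """Entropy (bits) of `length` characters each chosen uniformly from
    `alphabet_size` symbols. 94 = printable ASCII without the space (assumption)."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count: int, wordlist_size: int = 7776) -> float:
    """Entropy (bits) of `word_count` words each chosen uniformly from a
    list of `wordlist_size` words. 7776 is a Diceware-sized list (assumption)."""
    return word_count * math.log2(wordlist_size)


def password_length_to_match(word_count: int, wordlist_size: int = 7776,
                             alphabet_size: int = 94) -> int:
    """Shortest random password over `alphabet_size` symbols whose entropy
    is at least that of a `word_count`-word random passphrase."""
    per_char = math.log2(alphabet_size)
    return math.ceil(passphrase_bits(word_count, wordlist_size) / per_char)


if __name__ == "__main__":
    for example in ("Sustain-Easily-Imprison", "4Sustain-Easily-Imprison",
                    "Time for tea at 1:23"):
        print(f"{example!r}: missing groups {missing_classes(example)}")
    for words in (3, 4, 5):
        chars = password_length_to_match(words)
        print(f"{words} random words ({passphrase_bits(words):.1f} bits) "
              f"~ {chars} random printable characters ({password_bits(chars):.1f} bits)")
```

Note that the entropy figures only hold for randomly chosen words or characters; a memorable sentence such as "Time for tea at 1:23" is far from uniformly random, which is why the newsletter leans on length and mixed symbols rather than on these estimates.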