Don’t use a password; it’s time to use a “passphrase”

Featured

Consumer:

Posted 341 days ago by Tony Anscombe

With news of well-known websites such as LinkedIn and others suffering high profile password breaches, awareness of password security should be at an all time high.

Here are the facts: the traditional password is dead.

Gone are the times when you could use a traditional password that might have been based on your name, your pet’s name or even your birthday. Our predisposition to use easy-to-remember words or numbers with a linear base as in 1,2,3,4 or even 5,6,7,8 has to change.

Global information security hacking, phishing, spam and all many of identity theft has grown to a level of sophistication where an individual’s “personal data associations” can easily be cross-referenced and so should not be used as the basis of passwords.

Allow us to explain that last paragraph.

If user ‘Sally Mills’ tweets on Twitter that her birthday celebrations are happening on the 5^th of February and she subsequently uses “05FebSally” as her Facebook password, then this is not secure. Automated password cracker software has the ability to trace individual’s public web activity and make these associations to compromise person data security.

What do we need to do then?

As a basis for creating a secure password today you should if possible include ALL and not just some of the following elements:

A mix of lower case and UPPER CASE letters.
An “alphanumeric” mix of both letters and numbers.
So called “special characters” such as @,£, $,^<, _, * or even { and | if your keyboard has them.
If possible, words that do fall into the English (or any other language) — or at least make use of non-standard common words and phrases (nonsense if you prefer the term).

Enter the passphrase!

So at this point users should look to move onward from the simple password and start to look at more sophisticated groups of characters such as “AvGrocks4security!” for example, this is where we see that the passphrase has come of age.

You might like to use something personal to you that can still creates complexity as the basis for your passphrase. So for example these become a lot harder to crack:

Man#Uwrkngwell4ever! (Manchester United Working Well Forever)
IamdaKingof#1choc&iceKreme (I am the king of chocolate and ice cream)

Or rather shorter, even “Neil!luvs2jog” is an improvement upon “password”, “admin” or “12345678” – passwords which are still used with alarming regularity.

Passphrases aren’t just for email accounts either. Users should be taking this route to secure their social networking accounts as well as their cloud-based storage accounts if for example they are using Apple’s iCloud service and others.

Passphrases do not have to be 40 or even 20 characters long as some of the examples we have shown you here to illustrate the point are, but the longer you can make them the more secure they will be and the closer to “military grade” you will be encrypting your own personal data.

Print Story

Email Story

http://www.facebook.com/profile.php?id=788434426 ManOs HawkFire

I use long greek names or words with letters replaced with symbols and numbers in upper and lower case
http://www.facebook.com/profile.php?id=607195754 Dan Wiley

Thanks for the great tip!
http://www.facebook.com/renierjoy Prince Pineda

brilliant!!!
http://www.facebook.com/NillDumont Nill Dumont

Ótima idéia, já fui hakeado algumas vezes, até no FACE… mudando a minha agora mesmo!!!
http://www.facebook.com/profile.php?id=100001747403662 Sergio H Gonzalez

I agree that this is indeed “much more secure ” than passwords to avoid crackers.
Well done.
http://profile.yahoo.com/UMHVNTS25BM2I6UO5BGTSFBEZA Joe

I have always used phrases but only the 1st letter of the phrase. Your Neil loves to jog would be *NL2jitM! (I added in the morning). I generally use a phrase that is silly, has some kind of connection to the site I am on for me but probably wouldn’t make any sense to any one else and every site I’m on (which is about 30, including sites I sell on) has a different silly phrase. I also don’t pass out personal information about myself online which probably helps a little.
http://beartales.me/2012/06/15/dont-use-a-password-its-time-to-use-a-passphrase/ Don’t use a password; it’s time to use a “passphrase” | Bear Tales

[...] This is probably very good advice. I have been using RoboForm and AVG Internet Security for some time now so I don’t have to remember passwords. RoboForm does it for me on all devices. Anyway have a read of this Blog Don’t use a password; it’s time to use a “passphrase”. [...]
http://getprotection.co.cc/?p=293 Mike's Security Blog

[...] via AVG blog [...]
http://twitter.com/joans34 Joan Aguilar

http://xkcd.com/936/

Randall disagrees. I believe length over complexity.
http://www.facebook.com/gordon.dale1 Gordon Dale

sounds interesting
xweque xweque

Good tip. Only a bit old to me. Was YEARS ago I switched to a phrase.
http://profile.yahoo.com/N6S4TOAHXNJ3EV36HBZ6KUQNPI mhnd

complexity is very important to prevent people (machines) guessing your password, but what about brute force ?
the length of the password is the most important, pass phrases should be long but easy to remember
time needed to crack such a password “M@n24%vRr<!" is too much less than the time needed to crack a long pass phrase such as
"I want to walk on the moon 0000000000"
and the second is very easy to remember.

http://www.grc.com/haystack.htm
http://www.facebook.com/john.paul.greenwood John Greenwood

It seems that your suggesting one descent password could be used on all services – this is just asking for trouble. No matter how good your password it’s still at risk from phishing, web hacking, sniffing or capture by Trojans. The best defence has to be using a different password for every site you visit. This may sound like a nightmare, but there are simple solutions.
Start by having a secure ‘core password’ and then add some site unique information to the core. For example, assuming your core password is ‘St1ckl3back’ then for Hotmail you could use hSt1ckl3back7 – the initial letter is the first letter of the site name and the trailing number is the number of letters in the site name. For Google, the password would be gSt1ckl3back6. Obviously you could always use the second letter of the site name and add say 13 to the number of letters to make it more personal.
This allows you to have ONE core password or passphrase, but make it different for almost every site you visit!
Chat soon.
http://www.facebook.com/cindi.eddy Cindi Eddy

I’ve been using pass phrases for at least 2 years. I feel very secure in them. I’ve had people (even my husband) try to guess them and no one has any idea what they may be. I have a different phrase for my email, my banking, and my FB account. To make them even more secure, I have added capital letters within them (with no apparent pattern).
Barry Moss

Too many sites limit you to 8 or 10 characters as a password to make the passphrase practical at this time.
http://brownchickenbrowncow.myopenid.com/ Victor

This is one of the biggest problems with internet security. People are encouraging others to rely on their password or in this case passphrases as if they were all that is needed. Passphrases are not secure in their own! A strong passphrase does not replace the need for other effective security control. People need to be talking less about passwords and more about other steps that need to be implemented, like some form of 2FA were you can telesign into your account and have the security knowing you are protected if your password were to be stolen. This should be a prerequisite to any system that wants to promote itself as being secure. With this if they were to try to use the “stolen” password and don’t have your phone nor are on the computer, smartphone or tablet you have designated trusted, they would not be able to enter the account.
http://brownchickenbrowncow.myopenid.com/ Victor

This is one of the biggest problems with internet security. People are encouraging others to rely on their password or in this case passphrases as if they were all that is needed. Passphrases are not secure in their own! A strong passphrase does not replace the need for other effective security control. People need to be talking less about passwords and more about other steps that need to be implemented, like some form of 2FA were you can telesign into your account and have the security knowing you are protected if your password were to be stolen. This should be a prerequisite to any system that wants to promote itself as being secure. With this if they were to try to use the “stolen” password and don’t have your phone nor are on the computer, smartphone or tablet you have designated trusted, they would not be able to enter the account.
http://www.facebook.com/napsterN2O Neeraj Vernekar

awesum

Avatars by Sterling Adventures