National Cybersecurity Month – Part Three: Using Passphrases


We all know that having a strong password is a good idea, and that a more complex password is stronger than a simple one. The pitfall is trying to remember a complex password, especially when we are expected to remember so many different ones. This frustration leads to writing them down somewhere, which is a lot like leaving your house key under your doormat.

Complexity ≠ Confusion

If you start thinking about your password as a passphrase, you can improve your security practices with very little effort at all.
The average human brain can only reliably remember a maximum of about 10 “random” letters and numbers in sequence, but we can easily remember hundreds or even thousands of words in sequence. (Stage actors can often memorize not only their own lines, but the lines of every other cast member!)

Remember, a computer doesn’t see your password as anything other than a string of characters; it doesn’t read it as words. Since most websites allow an UNDERSCORE in password fields (and some have even begun to allow SPACES), you should take advantage of this to create very strong, very easy to remember passphrases.

Example:
“a@s3D4f%g^h7J8”
“January_2014_was_cold”

According to Microsoft Security, these two passphrases are equally strong. However, the second one is much easier to remember.
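To show what “the computer only sees characters” means for the two passwords above, here is an added estimate (example code, not from the original post or from Microsoft) of how many bits of guessing a character-level brute-force search faces for each. It also estimates the passphrase under a word-level guessing model with assumed token-list sizes (12 months, 100 years, 2000 common words per slot; these sizes are an assumption), which shows why the words you pick should not form a predictable pattern.

```python
import math
import string

# Character classes a character-level brute-force guesser would have to cover.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),  # 32 printable ASCII symbols, '_' included
}


def charset_size(password: str) -> int:
    """Size of the alphabet a character-level search must cover for this password."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def char_entropy_bits(password: str) -> float:
    """Guessing work if the attacker sees only characters: log2(alphabet ** length)."""
    return len(password) * math.log2(charset_size(password))


def word_entropy_bits(slot_sizes) -> float:
    """Guessing work if the attacker fills each slot from a known list of tokens."""
    return sum(math.log2(n) for n in slot_sizes)


# The two passwords compared in the post.
RANDOM_PW = "a@s3D4f%g^h7J8"
PASSPHRASE = "January_2014_was_cold"

# Assumed list sizes for month, year, word, word (hypothetical, for illustration).
PASSPHRASE_SLOTS = (12, 100, 2000, 2000)

if __name__ == "__main__":
    for pw in (RANDOM_PW, PASSPHRASE):
        print(f"{pw!r}: alphabet of {charset_size(pw)} characters, "
              f"{char_entropy_bits(pw):.1f} bits at character level")
    print(f"{PASSPHRASE!r}: {word_entropy_bits(PASSPHRASE_SLOTS):.1f} bits "
          "if guessed as month_year_word_word")
```

Both strings use all four character classes, so at character level both are far beyond any practical brute-force search; the word-level figure is the one to keep in mind when choosing which words go into a passphrase.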

Convenience as the Enemy of Security

Even with a complex, easy to remember passphrase, we sometimes get tired of typing it in, especially for accounts we need to access regularly. In these cases, many people opt to let their browser save their passwords for specific websites.

The problem with this is two-fold.

Firstly, if someone is able to open your browser, revealing all of your saved passwords takes only three mouse clicks. If you use a browser that syncs your account information across every device you use (including auto-filling your passwords…), then gaining access to your browser on one system could potentially give someone access to ALL devices you have synced to that account.

Secondly, we are also faced with the dilemma that we need passwords in so many different places that most people end up using the same password for multiple accounts. So even if you only allow the browser to store one of your passwords, chances are pretty good that you’ve used that same password for at least three other accounts.