It’s Time to Convert from Passwords to Passphrases

Friday, June 08, 2012

Stacey Holleran


How to establish an easy-to-use passphrase system to protect yourself and others

The traditional password must die. The whole concept, based on a single word and since updated to require a minimum length and “at least one uppercase and lowercase letter, and one number or symbol”, is fatally flawed.

This is because we, as human beings, tend to fall into patterns with our passwords, even when we attempt to employ strategies to “fool” prying eyes and tools.

It’s time for a fundamental change in password construction. This change has to be so universal that the word “password” exits our vocabulary.

“Passphrase” Must be the New Normal

A review of commonly used passwords reveals that most of us are just trying to get by with a linear pattern that we can easily remember.

And even those of us who make the effort to choose a “unique” password end up looking quite similar: we all have a nickname we like to use, a beloved pet’s name, a child’s name or a hobby that feels special to us but is more common than we think.

Turning a common denominator into something truly unique means using a phrase rather than a single word. Your child’s name may not be unique; in fact, their name plus the year in which they were born may not be unique either. A phrase that conjures up a thought related to that child, however, is most likely entirely unique.

Consider this example: AshleyLovedDisney!in11 (You took your daughter Ashley to Disney last year and she loved it).

Here’s another one: ##96FootballIsAWESOME## (You play football and your jersey number is 96).

The above examples have the following in common:

  • They meet common password strength criteria, including upper and lowercase letters, a number and a symbol
  • They combine multiple words, numbers and symbols to create a unique phrase
  • They are memorable for the user

For the individual, passphrases of this type are much stronger than the average password.

Implementing Passphrases as a Business Standard

While the above passphrase examples are great for personal use, it’s important for IT professionals to enforce a business-standard passphrase requirement in the enterprise environment. This standard should make it easy for employees and representatives of the company to utilize secure-yet-memorable passphrases for all company-related business.

Here are some important tips for passphrase implementation in the business environment:

  • Employees should never re-use personal passwords/passphrases in the workplace environment
  • If an employee works across multiple platforms requiring authenticated entry, they need to be able to employ a passphrase pattern that is unique yet easy for them to transfer between platforms
  • If your company’s name is also used as an acronym, encourage employees to use the company’s full name/acronym in a unique way within the passphrase

An example of a business passphrase for someone using multiple platforms on behalf of Smith Widget Company (SWC) would be:

  • ImTweetingSmithWC2600!! (A Twitter password that incorporates the company name and headquarters street address number)
  • ImFacingSmithWC2600!! (The Facebook password, which also incorporates the company name and headquarters street address number)
  • JJNsWrknAtSmithWC2600!! (The user’s individual password to the company system, which incorporates the individual’s initials with the standard pattern already used)

A good standard practice is to have employees change their business-related passphrases every three months. All passphrases should be changed simultaneously to maintain consistency for the individual.

Here is the example of JJN, who used the pattern above and now must change to a new one:

  • *SmWiCoTWTR12* (The Twitter password, still incorporating the company name, but in a different way, with different symbols and the current year)
  • *SmWiCoBOOK12* (The Facebook password, which incorporates the same convention as above)
  • *SmWiCoJJN12* (The user’s individual password to the company system, which incorporates the individual’s initials with the standard pattern already used)

Note the best practice of completely changing the passphrase (versus simply swapping out a number or symbol). Also, for popular online services, standard abbreviations should not be used or shared across channels, so that someone who has compromised one account cannot guess the other.
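The strength criteria listed earlier and the two rotation rules above (change the whole passphrase, not just its digits and symbols; do not embed a standard abbreviation of the service) can be turned into a policy check that an IT team runs when an employee proposes a new passphrase. The following is an added example written for this article, not ControlScan's or Infosec Island's code. The 12-character minimum, the 0.6 similarity threshold and the abbreviation table are assumptions, since the article gives no figures; the sample passphrases are the article's own examples plus one constructed acceptable rotation.

```python
"""Passphrase policy checks modelled on the article's rules (added example).

Rules implemented:
  1. strength criteria: upper, lower, digit and symbol present, plus a length floor;
  2. a rotation must be a real change, not the old passphrase with swapped digits/symbols;
  3. the channel-specific part must not be a standard abbreviation of the service name.
The minimum length, the similarity threshold and the abbreviation table are assumptions.
"""
from difflib import SequenceMatcher

MIN_LENGTH = 12                  # assumed policy floor; the article names no number
MAX_SKELETON_SIMILARITY = 0.6    # assumed threshold for "completely changed"

# Constructed table of well-known abbreviations for the services the article mentions.
CHANNEL_ABBREVIATIONS = {
    "twitter": ("twtr", "twit", "tweet"),
    "facebook": ("fb", "face", "book"),
}


def character_classes(passphrase):
    """Return the set of character classes present in the passphrase."""
    classes = set()
    for ch in passphrase:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")   # anything else, spaces included, counts as a symbol
    return classes


def meets_strength_criteria(passphrase, min_length=MIN_LENGTH):
    """The article's criteria: upper and lowercase letters, a number and a symbol."""
    return (len(passphrase) >= min_length
            and character_classes(passphrase) == {"upper", "lower", "digit", "symbol"})


def letter_skeleton(passphrase):
    """Case-folded letters only: what remains once digits and symbols are swapped out."""
    return "".join(ch for ch in passphrase if ch.isalpha()).lower()


def is_real_change(old, new, max_similarity=MAX_SKELETON_SIMILARITY):
    """True when the new passphrase is more than the old one with different digits/symbols."""
    old_sk, new_sk = letter_skeleton(old), letter_skeleton(new)
    if old_sk == new_sk:
        return False
    # Compare the letter skeletons so that "2600!!" -> "2601??" style edits are caught.
    return SequenceMatcher(None, old_sk, new_sk).ratio() < max_similarity


def uses_channel_abbreviation(passphrase, channel):
    """True when the passphrase embeds a standard abbreviation of the service it protects."""
    skeleton = letter_skeleton(passphrase)
    return any(abbr in skeleton for abbr in CHANNEL_ABBREVIATIONS.get(channel, ()))


def rotation_problems(old, new, channel=None):
    """Collect every rule the proposed rotation breaks; an empty list means it is acceptable."""
    problems = []
    if not meets_strength_criteria(new):
        problems.append("fails strength criteria")
    if not is_real_change(old, new):
        problems.append("only digits/symbols changed, or too close to the old passphrase")
    if channel and uses_channel_abbreviation(new, channel):
        problems.append(f"embeds a standard abbreviation of {channel}")
    return problems


if __name__ == "__main__":
    # The article's Twitter example rotated three ways; the last candidate is constructed.
    old = "ImTweetingSmithWC2600!!"
    for candidate in ("ImTweetingSmithWC2601??", "*SmWiCoTWTR12*", "*SmWiCoChirp12*"):
        print(candidate, rotation_problems(old, candidate, "twitter") or ["ok"])
```

Run against the article's own rotated examples, the abbreviation rule flags the TWTR and BOOK fragments, which is exactly the behaviour the last paragraph asks for, while the skeleton comparison rejects a "rotation" that merely bumps the year or swaps the trailing symbols.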

The Time is Now

The sheer volume of attacks filling the Internet and the business headlines should be a wake-up call to anyone who uses a password (hint: that’s pretty much everyone). Now is the time to practice vigilance, both professionally and personally, to secure personally identifiable information (PII) and business systems.

This applies to current platforms and channels as well as to newly established accounts and to security applications such as firewalls, which ship with default passwords that must be changed immediately.

Stacey Holleran is Sr. Public Relations Manager for ControlScan, a provider of Payment Card Industry (PCI) Compliance and Security services headquartered in Atlanta, Georgia.
