Unique Passwords Matter: Here is Why

Passwords, what are they good for? It depends…
This article is written based on CMMC version 1.0, and may not reflect the updated requirements of CMMC 2.0.

For the latest information on CMMC 2.0, please click here.

Passwords, what are they good for? It depends…

We have all seen the screen when logging in:

“Your password is about to expire!  Click here to choose a new password before you log back in”

Often this is the preamble to the excruciating exercise of choosing a password that must be 8 characters long, not be decipherable by any known means, include one Chinese character, one Greek character, and cannot be the same as the last 100 passwords you have created.  Ever.

By the way, make sure you memorize it and NEVER WRITE IT DOWN OR SHARE IT WITH ANYONE!

Easy, right? Well…actually…it can be!

Most users we encounter feel that the current expectations for passwords, were developed by a WWII war general who dabbles in psychology.  The problem is, almost all of the above rules are outdated.

Cyber Security Password

A Better Authentication

First let’s ditch the term “password”.  This technical term immediately conjures images much like the introduction to this blog.  Instead, let’s use the term “PASSPHRASE”.

Why?  Answer this:  Why does the string of characters have to be a “word”?  It does not have to be a single word, nor does it have to be confusing or hard to remember.

But what should it be?  When we talk about strong passphrases, there are two criteria that stand out among all others:

It must be unique and it must be long!

When we say a unique passphrase, we mean something not used for any other logins.  That is, every passphrase you use, needs to be unique to a COMPUTER, not necessarily to you, a human.  More on that in a moment.

When we talk about a long passphrase, we mean longer than 12 characters.  There has to be some variance of characters as well, preferably a mix of letters (upper and lower case), numbers, and if you like, some punctuation or special characters.

Really, it is the length of the passphrase that matters the most, because…math.

Let’s say your passphrase is one character and you have to use a lowercase letter. You’d only have twenty-six (26) different passphrase possibilities.

But what if you can use one upper or lower case letter,  Now, you have 52 possibilities. Not a lot of possibilities, but better.

Let’s say your passphrase is two letters long (lower or upper case): now the computer must cycle through 52 times 52 (or 522) possibilities to break your passphrase. That’s three thousand eight hundred forty-four (3,844) different possibilities.

If your passphrase is ten letters long (lower or upper case), the computer will have to cycle between 52 raised to the tenth power, or over one hundred forty-four quadrillion (that’s with a “q”) different possibilities.

In other words, passphrase length beats passphrase complexity all day long.

But How Does that Help?

Here is where the rubber meets the road.  Grab a piece of scratch paper and let’s talk about ways to secure your logins with more security and less headache!

Think of a story or sentence FOR THE YEAR (in this case, 2019) that you can remember.

For this example let’s use: “I dropped my ice cream”

Now let’s add something that will allow you to remember it but also increase it’s uniqueness: “I Goo Dropped gle my ice cream”

If you didn’t catch it, that would be a login for Google services.  You will want to do something similar for Amazon, Microsoft, your bank name or what have you, just substitute what you will remember about that service, in to the sentence every time you create a passphrase for it.

Example: “I Ama Dropped zon my ice cream”

Next, let’s add some numbers and a special character just for fun: “ I Goo Dropped gle my 5 ice cream$”

There you go!  Long, unique, and even complex!  Can you remember that?  We bet you can.  Plus, you don’t have to write it down, tell anyone, store it in an on-line vault, or even strain your brain to make it work!

The icing on the cake: Add multi-factor authentication (free for the most popular brands of e-mail accounts and services) to your login…and POOF, you have “enterprise grade” information security for all the logins you care about!

Google Authenticator is free, as is DUO Security for under 10 users. We highly suggest you include one of those as a second factor of authentication, for any application/site you don’t want others to gain access to.

To learn more about multi-factor authentication, click here.

Beryllium cares.  That’s why we talk about this stuff.  If you have questions about securing your information, reach out to us, and we will be happy to help you solve your information security puzzles, together.

Derek White
Chief Product Officer
Derek’s success comes from his customer first mentality, utilizing collaboration between security and technology, to create positive outcomes & compliant solutions.

Speak With a NIST Security Expert at Beryllium InfoSec Today

To reach us please fill out the form below.