Passwords, what are they good for? It depends…
We have all seen the screen when logging in:
“Your password is about to expire! Click here to choose a new password before you log back in”
Often this is the preamble to the excruciating exercise of choosing a password that must be 8 characters long, not be decipherable by any known means, include one Chinese character, one Greek character, and cannot be the same as the last 100 passwords you have created. Ever.
By the way, make sure you memorize it and NEVER WRITE IT DOWN OR SHARE IT WITH ANYONE!
Easy, right? Well…actually…it can be!
Most users we encounter feel that the current expectations for passwords were developed by a WWII general who dabbles in psychology. The problem is, almost all of the above rules are outdated.
A Better Authentication
First let’s ditch the term “password”. This technical term immediately conjures images much like the introduction to this blog. Instead, let’s use the term “PASSPHRASE”.
Why? Answer this: Why does the string of characters have to be a “word”? It does not have to be a single word, nor does it have to be confusing or hard to remember.
But what should it be? When we talk about strong passphrases, there are two criteria that stand out among all others:
It must be unique and it must be long!
When we say a unique passphrase, we mean something not used for any other logins. That is, every passphrase you use needs to be unique to a COMPUTER, not necessarily to you, a human. More on that in a moment.
When we talk about a long passphrase, we mean longer than 12 characters. There has to be some variance of characters as well, preferably a mix of letters (upper and lower case), numbers, and if you like, some punctuation or special characters.
Really, it is the length of the passphrase that matters the most, because…math.
Let’s say your passphrase is one character and you have to use a lowercase letter. You’d only have twenty-six (26) different passphrase possibilities.
But what if you can use one upper or lower case letter? Now you have 52 possibilities. Still not a lot, but better.
Let’s say your passphrase is two letters long (lower or upper case): now the computer must cycle through 52 times 52 (or 52²) possibilities to break your passphrase. That’s three thousand eight hundred forty-four (3,844) different possibilities.
If your passphrase is ten letters long (lower or upper case), the computer will have to cycle through 52 raised to the tenth power (52¹⁰), or over one hundred forty-four quadrillion (that’s with a “q”) different possibilities.
In other words, passphrase length beats passphrase complexity all day long.
But how does that help?
Here is where the rubber meets the road. Grab a piece of scratch paper and let’s talk about ways to secure your logins with more security and less headache!
Think of a story or sentence FOR THE YEAR (in this case, 2019) that you can remember.
For this example let’s use: “I dropped my ice cream”
Now let’s add something that will allow you to remember it but also increase its uniqueness: “I Goo Dropped gle my ice cream”
If you didn’t catch it, that would be a login for Google services. You will want to do something similar for Amazon, Microsoft, your bank, or what have you: just substitute what you will remember about that service into the sentence every time you create a passphrase for it.
Example: “I Ama Dropped zon my ice cream”
Next, let’s add some numbers and a special character just for fun: “I Goo Dropped gle my 5 ice cream$”
There you go! Long, unique, and even complex! Can you remember that? We bet you can. Plus, you don’t have to write it down, tell anyone, store it in an on-line vault, or even strain your brain to make it work!
The icing on the cake: Add multi-factor authentication (free for the most popular brands of e-mail accounts and services) to your login…and POOF, you have “enterprise grade” information security for all the logins you care about!
Google Authenticator is free, as is Duo Security for under 10 users. We highly suggest you include one of those as a second factor of authentication for any application or site you don’t want others to gain access to.
Beryllium cares. That’s why we talk about this stuff. If you have questions about securing your information, reach out to us, and we will be happy to help you solve your information security puzzles, together.
Beryllium InfoSec Collaborative (“Beryllium” for short), is an information security and cyber security company located in Minneapolis, Minnesota. As a small business owned by veterans, Beryllium has 40-plus years of industry experience across industry & government. We are National Institute of Standards and Technology (NIST) information security experts, who know the balance of security needs and operational requirements. NIST provides the definitive compilation of guidelines that all other standards are derived from, either partially or wholly.
Beryllium is unique in that we use strategic collaboration, education, and a holistic approach to information security & cyber security. From small to medium size businesses (SMBs) to enterprise organizations, our expertise in the NIST information security & cyber security guidance allows us to build unique, compliant & cost-effective solutions for any organization.