Many security experts have long advised that passwords be at least eight characters long and contain characters from all four character sets (uppercase letters, lowercase letters, digits and symbols). This advice is largely based on guidelines issued by the National Institute of Standards and Technology (NIST) in 2003. Today, though, password experts say that complexity requirements are counter-productive, and that long, simple passphrases are safer than short, complex passwords. The definitive rebuke of the 2003 NIST guidelines can be found in the XKCD "Password Strength" cartoon (the one that coined "correct horse battery staple").
Corporations have been the primary enforcers of password complexity. But despite this enforcement, 81 percent of all hacking-related breaches leveraged either stolen or weak passwords, up from 50 percent in 2015 and 66 percent in 2016, according to Verizon’s 2017 Data Breach Investigations Report.
Complexity requirements often result in less secure, more predictable passwords. People try to make the complex simpler by taking shortcuts, even reusing the same password across multiple accounts. Passphrases rely upon length over complexity to make passwords stronger and easy to remember.
Last year NIST recognized this and issued new guidelines promoting passphrases (SP 800-63B, Digital Identity Guidelines, published June 2017). The revised standard drops mandatory composition rules, says verifiers should not force periodic password changes unless there is evidence of compromise, and requires that new passwords be screened against lists of commonly used or previously breached values, among other items. We now know that complexity rules push people toward predictable substitutions, and that forced rotation produces predictable patterns. In other words, if I obtain one of your passwords, I can make educated guesses about what it will be each time it is changed (typically a trailing digit, season or month name that simply increments).
In addition to undoing the teachings of complexity, it’s important that cybersecurity experts provide guidance on how to make passphrases strong. Here’s some of ours.
Make the passphrase at least 16 characters long, or even better, make it more than 20 characters in length. Simply moving from an eight-character password to a 16-character passphrase is a significant improvement. Consider the following password and passphrase:
0X3t^R8f vs. “my horse is dizzy”
A 17-character lowercase password has 171 million times more permutations than any eight-character password, regardless of complexity (26^17 is about 1.1 x 10^24 candidates, versus 95^8, about 6.6 x 10^15, for eight characters drawn from all 95 printable ASCII characters). "my horse is dizzy" is an example of a 17-character passphrase that far surpasses any eight-character password against an exhaustive, character-by-character search. It also is very easy to memorize and was rather amusing to create. One caveat: that comparison assumes the attacker guesses character by character. An attacker who instead tries combinations of common words is searching a much smaller space for a three-word phrase, which is why the word-count guidance below matters.
All character sets should be allowed, but not mandated. Using two character sets is a strong recommendation: it is not cumbersome to mix a capital letter with lowercase letters, although all lowercase or all uppercase should also be acceptable. Adding a symbol is one of the best things you can do for a passphrase, but it should not be required.
At 23 characters long, "altruistically inclined" is not a very good passphrase. Its length does not protect it because it is only two dictionary words, and cracking tools run what I call a passphrase token attack (known in tools such as hashcat as a combinator attack): they concatenate entries from a word list, so the search is over pairs of words, not over 23 characters. The use of at least four words is highly recommended, and the minimum of 16 characters should still be adhered to. Using five or more words is far better.
The less common a word or phrase is, the more it can improve passphrase strength. That is, unless you can’t remember it! This can be a fun way to add a novel word to your vocabulary. An example passphrase is “pilots know about cabotage.” And, no, that is not a typo.
The use of a word in a different language is good, and learning a word from an obscure language can be both fun and bolster password strength. Google Translate is a great tool for this. How about “Who kisses a lagan”? According to Google, “lagan” is the Scots Gaelic word for frog.
Although random words are recommended, I am not a stickler on this. I never remember the words in the XKCD cartoon, but I can’t forget “piglet was one cute little dude.” The number of words generally beats the randomness of words.
At the End of the Day
Today’s connected world has made passwords—and passphrases—a necessary part of life. With a bit of know-how and creative thinking you can help your employees and customers create strong, hard-to-crack passphrases.
RANDY ABRAMS, a senior security analyst at Webroot Inc., is passionate about password and phishing education. He has worked in the security industry since 1997. While with Microsoft, Abrams created and administered the process used to ensure new products were released free of viruses and he played a pivotal role in convincing Microsoft to share critical security information with the anti-malware research community.
In 2005, Abrams joined the IT security firm ESET as director of technical education. While at ESET, he was a popular cybersecurity blogger, podcaster, and speaker at numerous security conferences around the world. In 2012, Abrams moved to NSS Labs where he served as a research director focusing on the analysis of endpoint protection testing. He joined Webroot in 2017. Abrams has also served as the vice president of the Association of anti-Virus Asia Researchers (AVAR) since 2002.