2016 saw a number of major cybersecurity breaches impacting prominent individuals and major corporations. Whilst some of these breaches were caused by sophisticated hacking attacks, a not-insignificant number resulted from an easily fixable source – weak passwords. Rather than trying to teach their employees to devise increasingly complex passwords that are harder to crack, many organisations have focussed on a different approach: encouraging their staff to use passphrases instead.
Passwords and passphrases
What is the difference between passwords and passphrases? Both can be used as authentication factors. A password is a single connected sequence of characters, typically one word or number, whilst a passphrase is a longer sequence of several words, often mixed with numbers and joined by separators such as @, * or %. Thus, an example of a password is Happy; an example of a passphrase is Happy#isonewho@sings.
At its core a passphrase should be a phrase that is memorable but not so obvious that an attacker could easily guess it. the@Purple*dog is an example of such a passphrase. A person’s first and last names tied together would technically qualify as a passphrase, but would be far less secure, because anyone who knows the user can guess it.
The top reasons for using passphrases instead of passwords are:
Ease of memorisation
A secure password is one that is long enough to resist brute-force guessing and random enough to defeat so-called “dictionary” attacks, which try lists of known words. The problem is that such passwords are hard to remember, which defeats their purpose: people write them down or reuse them. Passphrases, on the other hand, get their strength mainly from length, which makes them resistant to brute force, and they are far easier to remember than a random string of comparable strength.
They satisfy security rules
Passphrases can easily be long enough to resist cracking, and mixing cases, punctuation and special characters lets them satisfy security rules that mandate complexity without making them materially harder to remember.
Passwords are susceptible to cracking
Cyber criminals have developed sophisticated tools that make password cracking an art form. Dictionary attacks make short work of any single-word password, and completely random passwords typically must be short to be memorable, which leaves them within reach of brute-force methods.
Passphrases are extremely difficult to crack
Brute-force tools lose their effectiveness at around 10 to 12 characters, making passphrases, which are easily longer than that, impractical to brute-force. Length combined with unpredictable word choice, punctuation and case makes the best of them very hard to crack. One caveat: cracking tools can also chain dictionary words together (so-called combinator attacks), and well-known phrases, quotations and song lyrics already appear in attackers’ wordlists, so a passphrase is only as strong as the unpredictability of the words it contains.
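As an added illustration, not part of the original article, the following Python script puts numbers on the complexity-rule and cracking arguments above. It estimates the search space of a secret under a naive brute-force model (the attacker knows only length and character classes) and under a combinator model (the attacker knows the secret is dictionary words joined by separators), converts that to worst-case cracking time, and checks a typical corporate complexity rule. The wordlist size, joiner count and guess rate are assumptions chosen for illustration, not measurements of any real tool.

```python
"""Added example: guess-space estimates for passwords vs passphrases.

Two attacker models are compared: plain brute force over the character
classes present, and a combinator attack that assembles dictionary words
with separators. The constants below are assumptions for illustration.
"""
import math
import string

WORDLIST_SIZE = 20_000       # assumed: entries in the attacker's word list
JOINERS = 11                 # assumed: 10 separator symbols (@#*%!$&-_.) plus "no separator"
GUESSES_PER_SECOND = 1e10    # assumed: one GPU rig against a fast unsalted hash such as NTLM


def charset_size(secret: str) -> int:
    """Alphabet size a brute-force attacker must cover for this secret."""
    size = 0
    if any(c.islower() for c in secret):
        size += 26
    if any(c.isupper() for c in secret):
        size += 26
    if any(c.isdigit() for c in secret):
        size += 10
    if any(c in string.punctuation for c in secret):
        size += len(string.punctuation)   # the 32 printable ASCII symbols
    return size


def brute_force_bits(secret: str) -> float:
    """log2 of the keyspace when the attacker knows only length and character classes."""
    return len(secret) * math.log2(charset_size(secret))


def combinator_bits(n_words: int, wordlist_size: int = WORDLIST_SIZE,
                    joiners: int = JOINERS) -> float:
    """log2 of the keyspace when the attacker knows the secret is n_words
    dictionary words with a joiner (or nothing) between each adjacent pair."""
    return n_words * math.log2(wordlist_size) + (n_words - 1) * math.log2(joiners)


def effective_bits(secret: str, n_words: int) -> float:
    """The attacker uses whichever model is cheaper, so that is the real strength."""
    return min(brute_force_bits(secret), combinator_bits(n_words))


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return 2.0 ** bits / rate


def meets_policy(secret: str, min_len: int = 12, min_classes: int = 3) -> bool:
    """A typical corporate complexity rule: minimum length plus three of four classes."""
    classes = sum([
        any(c.islower() for c in secret),
        any(c.isupper() for c in secret),
        any(c.isdigit() for c in secret),
        any(c in string.punctuation for c in secret),
    ])
    return len(secret) >= min_len and classes >= min_classes


if __name__ == "__main__":
    # Constructed samples: the article's two passphrases plus its single-word password.
    # n_words is given explicitly; we assume the attacker guesses the word count.
    for secret, n_words in [("Happy", 1), ("the@Purple*dog", 3), ("Happy#isonewho@sings", 5)]:
        bf, cb = brute_force_bits(secret), combinator_bits(n_words)
        days = seconds_to_exhaust(effective_bits(secret, n_words)) / 86400
        print(f"{secret:22} brute-force {bf:5.1f} bits  combinator {cb:5.1f} bits  "
              f"worst case {days:.3g} days  policy ok: {meets_policy(secret)}")
```

Running it shows why the combinator model matters: the article's the@Purple*dog is about 89 bits under brute force but only about 50 bits once the attacker assumes three dictionary words with separators, which is days rather than aeons at the assumed guess rate. It is still vastly better than the single word Happy, but the margin comes from the number and unpredictability of the words, not from the punctuation; for a phrase that is itself in a wordlist the combinator figure is optimistic.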
Operating system support
Passphrases are supported by the major operating systems, Windows, Linux and Mac among them; Windows, for example, accepts passwords of up to 127 characters. Before rolling passphrases out, check the limits of every system they will be used on: some legacy hashing schemes silently truncate (traditional Unix crypt at 8 characters, bcrypt at 72 bytes), so any length beyond the cut-off contributes nothing.
If your company is looking to strengthen its authentication procedures, consider encouraging staff to use passphrases rather than passwords. The combination of memorability and security makes passphrases more effective than passwords in many cases.