Passphrases and passwords - knowing the difference and staying secure during Cybersecurity Awareness Month, and beyond

10/01/2021

Dr. John Nicholas, professor of computer information systems and co-founder of the CIS Cybersecurity degree track and faculty fellow of CISS, will be posting cybersecurity best practices weekly updates throughout October. This week Nicholas discusses passwords, passphrases and how to keep them organized.

Best Practice 1: Passphrases—not passwords

Since 2017, when it published Special Publication 800-63B, the National Institute of Standards and Technology has favored length over forced complexity, and that is what makes passphrases attractive. A passphrase is used exactly like a password but is generally much longer. It is the length of a passphrase, not exotic characters, that makes it harder to guess than a typical password.

Passwords that consist of random numbers, uppercase and lowercase letters and special characters are hard to remember. Once we think we have a good one, we tend to reuse it for other logins. Reuse is a very poor cybersecurity practice that most people have made into a habit: one breached site exposes every account that shares the password.

Passphrases take advantage of things our brains already store as units, like the letters in a word. Words are easier for us to process than a group of randomly selected letters, numbers and symbols. In other words, when we see the word ZIPS our brains see it as one thing and not as four separate letters Z-I-P-S. We do not process each letter individually. From a security perspective, easier-to-remember passphrases make us less likely to write down our passwords somewhere or store them in a plain file on our devices (which is a horrible security practice).

NIST's guidance is to pick a passphrase that is relatable to you, easy for you to remember, but hard for others to guess, and to let length do the work (SP 800-63B requires that systems accept passphrases of at least 64 characters). A practical target is a group of words that together run 15 to 20 letters or more. That could be the names of four streets you drive down on your way to work, the starting line-up of your youth basketball team or your favorite line from your favorite song when you were in high school (just don't tell anyone else, and avoid anything that appears on your social media).
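To make the length argument concrete, here is an added example (not part of the original article) that compares the guessing space of a random character-class password with that of a random multi-word passphrase, and generates a passphrase with a cryptographically secure random source. The wordlist, the 10 billion guesses-per-second attack rate and the 7,776-entry size used for a "real" wordlist are assumptions for illustration; the small embedded wordlist is constructed for the example and is far too short for real use.

```python
import math
import secrets

# Assumed offline attack rate against a fast, unsalted hash (illustration only).
GUESSES_PER_SECOND = 1e10

# Printable ASCII character classes and their sizes.
CHARSET_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

# Constructed sample wordlist (real lists such as diceware-style lists have 7,776 words).
WORDLIST = [
    "acorn", "bridge", "canyon", "dolphin", "ember", "falcon", "garden", "harbor",
    "island", "jungle", "kettle", "lantern", "meadow", "needle", "orchard", "pebble",
    "quartz", "river", "saddle", "timber", "umbrella", "valley", "walnut", "yarrow",
    "zipper", "anchor", "basket", "cobalt", "desert", "engine", "forest", "glacier",
]
REAL_WORDLIST_SIZE = 7776  # assumed size of a proper passphrase wordlist


def password_entropy_bits(length, classes=("lower", "upper", "digit", "symbol")):
    """Entropy (bits) of a uniformly random password of `length` characters
    drawn from the union of the given character classes."""
    pool = sum(CHARSET_SIZES[c] for c in classes)
    return length * math.log2(pool)


def passphrase_entropy_bits(word_count, wordlist_size=REAL_WORDLIST_SIZE):
    """Entropy (bits) of `word_count` words chosen uniformly from a wordlist.
    Entropy comes from the number of equally likely choices, not from the
    character length, so a passphrase built from personal facts an attacker
    can look up has far less entropy than this model suggests."""
    return word_count * math.log2(wordlist_size)


def years_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Years needed to try every candidate at `rate` guesses per second."""
    seconds_per_year = 365.25 * 24 * 3600
    return (2.0 ** bits) / rate / seconds_per_year


def generate_passphrase(word_count, wordlist=WORDLIST, sep="-"):
    """Build a passphrase from `word_count` words chosen with the `secrets`
    module (CSPRNG), never with `random`, which is predictable."""
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


def compare(password_length, word_count):
    """Return (password_bits, passphrase_bits) for a side-by-side comparison."""
    return password_entropy_bits(password_length), passphrase_entropy_bits(word_count)


if __name__ == "__main__":
    for pw_len, words in ((8, 4), (12, 6), (16, 8)):
        pw_bits, pp_bits = compare(pw_len, words)
        print(f"{pw_len}-char random password: {pw_bits:5.1f} bits, "
              f"{years_to_exhaust(pw_bits):.2e} years to exhaust")
        print(f"{words}-word random passphrase: {pp_bits:5.1f} bits, "
              f"{years_to_exhaust(pp_bits):.2e} years to exhaust")
    print("example passphrase:", generate_passphrase(5))
```

The numbers show why length matters: a random 8-character password using all four character classes (about 52.6 bits) is roughly equivalent to four random words from a 7,776-word list (about 51.7 bits), but adding a fifth word pushes the passphrase past 64 bits while staying far easier to remember than nine random symbols. The model assumes words chosen uniformly at random; a passphrase built from your street names or a song lyric is easier to remember but also easier to guess for anyone who knows you, so lean toward more words rather than fewer.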

Passphrases are easier to remember and longer than most passwords, which makes them harder to guess. You do not necessarily have to replace every password with a passphrase, but you certainly should for your main email account (which can reset almost everything else), your bank and your other financial institutions. Even then, remembering a unique one for every site can be daunting. That is why using a password manager is an important piece of personal cybersecurity.

A password manager is a software package that stores your passwords in an encrypted vault file, with the encryption key derived from your master passphrase. This means that even if an attacker copies your vault file, they cannot read it without first guessing the master passphrase, which is exactly why that one passphrase must be long and unique. The password manager can randomly generate a different password for each login you have, so there is no need to memorize, write down or store passwords in an unencrypted file. Most password managers also have a built-in security scorecard that flags passwords reused across more than one site and guides you to change them.

So, you set a hard-to-guess passphrase for the password manager, and that is the only password or passphrase you have to remember. The password manager will then fill in your login on most sites automatically, eliminating the need to type passwords over and over. That also reduces the chance that a shoulder-surfing criminal, or a camera with a view of your keyboard, captures a password as you type it, which is a common tactic in public places such as restaurants and airports. Many password managers will only fill a password on the site it was saved for, which offers some protection against look-alike phishing pages. There are many password managers available, and many anti-virus companies provide one as well.

While cybersecurity professionals are working hard to keep you safe, you must help us by protecting yourself. An easy place to start is by following the tips above. Next week, we will discuss Virtual Private Networks.