Passwords are so last year… Use “passphrases” instead
By Stephanie Hopper, Information Security Engineer
Passwords are something you use every day, from accessing your email and banking online to purchasing goods or accessing your smartphone. However, passwords also make you vulnerable. They are your weakest security element. If someone learns your password, they can steal your identity, transfer your money, or access your personal information. Strong passwords are essential to protecting yourself. Instead of thinking about them as passwords, we should be thinking of phrases – passphrases.
What is a Passphrase?
Passphrases are simple phrases or sentences that are easy to remember, but hard to hack. Here is an example:
Where is my Mind?
This passphrase is strong because it is 17 characters long and uses upper and lower case letters as well as symbols (spaces are nothing more than symbols). You can make your passphrase even stronger if you replace letters with numbers or symbols, such as replacing the letter “I” with the “!” symbol, the letter “o” with the number zero, or the letter “a” with an “@.” If a website or program limits the number of characters you can use in a password, use the maximum number of characters allowed.
Using Passphrases Securely:
Be careful how you use passphrases. Using a passphrase won’t help if criminals can easily steal or copy the phrase.
- Be sure to use a different passphrase for every account or device you have. For example, never use the same passphrase for your work or bank account that you use for your personal accounts, such as Facebook, YouTube or Twitter. This way, if one of your accounts is hacked, the other accounts are still safe. If you have too many passphrases to remember, which is very common, consider using a password manager or a “password safe.” This is a special program that securely stores all of your passwords or passphrases. That way, the only passphrases you need to remember are the ones to your computer or mobile device and the password manager program. Additionally, many password safe applications automatically encrypt your information.
- Never share a passphrase or your strategy for creating them with anyone else. Remember, passwords and passphrases are secrets and should be regarded as highly confidential. If anyone else knows your passphrase, it is no longer secure. If you accidentally share your passphrase with someone else or believe it may have been compromised or stolen, be sure to change it immediately.
- Just like passwords, avoid easy-to-guess or commonly used passphrases. For example, the phrase, “four score and seven years ago,” is not a good passphrase, since it is so well known.
- Do not use public computers, such as those at hotels or libraries, to log in to a work or bank account. Since anyone can use these computers, they may be infected with malicious code that captures all of your keystrokes. Only log in to your work or bank accounts on trusted computers or mobile devices.
- Be careful of websites that require you to answer personal questions. These questions are used if you forget your passphrase and need to reset it. The problem is that the answers to these questions can often be found on the Internet, or even on your Facebook page. If you answer personal questions, make sure you only use information that is not publicly available. Alternatively, you can use fictitious information you have created. Password managers can help with this, as many allow you to store this additional information.
- Many online accounts offer two-factor authentication – also known as two-step verification. This requires more than just your passphrase to log in, such as a six-digit number sent to your smartphone. This option is much more secure than a passphrase by itself. Whenever possible, use these stronger methods of authentication.
- Mobile devices often require a personal identification number (PIN) to protect access. Remember, a PIN is nothing more than another password. Longer PINs are more secure. Many mobile devices allow you to change your PIN to an actual passphrase.
- Finally, if you are no longer using an account, be sure to close, delete, or disable the account.
Using passphrases is one of the most effective steps you can take to protect your identity and information.