Let’s face it – passwords can be a pain. Complex and unique options are hard to remember, but reusing the same password across multiple accounts is even worse. The solution? Think less of random strings of characters and more of whole words or phrases.
We all know why passwords are so important. According to Verizon, 83% of initial attack access is gained through stolen credentials. There are some obvious rules to protect yourself, such as the need to avoid ‘keyboard walks’ (like ‘qwerty’ or ‘12345’), a significant date, or even a favorite sports team or loved one’s name.
These are major red flags because they’re relatively easy to guess. So, is making passwords more complex the answer?
Hard to remember
You might think strength lies in a seemingly random collection of letters (some of them capitalized), numbers, and special characters. The problem is that such passwords aren’t as random as you might think. User behavior is driving a convergence in passwords, rather than a divergence: they’re becoming more similar, thanks to the same old patterns cropping up repeatedly.
Why does this happen? Because these complex passwords are difficult for people to remember, they’ve come up with ways to cope with security demands, often by defaulting to the same, familiar patterns. For example:
- A common dictionary word or keyboard walks as the root phrase
- Capitalized first letters
- Number(s) and a special character at the end
- Common character substitutions (for example, @ for a, or 0 for o)
According to this approach, the word ‘complicated’ could be rendered as ‘Complic@ted1!’. That might pass muster in most organizations, meeting default Active Directory password policies.
However, attackers are very familiar with these strategies, which are easy for computer software to guess. Criminals use their knowledge to their advantage, optimizing their brute-force and hybrid dictionary attacks.
Strength in length
It’s easy to see why users could be tempted to use the same password for multiple accounts. Bitwarden found 68% of internet users manage passwords for over 10 websites – and 84% of these people admit to password reuse. This greatly increases the likelihood of a password becoming compromised.
One simple way to strengthen all the passwords in your active directory is to make them longer, rendering them harder to crack through brute force and hybrid dictionary attacks.
This can be effective – in many ways, the longer the password, the stronger the password. However, we’re once more faced with the complexity problem. Long strings of random characters are very difficult for end users to remember, potentially putting us back to square one.
The solution is to design long passwords that you’ll actually remember. That’s where passphrases come in. Let’s look at an example: below we have two potential passwords, one just eight characters in length, the other almost three times bigger, at 21 characters.
Fridge-Elephant-Phone
84”fhg#l
Isn’t the second password more secure because it’s more complex? Not necessarily.
The first example has length on its side. Perhaps more importantly, which of the two are you actually going to remember?
For most users, it’ll be the longer phrase.
The US authorities have recognized the benefits of passphrases. The FBI points to guidance from the National Institute of Standards and Technology (NIST) advising that password length is more important than complexity. “Instead of using short complex passwords, use passphrases that combine multiple words and are longer than 15 characters … Strong passphrases can also help protect against personal data breaches,” notes the FBI.
Top tips for a strong passphrase
The move from passwords to passphrases may seem daunting, but some simple approaches can help. For instance, the UK’s National Cyber Security Centre recommends combining three random words, while the Canadian Centre for Cyber Security says a passphrase should be at least four words and 15 characters in length.
Random word generators can be helpful, while you could even suggest that end users deliberately misspell one of the words – as long as it’s still memorable. Here are some tips for creating good passphrases:
- Be unpredictable: Randomness is key with passphrases. You don’t want to pick three connected words, such as ‘Michael-Jordan-Basketball’. The same goes for words or phrases connected to your specific organization or industry – which is why with Specops Password Policy, you can add custom dictionaries of blocked words to your Active Directory.
- Never reuse: This might seem obvious, but it’s a difficult habit to stamp out. With a tool like Specops Password Policy, you can continuously scan your Active Directory for compromised passphrases.
- Enable MFA: Multiple layers of authentication are essential to boost your security, perhaps involving a passphrase, a one-time code and a biometric measure, like a facial scan. Of course, it isn’t infallible, but it does make life that much harder for hackers.
Improve security and user experience
Part of the problem is the sheer inconvenience involved with developing secure passwords. That’s why Specops Password Policy is simple from an admin point of view: you can choose whether to support longer passphrases or simply retain more traditional passwords and decide how to present information to the end user.
It’s also crucial to develop a smooth and straightforward user experience. The Specops Authentication Client offers dynamic feedback, including real-time insights to help users meet the new policy. You can also offer length-based ageing, which ‘rewards’ users by providing them with more time between resets when they choose a longer password.
If you’re interested in making the move from passwords to passphrases with minimal hassle, speak to an expert today to learn how Specops Password Policy could fit in with your organization.
Sponsored and written by Specops Software.
Comments
johnlsenchak - 5 days ago
The biggest problem with using "Fridge-Elephant-Phone" and "84”fhg#l " is that a lot of websites will not accept those special charters
I prefer to use base 64 to encode words and charters and then use the results as a password You get some seriously good password randomness that's hard to crack
Example starting with #password# gets you "I3Bhc3N3b3JkIyA" as a password . I dropped the "=" at the end