Replace your passwords with passphrases: Here's how to use them to remain secure

Instead of trying to remember a long and complex password, try switching to passphrases. Learn why they're important and how they work.


Passwords were invented in the mid 1960s at MIT, and more than half a century later, they have aged about as poorly as expected. Passwords remain a cumbersome bane of IT departments and users alike. It's frustrating having to remember or rotate them, and if they're too simple they put users and data at risk by being easily cracked or guessed. If they're too complex, there's a higher chance of users forgetting them, fat-fingering them too many times and locking out their accounts or—worst of all—writing them down somewhere and keeping them with the device being used.


Password complexity is a well-meaning requirement; it generally entails requiring passwords to be a specific length and contain three out of four elements:

  • lower case letters
  • UPPER CASE LETTERS
  • Numbers
  • Special characters such as !@#$%^&*()_+

As a result, you'll likely end up with something like this:

B@rlab$keg#1

That doesn't look very fun to type, much less remember.


Enter the passphrase, which can eliminate many of these headaches. A passphrase is a sentence rather than a collection of random characters or mutated words ("B@r" for "bar," for instance). It can be something like:

I love B0st0n in the Spring! (note use of zeroes in the word "Boston" to fulfill complexity requirements)

or

RedS0x_World_Series_Ch@mps_2018

However, you should be cautious about using passphrases based on commonly known things about you. The above ideas aren't ill-advised, but if your dog's name is Thunder, the passphrase "My dog's name is Thund3r" definitely would be.

Even better would be the use of a nonsensical word. As I gaze around my office I see an engraved bat from Cooperstown, NY, and a basket my wife uses to store stuff. So, I could create this passphrase:

There is a BatBasket 1n my @ffice

Then, when you envision your passphrase, a picture of a bat in a basket should come to mind, helping mnemonic retention.

You shouldn't have much trouble remembering passphrases, but another way to ensure you'll remember is to create a matrix with random words: 

  flow      there     denial    element    was
  Benign    takeaway  sch!sm    be         is
  turn      line      a         I          onsite
  bat       box       Indigo    c@nstruct  should
  integer   doctor    basket    tentpole   was
  Under     1n        side      shy        phoenix
  Much      meaning   detail    shed       my
  Roadway   tavern    bailout   @ffice     legwork

The passphrase is listed in this matrix; 2-5-3-1-3-2-5-4 is a key which represents the position of the proper word on each line. Print this matrix out, and you will never forget the passphrase.

Even better, IT departments that provision accounts or systems for new hires, reset passphrases, or configure replacement systems (operations which are often conducted remotely these days due to the pandemic, which has necessitated shipping equipment to offsite workers) can include this matrix and then separately text users the key to determine the passphrase.

This is admittedly a poor man's two-factor-authentication solution, but far preferable to sending passphrases directly through email, text, or instant messaging apps, all of which can be compromised, especially since users have a tendency not to delete such notifications.
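The matrix-and-key scheme described above, worked through in Python as an added example (not code from the original article); the function names and the `build_matrix` generator are assumptions made for illustration. It decodes the printed matrix with the key 2-5-3-1-3-2-5-4, builds a new matrix with randomly placed decoys, and counts what is left to guess for someone who holds the matrix but not the key: 5^8 = 390,625 word sequences for this one.

```python
import math
import secrets

# Added example; names below are illustrative, not from the article.
# Matrix and key as printed in the article (8 lines of 5 words).
MATRIX = [
    "flow there denial element was".split(),
    "Benign takeaway sch!sm be is".split(),
    "turn line a I onsite".split(),
    "bat box Indigo c@nstruct should".split(),
    "integer doctor basket tentpole was".split(),
    "Under 1n side shy phoenix".split(),
    "Much meaning detail shed my".split(),
    "Roadway tavern bailout @ffice legwork".split(),
]
KEY = "2-5-3-1-3-2-5-4"

def decode(matrix, key):
    """Pick the word at each 1-based key position, one per matrix line."""
    positions = [int(p) for p in key.split("-")]
    if len(positions) != len(matrix):
        raise ValueError("key needs exactly one position per matrix line")
    words = []
    for row, pos in zip(matrix, positions):
        if not 1 <= pos <= len(row):
            raise ValueError(f"position {pos} is outside a line of {len(row)} words")
        words.append(row[pos - 1])
    return words

def build_matrix(words, decoys, columns=5):
    """Hide each passphrase word at a random column among random decoys."""
    rng = secrets.SystemRandom()          # OS CSPRNG, not the `random` module
    pool = [d for d in decoys if d not in words]
    if len(pool) < len(words) * (columns - 1):
        raise ValueError("not enough decoy words")
    rng.shuffle(pool)
    matrix, key = [], []
    for word in words:
        row = [pool.pop() for _ in range(columns - 1)]
        pos = rng.randrange(columns)      # 0-based slot for the real word
        row.insert(pos, word)
        matrix.append(row)
        key.append(str(pos + 1))
    return matrix, "-".join(key)

def guesses_without_key(matrix):
    """Number of word sequences someone holding only the matrix must try."""
    return math.prod(len(row) for row in matrix)
```

The matrix yields the words in order; the capitalization and the joined "BatBasket" of the passphrase shown earlier are not in the matrix and still have to be remembered.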


Passphrases don't have to be mandated by your organization for you to take advantage of them; so long as there is no onerous maximum character limit for passwords, you can start using passphrases today. The passphrase I specified above is 33 characters including spaces, so even if there were a character limit of 20, you could still use "BatBasket 1n my y@rd," for instance.

Finally, you can also store passphrases in a password manager such as Password Safe or KeePass. I wrote an article a while back on how to properly use KeePass, and the same principles apply.
