Passphrases Are the New Passwords

Password recommendations have been pretty standard for a long time. But the most recent findings from the US National Institute of Standards and Technology (NIST) show that it may be time to re-think. Passphrases are the new passwords!

Time for a pop quiz. Is the following statement true or false?

It is best for businesses to require that employees create long, random passwords that include mixed-case letters, numbers, and symbols.

For a long time, the prevailing belief was that this statement was true, so many companies included composition rules in their password policies. However, the US National Institute of Standards and Technology (NIST) now believes these rules are hurting rather than helping businesses.

In a perfect world, employees follow their companies’ password policies and create long, random passwords that include mixed-case letters, numbers, and symbols. While it is thought that longer passwords are strong and thus much harder to hack, they are also much harder to create and remember, especially if employees are required to change their passwords frequently. As a result, in the real world, employees tend to create shorter passwords and often use tricks such as letter substitution. For example, they might use a zero for the letter “o” and an @ sign for the letter “a” to create passwords such as “MyP@ssw0rd1”. Cybercriminals know these tricks, so passwords like “MyP@ssw0rd1” are far from strong, even though they contain mixed-case letters, symbols, and numbers. Hey, I followed the rules, right?

Because of these issues, NIST now recommends that organizations follow a different policy, one that includes using passphrases, eliminating periodic password changes, and validating passphrases.

NIST Recommendation on Passphrases

NIST recommends using “memorized secrets” — passphrases that are simple, long, and easy to remember.

  • When creating memorized secrets, people do not have to follow any composition rules.
  • They can use any characters they want (including spaces), as long as the passphrases are very long.
  • Passphrases without special characters are much easier to remember.
  • Avoid creating a memorized secret consisting of family members’ names or other personal information.
  • Example of a passphrase: potbellied kitty hearts rule

As a manager, it is important to keep in mind how many passphrases employees will need to remember. You want to avoid a situation where employees start writing down multiple passphrases in order to remember them. A better option would be to provide a password manager app. Employees could create and use a passphrase to access the password manager.
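Here is an added example, not from the original post or from NIST, of what a passphrase check built on these recommendations looks like in code: no composition rules at all, a length window, a check against a list of commonly used or breached passwords (the “validating passphrases” step, which NIST SP 800-63B describes as a blocklist comparison), and a check for personal information such as family names. The 8-character minimum, 64-character maximum, the letter-substitution map, and the blocklist contents are all assumptions constructed for the example.

```python
# Assumed policy parameters (not from the post): NIST SP 800-63B asks for a
# minimum of 8 characters and for at least 64 to be accepted.
MIN_LEN = 8
MAX_LEN = 64

# Constructed sample blocklist. A real deployment would load a large list of
# commonly used and breached passwords instead of these few entries.
BLOCKLIST = {"password", "password1", "mypassword", "letmein", "qwerty", "123456"}

# Undo the substitution tricks the post describes (zero for "o", @ for "a", ...)
# so "MyP@ssw0rd1" is compared as the weak "mypassword" it really is.
LEET_MAP = str.maketrans({"@": "a", "0": "o", "$": "s", "3": "e", "!": "i"})


def normalize(secret: str) -> str:
    """Lowercase and reverse common letter substitutions before comparing."""
    return secret.lower().translate(LEET_MAP)


def check_memorized_secret(secret: str, personal_terms=(), min_len=MIN_LEN, max_len=MAX_LEN):
    """Return the list of reasons a memorized secret is rejected.

    An empty list means the secret is accepted. Deliberately imposes no
    composition rules: spaces, plain words, and the absence of digits or
    symbols are all fine, exactly as the NIST recommendation allows.
    """
    problems = []
    # len() counts characters, so non-ASCII and spaces count like any other.
    if len(secret) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(secret) > max_len:
        problems.append(f"longer than {max_len} characters")

    norm = normalize(secret)
    # Also test the value with trailing digits removed, catching "password1"-style variants.
    candidates = {norm, norm.rstrip("0123456789")}
    if candidates & BLOCKLIST:
        problems.append("matches a commonly used or breached password")

    # personal_terms is the caller's list of names or other personal info to forbid.
    for term in personal_terms:
        t = normalize(term)
        if len(t) >= 3 and t in norm:
            problems.append(f"contains personal information ({term})")
    return problems
```

The post's own examples behave as it predicts: “potbellied kitty hearts rule” is accepted, while the rule-compliant “MyP@ssw0rd1” is rejected once the substitutions are undone.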

Eliminate Periodic Password Changes

NIST recommends that the practice of requiring employees to change their passwords periodically (e.g., every 90 days) be eliminated. Here’s why: An expired password usually does not motivate people to create a brand new strong password, according to Grassi. Instead, it motivates them to change a few characters in the old password or follow the next logical progression in a password system they developed (e.g., add the next sequential number). Frequent password changes can also push people into reusing another account’s password so that they have one less password to remember. All of these actions can result in weak passwords. Admit it – how many of you have done this very thing when forced to change your password every 90 days?

The bottom line is that memorized secrets or passphrases should not have an expiration date. The only time a passphrase needs to be changed is if it has been compromised or an employee requests a change.

Not Sold on the Passphrase Recommendation? There Are Other Options

NIST’s recommendations represent a significant divergence from current password practices. If you are not sold on the proposed changes, there are other ways to mitigate the risks brought about by weak passwords. For example, you might consider using two-step verification. NoWorriesIT can go over all your options and help you implement the solution you feel is best for your business. Call us at 410-751-7650 for a complimentary IT Review to discuss your tech concerns.

About The Author

Jean Burgess, Marketing Manager

Jean Burgess is Marketing Manager for NoWorriesIT, where she is continually surrounded by techno-speak and computer gear throughout the day. From Jean's desire to understand this alien world of Cloud Computing, Remote Monitoring and Management, Data Backup and Disaster Recovery, and Network Security sprang this blog -Thoughts From A Wannabe Techno Geek. Her goal: to be a liaison between the knowledgeable NoWorriesIT system engineers and the small business reader in an entertaining and informative manner.