On password security: Forget passwords, remember passphrases!


Every new online account is another Jenga block added to the increasingly wobbly structure of our internet personas. Credentials are being leaked left and right, mostly through no fault of our own. The least we can do is ramp up our password safety so our private codes aren’t crackable in a matter of seconds.

We won’t bore you with incomprehensible numbers. Not yet, at least – you’ll find those further down the page.

Let’s get right into it – here’s how to make a secure password

It’s simple. If you aren’t using a password manager, a good password is:

  1. Difficult to guess
  2. Easy to remember

But, in order to achieve both of these goals, you don’t actually need a password – you need a passphrase.

A passphrase is simply four or five random words strung together. “Correct horse battery staple” is an example made famous by Randall Munroe, creator of the cult xkcd webcomic.

The best arguments in favor of passphrases become clear when we examine the arguments against passwords.

Why passwords are bad

You’ll find lists of password-safety dos and don’ts all over the internet, and they all say pretty much the same thing.

  • A strong password is 10-12 characters long and contains alphanumeric characters and special symbols in mixed case.

The less a password resembles a real word, the stronger it is. Password strength also rises with the number and diversity of characters.

But how secure is my password, really?

The problem with passwords is – the harder they are to guess, the harder they are to remember. The average person has to put in considerable effort to memorize a string of ten completely random characters.

This results in people becoming lazy, creating passwords that are too short and simple, based on real words. They rarely change their passwords and reuse the same ones over and over again.

Why passphrases are better

A strong passphrase circumvents most of these issues, while retaining the same, or higher, degree of safety.

Randomly selecting four or five words from a dictionary yields a 25-character barrier between the attacker and the information you want to keep private. Finding a way to remember four words, no matter how disparate in meaning, is much easier than remembering a random string of characters.

If we just add a couple of numbers in between the words, the passphrase checks all of the security boxes.

But how is password security determined?

Password entropy – a measure of randomness

The strength measurement is called password entropy, expressed in bits. It is the base-2 logarithm of the number of attempts it would take to crack the password. What?

Imagine creating a password by flipping a coin four times – you type H when it lands on heads and T when it lands on tails. An example would be HTHH.

You could generate 16 different passwords this way, or 2 to the power of 4. We would then say this password has four entropy bits (provided that the hacker knows that there are only two symbols available – H and T). It would take a computer a third of a tenth of a blink of an eye to try all of the possible combinations.

Thus, a password with 60 entropy bits would have 1,152,921,504,606,846,976 possible combinations that a brute-force attack would have to try. That is considered safe.

But, unfortunately, attackers don’t just jump straight into brute-force attacks, trying all possible combinations.

Dictionary attacks

A dictionary attack narrows password-cracking attempts down to a list of common language words and their permutations.

Dictionary attacks are the reason why lazy passwords, no matter how cleverly hidden the meaning behind them is, are not safe from attacks. Your grandparents aren’t much safer if you set their password to “Gr4n6mA5_wh1E-Fy” instead of “grandmaswifi.”

The attackers first go through a list of common passwords. Here’s a list of the top ten most used passwords:

  1. 123456
  2. 123456789
  3. qwerty
  4. password
  5. 111111
  6. 12345678
  7. abc123
  8. 1234567
  9. password1
  10. 12345

Hackers have databases of thousands of commonly used passwords that they plug in first. If that fails, they try a dictionary attack.

After that, they pretty much have no choice but to go brute force, trying every possible combination. The more characters, character types and cases your password has, the more entropy bits it has, and the harder it is to crack.
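As an added illustration (this is example code written for this page, not part of the original article), here is a defender-side strength check that models the first two cracking stages described above: it looks a candidate up in a common-password list, then undoes the usual digit-for-letter substitutions and strips digits before checking it against a dictionary. The word lists are small constructed samples and the substitution map is an assumption covering only the most common swaps; real cracking rule sets are far larger, so passing this check is necessary, not sufficient.

```python
import re
from typing import Optional

# Constructed sample lists. A real deployment would load a large breached-password
# list and a full dictionary; both are stand-ins here, not data from the article.
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "password", "111111",
    "12345678", "abc123", "1234567", "password1", "12345",
}
DICTIONARY = {"password", "grandma", "wifi", "welcome", "dragon", "monkey"}

# Assumed subset of common "leet" substitutions that cracking rules undo automatically.
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "0": "o",
                      "5": "s", "$": "s", "7": "t", "8": "b"})


def normalized_forms(candidate: str):
    """Yield the base strings a dictionary attack would effectively test:
    the candidate with non-letters dropped, and with leet substitutions undone first."""
    lowered = candidate.lower()
    yield re.sub(r"[^a-z]", "", lowered)                  # e.g. "dragon2024" -> "dragon"
    yield re.sub(r"[^a-z]", "", lowered.translate(LEET))  # e.g. "P4ssw0rd" -> "password"


def weakness(candidate: str) -> Optional[str]:
    """Return the reason a candidate is weak, or None if it survives these two checks.
    Surviving them does not make a password strong; it only means the cheapest
    attack stages (common list, mangled dictionary words) do not catch it."""
    if candidate in COMMON_PASSWORDS:
        return "common password"
    for base in normalized_forms(candidate):
        if base in DICTIONARY:
            return f"dictionary word '{base}' after undoing mangling"
    return None


if __name__ == "__main__":
    for pw in ["123456", "P4ssw0rd", "dragon2024", "Gr@ndm@", "correct horse battery staple"]:
        print(f"{pw!r}: {weakness(pw) or 'not caught by these checks'}")
```

Note that a four-word passphrase survives both stages not because it contains no dictionary words, but because the attacker would have to try combinations of words, which is the brute-force stage the next section quantifies.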

Passphrases are the way to go – entropy and memorability!

A four-to-five word passphrase is already enough to avoid the common-password and dictionary attacks.

A five-word passphrase that only uses lower case letters will reach around 85 bits of entropy. Just plop in a number and a random capital letter and you’ll be set. Spaces between the words also add to the entropy, but not as much as special characters.

A good strategy to use when choosing a passphrase is the diceware method – roll a six-sided die and use a word list to randomly generate phrases.
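To make the entropy arithmetic from the earlier section and the diceware procedure concrete, here is an added example (written for this page, not code from the article or from the Diceware project). It computes entropy bits as length times log2 of the alphabet size, which reproduces the coin-flip and 60-bit figures above, maps a five-roll dice key to an index in a full 7776-word list, and draws words with the `secrets` module so the choice is uniform and cryptographically random. The word list below is a constructed stand-in; the 130,000-word figure used to reach roughly 85 bits is an assumed list size, not a number from the article.

```python
import math
import secrets

# Constructed demo word list. A real Diceware list has 6**5 = 7776 words, one for
# every five-roll key from "11111" to "66666"; this short list only illustrates the flow.
DEMO_WORDS = ["correct", "horse", "battery", "staple", "apple", "river",
              "candle", "orbit", "fabric", "meadow", "pixel", "tundra"]
DICEWARE_LIST_SIZE = 6 ** 5  # 7776


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret made of `length` independent uniform picks from `alphabet_size`
    symbols: log2 of the number of equally likely candidates an attacker must try.
    Four coin flips -> 4.0 bits; 2**60 candidates -> 60 bits; five diceware words -> ~64.6 bits."""
    return length * math.log2(alphabet_size)


def roll_dice_key(rolls: int = 5) -> str:
    """Roll a six-sided die `rolls` times with a cryptographic RNG, e.g. '31415'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(rolls))


def key_to_index(key: str) -> int:
    """Map a five-digit dice key (digits 1-6) to an index 0..7775 into a full diceware list."""
    index = 0
    for digit in key:
        if digit not in "123456":
            raise ValueError(f"invalid die face {digit!r}")
        index = index * 6 + (int(digit) - 1)
    return index


def generate_passphrase(wordlist, n_words: int = 5, separator: str = " ") -> str:
    """Pick `n_words` uniformly at random from `wordlist` using secrets.choice, which is the
    software equivalent of rolling dice; works for any list size without selection bias."""
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    key = roll_dice_key()
    print(f"dice key {key} -> list index {key_to_index(key)}")
    print(f"demo passphrase: {generate_passphrase(DEMO_WORDS)!r}")
    print(f"4 coin flips: {entropy_bits(2, 4):.1f} bits")
    print(f"5 words from 7776: {entropy_bits(DICEWARE_LIST_SIZE, 5):.1f} bits")
    # Assumed list size that gives the ~85-bit figure for five lower-case words.
    print(f"5 words from 130000: {entropy_bits(130_000, 5):.1f} bits")
```

The key point the numbers make: with a 7776-word list each word is worth about 12.9 bits, so the article's four-to-five words land in the 52-65 bit range, and the entropy comes entirely from the random selection, not from how unusual the words look.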

Further steps – password managers and two factor authentication

There are more measures you can take, if you truly care about your online safety.

For starters, you shouldn’t use the same passphrase on any two accounts. But, even if you use a mnemonic device to help you remember them, keeping tabs on dozens of accounts can be a formidable task.

Luckily, there are plenty of free password manager software options on the market.

A password manager literally does all the work for you. Just set a master passphrase in the program and let it create and store passwords, as well as automatically fill out any authentication forms you encounter.

Just be sure to think of a good master passphrase – if that one falls, your entire operation is in jeopardy!

Next, each and every time you are given the chance to use two-factor authentication (2FA), take it.

2FA adds another token of authentication to the process, usually a one-time code from an authenticator app (enrolled by scanning a QR code) or an SMS message. Check your mobile app store for some free options.

The bottom line

The outcome of the battle for privacy on the web looks bleak for us regular folk. The depth of influence that data collectors have at their disposal is immense. At the same time, malicious agents are constantly trying to steal the information we have published hoping it would stay protected.

Being mindful about password security is the first step and the least you can do to bolster your online defenses. Keep your password safe. Don’t use the same passphrase on several accounts. Be careful of where and how you input your authentication credentials and payment information.

Most importantly, consider using a password manager.