We seem to be forever hearing about cyber breaches these days: millions of email addresses dumped here, thousands of individuals' personal records compromised there, and the list goes on.
Yet, despite the apparent sophistication of many of the cyber attacks reported by the media, a significant number of them succeed for a very simple reason: weak user passwords. We are constantly told to choose a 'secure' password and are handed a (somewhat extensive) list of requirements. The problem with this approach? Although the results are generally more secure than the likes of 'password', 'Titanic' or even 'Titanic12', we simply can't remember them.
As awareness of this area of cyber security increases, people are generally becoming more conscious of the importance of choosing stronger passwords. However, one thing that causes a lot of confusion is that different people give different advice. Consumers and businesses are left wondering who to believe and what the best approach is to choosing passwords that are both complex and memorable. What does constitute a 'secure' password?
Password vs passphrase
A passphrase is a short sentence made up of several words. By using a short sentence, you aren't forced to remember lower-case here, upper-case there, a digit substituted for a letter and so on. A passphrase is a token for keeping your sensitive information secure (at least to a point) that ticks two of the boxes for an ideal password: length and memorability. Each extra word multiplies the number of guesses an attacker has to make, so the search space grows exponentially with length, and recovering the plaintext from a stolen password hash (or guessing it against a login form) becomes vastly more time-consuming. The one caveat is that the words need to be unpredictable: a well-known quote or song lyric is already in every cracking dictionary, whereas a handful of unrelated words is not.
However, as effective as this is, it isn't completely foolproof, for two reasons: phrases still have to be remembered, and not all websites and apps support them. I've found it rather surprising how many of the websites I've penetration tested don't allow spaces in passwords. In those cases I've simply used hyphens or underscores as a substitute, which, although not recommended, is still an improvement over simple passwords.
Even if a website or app doesn't support spaces, and underscores or hyphens don't work for you, it is still perfectly acceptable to substitute another character in their place. You can even eliminate the separators completely, so long as your passphrase still consists of several words; the separator isn't what makes it strong, the number and unpredictability of the words is. Essentially, multiple words make a password far more difficult and time-consuming for cyber-crooks to crack.
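To put some numbers on the claim that length beats complexity, here is an added worked example (my own illustration, not code from the original article). It compares the search space an offline attacker faces for a 'policy-style' password such as Titanic12, a genuinely random nine-character password, and a passphrase of several words, then generates a passphrase with the operating system's CSRNG. The tiny word list, the 50,000-word attacker dictionary, the 7,776-word list size and the 10-billion-guesses-per-second rate are all assumptions chosen for illustration; the functions take them as parameters so you can plug in your own.

```python
"""Added worked example (not from the original article): compares the search
space an offline attacker faces for a policy-style password versus a multi-word
passphrase, and generates a passphrase with a CSPRNG. Word list, dictionary
sizes and guess rates below are assumptions chosen for illustration."""
import math
import secrets

# Constructed sample word list for the demo only. Real lists (e.g. the EFF long
# list) hold 7776 words; the entropy functions take the list size as a parameter
# so the arithmetic can reflect a realistic list rather than this toy one.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garden",
    "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nectar",
    "orchard", "pepper", "quartz", "ribbon", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zephyr", "marble", "copper", "thistle",
    "pebble", "wander", "silver", "compass",
]  # 32 words -> only 5 bits per word in this toy list


def charset_entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits for `length` characters chosen uniformly from an alphabet. This is
    what a 'complexity' policy assumes it gets; humans rarely deliver it."""
    return length * math.log2(alphabet_size)


def pattern_entropy_bits(dictionary_size: int, suffix_choices: int) -> float:
    """Bits for the common human pattern 'Dictionary word + short number', e.g.
    'Titanic12': the attacker tries words x suffixes, not every string."""
    return math.log2(dictionary_size) + math.log2(suffix_choices)


def wordlist_entropy_bits(n_words: int, list_size: int) -> float:
    """Bits for `n_words` chosen uniformly and independently from a list. The
    separator (space, hyphen, nothing) is assumed known and adds no entropy."""
    return n_words * math.log2(list_size)


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time for an offline brute force: on average half the keyspace."""
    return (2.0 ** entropy_bits) / 2.0 / guesses_per_second


def generate_passphrase(n_words: int, words: list, separator: str = " ") -> str:
    """Pick words with the OS CSPRNG (never random.choice for secrets)."""
    return separator.join(secrets.choice(words) for _ in range(n_words))


def fit_to_policy(passphrase: str, allow_spaces: bool, separator: str = "-") -> str:
    """Adapt a space-separated passphrase to a site that rejects spaces.
    Swapping the separator changes nothing about the search space."""
    return passphrase if allow_spaces else passphrase.replace(" ", separator)


def compare(guesses_per_second: float = 1e10) -> dict:
    """Scenarios at an assumed 10 billion guesses/s (GPU rig against a fast,
    unsalted hash). A slow salted hash would lengthen every row equally."""
    scenarios = {
        "Titanic12 (word + 2 digits, 50k-word dictionary)": pattern_entropy_bits(50_000, 100),
        "9 truly random alphanumerics": charset_entropy_bits(9, 62),
        "4 words from a 7776-word list": wordlist_entropy_bits(4, 7776),
        "6 words from a 7776-word list": wordlist_entropy_bits(6, 7776),
    }
    return {name: (bits, expected_crack_seconds(bits, guesses_per_second))
            for name, bits in scenarios.items()}


if __name__ == "__main__":
    for name, (bits, secs) in compare().items():
        print(f"{name:50s} {bits:5.1f} bits  ~{secs / 86400:.3g} days")
    phrase = generate_passphrase(5, SAMPLE_WORDS)
    print("demo passphrase:", phrase)
    print("no-spaces site :", fit_to_policy(phrase, allow_spaces=False))
```

Under these assumptions Titanic12 falls in well under a second (about 22 bits), four random words from a 7,776-word list take around two days (about 52 bits, comparable to nine truly random alphanumerics), and six words push the expected time into the hundreds of thousands of years. Note that the separator character contributes nothing: the strength comes from how many words there are and how unpredictably they were chosen.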
Many modern devices now offer biometric authentication, such as fingerprint readers and facial recognition, so on those devices you don't have to type any words or phrases at all (bear in mind that the biometric usually just unlocks a credential stored on the device, so a good passcode or password is still needed behind it). Since this technology isn't available everywhere, we have to make the best of what we have. For quite a number of online services, especially the 'big ones' such as Google and Facebook, two-factor authentication is now available.
This adds a further token, such as a one-time code texted to your phone, which you supply back to the service to prove you have access to that device. Codes from an authenticator app are stronger than SMS, which can be intercepted through SIM-swap fraud, but either is far better than a password alone. Even so, many people turn these features off because it's simply more convenient to log in without them. The thing to bear in mind is that there is always a balance between security and convenience, so where these options are available, do use them to better protect yourself.
Change up your passphrase
You should never use one passphrase for everything: if attackers retrieve credentials from one service, they will try the same email address and password combination against many other services (known as credential stuffing). Using a different passphrase for each site or service ensures that a breach at one website won't compromise your accounts elsewhere; a password manager makes this practical, since you then only need to remember the single passphrase that unlocks it.
The next time you find yourself having to choose a password for something, try creating a passphrase instead. Hopefully this will help stop you from becoming part of the next breach caused by weak passwords.