[Reading Time – 1 Minute 44 Seconds]
When I speak to users about passwords I will give my three password principles towards the end.
Any password that is easy to remember is a weak password. This is tongue-in-cheek but it is to remind everyone long passwords are more important that complex passwords and that our brains simply can’t remember long passwords.
A weak password is one that is repeatedly used. Stolen password digests are regularly cracked and posted online for attackers to use as a starting point to crack new passwords. One website boasts that it has more than 1.6 billion cracked passwords available for download. Because users often use the same password on multiple sites, attackers routinely use these stolen login passwords to determine if the password they are trying crack has been cracked before. It is very common.
For password management, technology must be used instead of our brain. Because attackers use technology for cracking passwords, technology must also be used to protect them. To store and retrieve your passwords, you can use a password manager.
Invariably, however, after I’ve finished speaking, someone will approach me and tell me that they use long passphrases as a password. These are simple to remember, so they don’t need to use a password manager. These passphrases are often the words to their favorite song, or a famous line from an old book or poem.
Is it safer to use a passphrase than a password?
Here’s why.
Passphrases are a common target for hackers. They can now use stolen passwords to check if your password matches, and they also use large repositories full of known titles and phrases to quickly find a match to crack your password. What are some of these repositories, you ask? Here’s a small selection:
15,000 Useful phrases
Movie titles and famous movie lines
Song lyrics
Titles from more than 300,000 books
Titles of Wikipedia articles
These are words from the 2016 US presidential debates
250,000 women’s names
So, if you use a passphrase that includes music lyrics (“If_we_weren’t_all_crazy_we_would_go_insane”), movie lines (“May_the_Force_be_with_you”), or words from a famous saying (“Abandon_all_hope_ye_who_enter_here”) then your passphrase can easily be broken.
Passwords should be unique and long. Use the built-in password generator of the password manager to create long, complex passwords that are unique for each account.
Anything less will make it impossible to crack your password. It will.