Passwords and Passphrases, Your Most Common Security Measure

The first and most common piece of security everyone is aware of and uses is a password, or hopefully a passphrase. Today I will outline the differences between the two, along with some guidelines and suggestions. In part 2 of my coverage of passwords I will go into more detail about things to look out for when creating and using them.

About passwords and passphrases

Passwords are short sequences of letters, numbers, and symbols that you enter to verify your identity to a system, which then allows you access to secure data or other resources.

Passphrases operate on the same principle as passwords, and are used in exactly the same way. However, they differ from traditional passwords in two aspects:

  • Passphrases are generally longer than passwords. While passwords can frequently be as short as six or even four characters, passphrases have larger minimum lengths and, in practice, a typical passphrase might be 20 or 30 characters long or longer. This greater length provides stronger security; it is far more difficult for a cracker to break a 25-character passphrase than an eight-character password.
  • The rules for valid passphrases differ from those for passwords. Systems that use shorter passwords often disallow actual words or names, which are notoriously insecure; instead, your password is usually an apparently random sequence of characters. The greater length of passphrases, by contrast, allows you to create an easily memorable phrase rather than a cryptic series of letters, numbers, and symbols.

What makes a password or passphrase strong?

A strong password:
  • Is at least eight characters long.
  • Does not contain your user name, real name, or company name.
  • Does not contain a complete word.
  • Is significantly different from previous passwords.

A strong passphrase:
  • Is 20 to 30 characters long.
  • Is a series of words that create a phrase.
  • Does not contain common phrases found in literature or music.
  • Does not contain words found in the dictionary.
  • Does not contain your user name, real name, or company name.
  • Is significantly different from previous passwords or passphrases.

Strong passwords and passphrases contain characters from each of the following four categories:

  • Uppercase letters: A, B, C
  • Lowercase letters: a, b, c
  • Numbers: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
  • Symbols found on the keyboard (all keyboard characters not defined as letters or numerals) and spaces: ` ~ ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ | : ; " ' < > , . ? /

A password or passphrase might meet all the criteria above and still be weak. For example, Hello2U! meets all the criteria for a strong password listed above, but is still weak because it contains a complete word. H3ll0 2 U! is a stronger alternative because it replaces some of the letters in the complete word with numbers and also includes spaces.
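To make the rules above concrete, here is an added example checker (my code, not part of the original post) that applies the post's criteria to a candidate string and also reports a brute-force search-space estimate based on length and the character categories in use. It shows why Hello2U! satisfies the four-category test yet still fails the "no complete word" rule, while H3ll0 2 U! passes. The DICTIONARY and COMMON_PHRASES sets are constructed stand-ins for a real wordlist, the identity values are constructed samples, and treating anything of 20 or more characters as a passphrase (with no upper cap) is my assumption.

```python
import math
import re
import string
from difflib import SequenceMatcher

# Constructed stand-in for a real dictionary file (assumption: a real
# deployment would load a full wordlist such as /usr/share/dict/words).
DICTIONARY = {"hello", "password", "welcome", "love", "play", "badminton",
              "birthday", "december", "summer"}
# Constructed stand-in for a list of well-known quotes, titles and lyrics.
COMMON_PHRASES = {"to be or not to be", "may the force be with you"}

# The four character categories from the post; space counts as a symbol.
CATEGORIES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digits": set(string.digits),
    "symbols": set(string.punctuation) | {" "},
}

PASSWORD_MIN = 8     # post: a strong password is at least eight characters
PASSPHRASE_MIN = 20  # post: a strong passphrase is 20 to 30 characters
                     # (assumption: no upper cap is enforced here)


def categories_present(secret):
    """Names of the categories that occur at least once in secret."""
    return {name for name, chars in CATEGORIES.items()
            if any(c in chars for c in secret)}


def search_space_bits(secret):
    """log2 of the brute-force search space implied by length and categories.

    This is an upper bound: it assumes every character was chosen uniformly,
    which is exactly what a dictionary word breaks. That is why the rule
    checks below still matter even when this number looks high.
    """
    alphabet = sum(len(CATEGORIES[n]) for n in categories_present(secret))
    return 0.0 if alphabet == 0 else len(secret) * math.log2(alphabet)


def dictionary_words_in(secret, min_len=4):
    """Maximal alphabetic runs of min_len+ letters that are dictionary words."""
    runs = re.findall(r"[A-Za-z]{%d,}" % min_len, secret)
    return [w for w in runs if w.lower() in DICTIONARY]


def too_similar(secret, previous, threshold=0.7):
    """True if secret shares most of its characters and order with an old one."""
    return any(SequenceMatcher(None, secret.lower(), p.lower()).ratio() >= threshold
               for p in previous)


def evaluate(secret, identity=(), previous=()):
    """Apply the post's rules and return the sorted list of rules that fail.

    identity: user name, real name and company name strings to screen for.
    previous: earlier passwords/passphrases the new secret must differ from.
    An empty list means every listed rule passed, which (as the post notes)
    is necessary but not sufficient for strength.
    """
    failures = []
    is_passphrase = len(secret) >= PASSPHRASE_MIN  # assumption, see above
    if not is_passphrase and len(secret) < PASSWORD_MIN:
        failures.append("too short for a password")
    lowered = secret.lower()
    if any(f and f.lower() in lowered for f in identity):
        failures.append("contains user/real/company name")
    if dictionary_words_in(secret):
        failures.append("contains a complete dictionary word")
    if any(p in lowered for p in COMMON_PHRASES):
        failures.append("is a common phrase from literature or music")
    if too_similar(secret, previous):
        failures.append("too similar to a previous password/passphrase")
    missing = set(CATEGORIES) - categories_present(secret)
    if missing:
        failures.append("missing character categories: " + ", ".join(sorted(missing)))
    return sorted(failures)


if __name__ == "__main__":
    # Constructed identity values for the demonstration run.
    who = ("jsmith", "John Smith", "Example Corp")
    for candidate in ("Hello2U!", "H3ll0 2 U!", "Mi$un's Brthd8iz 12124"):
        print(f"{candidate!r}: {search_space_bits(candidate):.1f} bits, "
              f"failures={evaluate(candidate, identity=who)}")
```

Running it reports roughly 52.6 bits for Hello2U! with one failure (the complete word "Hello"), and no failures for H3ll0 2 U! or the 22-character passphrase, whose estimated search space is far larger simply because of its length. The similarity check uses a ratio threshold of 0.7, which is my choice; adjust it to taste.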

Help yourself remember your strong password or passphrase by following these tips:

  • Create an acronym from an easy-to-remember piece of information. For example, pick a phrase that is meaningful to you, such as My son’s birthday is 12 December, 2004. Using that phrase as your guide, you might use Msbi12/Dec,4 for your password.
  • Substitute numbers, symbols, and misspellings for letters or words in an easy-to-remember phrase. For example, My son’s birthday is 12 December, 2004 could become Mi$un’s Brthd8iz 12124, which would make a good passphrase.
  • Relate your password or passphrase to a favorite hobby or sport. For example, I love to play badminton could become ILuv2PlayB@dm1nt()n.

If you feel you must write down your password or passphrase to remember it, make sure you don’t label it as such, and keep it in a safe place.

Guidelines for keeping your passwords and passphrases secure

  • Consider using a password or passphrase vault (a password manager).
  • Do not write your username and password or passphrase in the same place.
  • Never share your password or passphrase with anyone.
  • Never send anyone your password or passphrase via email, even if the message requesting your password seems official. A request for a password or passphrase is very likely a phishing scam.
  • Change your password or passphrase at least every six months.
  • Do not use the same password or passphrase over multiple services or web sites.
