Identity And Access Management
September 30, 2021
Are passphrases more secure than passwords?
The simple answer is yes, but let’s go into a little detail in this blog post and give you a full understanding of why it’s important to think more carefully about the way we use passwords.
Since the pandemic began, cyberattacks have skyrocketed, causing record numbers of breaches and a much-increased level of uncertainty among the general public, businesses, and IT and security professionals alike.
As an example of this, more data records were compromised in the first half of 2020 than in any other entire year.
Cybercriminals have been taking advantage of people’s fears and anxieties about the pandemic—and finding success more than ever.
You can use every solution in the world, and it still won’t matter if someone clicks enough times on the wrong kind of link.
The unfortunate reality is that human error plays a critical role in successful cyberattacks.
When cybercriminals perform attacks, they often send out thousands (often millions) of spam messages in an attempt to fool someone into following a malicious link.
All it takes for them to succeed is for one person to fall for their scam, which happens on an all-too regular basis.
Once something malicious has been clicked or downloaded, the hacker has any number of ways to breach that end user’s device—including tactics such as installing a keylogger to capture their password.
They can then access sensitive personal or business data by logging in at will and stealing information.
This is a common way organizations are breached and continues to be a major problem today.
But it’s not as simple as the employee being at fault.
For example, if their password is stolen, an organization that has implemented multifactor authentication (MFA) will find that the hacker—even with the password—can’t do anything with it, and so the breach is prevented.
In this way, it’s crucial not to play a blame game, but rather to do everything possible to give employees the best chance of not falling victim to attack—MFA is a common way of doing this.
Now to the question: are passphrases more secure than passwords?
Absolutely. Passphrases, a combination of several words to form one password, are far more complex and impenetrable than a simple password.
A substantial number of data breaches occur primarily because of a simple lack of strong passwords—often because the company policy doesn’t enforce strong credentials.
A passphrase, as we noted, has several words combined to make up a single password.
They are longer than typical passwords and because of this are far more complex and difficult to crack.
Passphrases are usually something the end user can easily remember, even if the words themselves make little sense.
It’s recommended when creating a passphrase not to use a common phrase. “mydogiscalledharry” would be an example of a poor passphrase—it may be determined from knowing the user and forms a complete sentence.
A better example would be a number of words that bear no relation to each other, but that the user is capable of remembering easily. An example of this would be something like “socrateslifestylecookiegrandson”.
It might seem like a bad idea to use random words for your passphrase, but in actual fact these types of passwords are far more secure than a simple word with a number or punctuation mark after it.
Simple passwords are not as secure today as they once were, and yet many people still use them, despite the risks of being breached.
91% of respondents understand the risks of using the same password across multiple accounts, but 59% do it anyway.
Nearly two-thirds of people use the same password for their accounts, most of which contain extremely sensitive data which is valuable to cybercriminals.
Simply adopting newer techniques like passphrases instead of one-word passwords is an easy way of heading off potential attacks.
When cybercriminals look to hack someone’s account, they don’t sit there typing in different combinations of a password, they get a computer algorithm to do it for them.
The algorithm will test tens of millions of combinations again and again until eventually the password is cracked.
The simpler the password, the quicker this process is.
This is referred to as a brute-force attack and is very common today.
With brute-force hacking, what determines the success or failure of a password is its length, rather than the variety of the characters used.
What Hive’s chart shows is that passphrases are considerably more effective at protecting users than passwords.
Take a seven-character password that includes uppercase letters, lowercase letters, numbers, and punctuation. This can be cracked in about six minutes using the brute-force method of attack, despite containing such a variety of characters.
Compare this to a passphrase consisting of only lowercase letters—no upper case, no numbers, nothing else. The only difference is that it has double the number of characters, this time at 14 instead of seven—this would take 51 years to hack with brute-force.
Six minutes versus 51 years! The power of passphrases!
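To make the arithmetic behind that comparison concrete, here is an added Python example; it is not from the original post and does not reproduce Hive’s chart. It computes the number of candidates (the keyspace), the entropy in bits and the worst-case time to try every candidate for a seven-character full-charset password and a 14-character lowercase passphrase, and then shows the caveat a defender should keep in mind: if the words of a passphrase come from a known list, the attacker can guess whole words instead of characters. The guessing rate of 10^10 per second and the 7,776-word list size are assumptions chosen for illustration, so the times printed will not match Hive’s six-minute and 51-year figures, which rest on Hive’s own hardware assumptions.

```python
import math

# Alphabet sizes used in the comparison on the page.
LOWERCASE = 26                     # a-z only
FULL_ASCII = 26 + 26 + 10 + 33     # lower, upper, digits and the 33 printable ASCII symbols = 95

# Assumptions for illustration only: attacker speed and dictionary size.
GUESSES_PER_SECOND = 1e10          # assumed offline guessing rate, not a measured figure
DICEWARE_WORDS = 7776              # assumed word-list size (6^5, as in Diceware-style lists)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of `length` symbols drawn from an alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy if every symbol is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int,
                       guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every string of this shape at the given rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def passphrase_bits(word_count: int, dictionary_size: int = DICEWARE_WORDS) -> float:
    """Entropy of a passphrase when the attacker guesses whole words, not characters.

    This is the figure that matters if the words come from a known list; it is
    usually far below the character-level estimate for a string of the same length.
    """
    return word_count * math.log2(dictionary_size)


def human_time(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    units = [("years", 365.25 * 24 * 3600), ("days", 86400),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def compare(short_len: int = 7, long_len: int = 14) -> dict:
    """Side-by-side numbers for a full-charset password and a lowercase passphrase."""
    return {
        "short_bits": entropy_bits(FULL_ASCII, short_len),
        "long_bits": entropy_bits(LOWERCASE, long_len),
        # how many times more candidates the longer lowercase string has
        "ratio": keyspace(LOWERCASE, long_len) // keyspace(FULL_ASCII, short_len),
        "short_time": human_time(seconds_to_exhaust(FULL_ASCII, short_len)),
        "long_time": human_time(seconds_to_exhaust(LOWERCASE, long_len)),
    }


if __name__ == "__main__":
    result = compare()
    print(f"7-char full charset : {result['short_bits']:.1f} bits, exhausted in {result['short_time']}")
    print(f"14-char lowercase   : {result['long_bits']:.1f} bits, exhausted in {result['long_time']}")
    print(f"the longer lowercase string has {result['ratio']:,}x more candidates")
    # Caveat: the same length as four words drawn from a known list is far weaker
    print(f"4 words from a {DICEWARE_WORDS}-word list: {passphrase_bits(4):.1f} bits")
```

The ratio of roughly 920,000 between the two keyspaces comes purely from length (26^14 against 95^7), which is the point the page makes. The last line shows why “random words” beats “a common phrase”: a four-word passphrase from a 7,776-word list still has around 52 bits of entropy, but a phrase the attacker can guess from knowing the user has far less, whatever its character count.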
Finally, we have the FBI’s recommendation on the use of passphrases for businesses.
The FBI launched a project called Protected Voices, the intention of which was to provide cybersecurity recommendations to political campaigns operating in the US.
The project called for passphrases and multifactor authentication to be used in order to best ensure that sensitive data was protected effectively.
In a video from their Protected Voices initiative, which seeks to provide cybersecurity recommendations to political campaigns across various functions, passphrases were strongly advised to improve their security and protect data.
Guidance from the National Institute of Standards and Technology, or NIST, advises that password length is much more beneficial than complexity. – FBI, Protected Voices: Passphrases and Multifactor Authentication
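The following Python example is added here to show what a “length over complexity” policy looks like as a check an organization could run at password-change time; it is not code from the original post, the FBI or NIST. In keeping with the guidance quoted above it imposes no composition rule (no mandatory digits or symbols), and instead enforces a minimum length, rejects known common phrases and rejects passphrases built from details about the user, which is the weakness the “mydogiscalledharry” example illustrates. The 15-character minimum, the small denylist and the personal-detail list are assumptions constructed for the example.

```python
import re

# Policy parameters are assumptions for illustration, not values from the page.
MIN_LENGTH = 15

# Constructed denylist standing in for a real breached-password / common-phrase list.
COMMON_PHRASES = {
    "password", "letmein", "qwerty", "iloveyou",
    "correcthorsebatterystaple", "mydogiscalledharry",
}


def normalize(text: str) -> str:
    """Lower-case and strip separators so 'My Dog' and 'mydog' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def check_passphrase(candidate: str, user_facts=(), denylist=COMMON_PHRASES) -> list:
    """Return the reasons a candidate fails the policy; an empty list means accepted.

    user_facts: strings the organization already knows about the user (name,
    username, pet, employer) that a passphrase should not be built from.
    Deliberately no composition rule: length and unpredictability are what count.
    """
    problems = []
    norm = normalize(candidate)

    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if norm in denylist:
        problems.append("matches a known common phrase")
    if len(set(norm)) <= 2:
        problems.append("built from only one or two distinct characters")
    for fact in user_facts:
        fact_norm = normalize(fact)
        # ignore very short facts so initials do not cause false rejections
        if len(fact_norm) >= 4 and fact_norm in norm:
            problems.append(f"contains personal detail '{fact}'")
    return problems


if __name__ == "__main__":
    facts = ["Harry", "J. Smith"]   # constructed example of what the org knows about the user
    for sample in ["Tr0ub4&!", "mydogiscalledharry", "my dog is called Harry!",
                   "socrateslifestylecookiegrandson"]:
        verdict = check_passphrase(sample, user_facts=facts)
        print(f"{sample!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

The normalization step matters: without it, “my dog is called Harry!” would slip past a denylist that only holds “mydogiscalledharry”, and the personal-detail check would miss a capitalized name. Pairing a check like this with MFA, as the page recommends, means a passphrase that does leak is still not enough on its own.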
Cyberattacks have been increasing in volume and sophistication during the course of 2020 and 2021.
Because of this, many passwords and habits employed by end users today are not fit for purpose, and therefore more secure passphrases are strongly advised in order to lessen the chances that they are hacked.
As far as businesses are concerned, they should strongly consider implementing MFA and passphrase policies for their staff to give cybercriminals the smallest chance of success possible.