We seem to be forever hearing about various cyber breaches these days, millions of email addresses dumped here, thousands of individuals’ personal information compromised there, the list goes on.
Yet, despite the apparent sophistication of many cyber attacks reported by the media, a significant number of these occur for a very simple reason – weak user passwords. We are constantly told to choose a ‘secure’ password and can be given a (somewhat extensive) list of requirements. The problem with this approach? Although these are generally more secure than the likes of ‘password’, ‘Titanic’ or even ‘Titanic12’, we simply can’t remember them.
As awareness around this area of cyber security increases, people do seem to be generally becoming more conscious of the importance of choosing stronger passwords. However, one aspect that causes a lot of confusion is that people are given different advice by different people. Consumers and businesses are left wondering who to believe and what in fact is the best approach to choosing passwords that are both complex and memorable? What does constitute a ‘secure’ password?
Password vs passphrase
A passphrase is a short sentence consisting of multiple words. By creating short sentences, people are not forced into having to remember lower-case here, upper-case there, substituted letters for numbers etc. By creating a passphrase, you’re creating a token for keeping your sensitive information secure (at least to a point) that ticks two of the boxes for an ideal password – length and memorability. The additional length makes it exponentially more complex, and therefore vastly more time-consuming for a hacker to access the plaintext value and use it for malicious purposes.
However, as effective as this is, it’s not completely fool proof for two reasons: phrases or sentences still have to be remembered, and not all websites and apps support them. I’ve found it rather surprising that many websites I’ve penetration tested don’t allow spaces in passwords. In these cases, I’ve simply used hyphens or underscores as a substitute, which, although not recommended, is an improvement over simple passwords.