Year after year, passwords like “123456”, “qwerty” and even “password” are found to be the most popular choices, and 2021 was no exception. Even when we graduate from these absurdly simplistic passwords, their replacements are often no better: Game of Thrones star Diana Rigg famously admitted to having used “F*** off” as her password.

These reports generally come with the same advice to users: create better passwords to protect your security online. Whilst there is undoubtedly an element of truth to this, it’s also time to realise that years of promoting this message have had little or no effect.

Encouraging better cyber hygiene

If you’re responsible for running a website or a service that will accept the likes of “123456”, “qwerty” or “password”, it’s time to rethink your system. If you let users get away with bad choices, they will believe that they are acceptable and continue this bad practice.

Instead, by implementing stronger protocols, you can help to address the problem at its source. Websites should have processes in place to filter out poor passwords – a “blacklist” of common choices.

At the moment, it’s too easy for website owners to pass the buck onto users while at the same time readily accepting the likes of “password” as someone’s entry into their system.

As a result, we have successive generations of users who are neither told what a good password looks like nor prevented from making lazy choices. It’s not hard to find examples of websites that will accept the very worst passwords without complaint. It’s similarly easy to find sites that require users to create passwords yet give them no guidance in doing so, or sites that will warn a user that their password choice is weak but allow it anyway.

Smarter choices

Many websites may believe they’re doing this: common practice advises users to select passwords containing a mixture of upper- and lower-case letters, punctuation symbols and numbers. Yet advice from organisations such as the Australian Cyber Security Centre (ACSC) suggests these kinds of prompts should no longer be used, as they aren’t as secure as we think they are.

The ACSC says multi-factor authentication (MFA) – a combination of something that you know, something that you have and something that you are – is one of the most effective ways to protect yourself. However, in cases where MFA is not available, a strong passphrase can often be the only barrier between adversaries and your valuable information and accounts.

Passwords are passé – passphrases are longer and stronger

Passwords are passé. It’s time to use passphrases instead. As we have increased our reliance on passwords, adversaries have developed increasingly sophisticated ways to crack them. In attempting to make passwords stronger, we have made them harder for humans to remember, and easier for machines to crack. Hence, the need for passphrases that are easy for humans to remember, and harder for machines to crack.

Principles for strong passphrases

Whenever you can, use a passphrase instead of a password. Passphrases are most effective when they are long, unpredictable and unique.

The longer your passphrase, the better. Aim to make your passphrases four or more random words, of at least 14 characters in total, whenever you can. For example, ‘red house sky train’, ‘sleep free hard idea’ or ‘crystal onion clay pretzel’.

The less predictable your passphrase, the better. A passphrase in the form of a lyric, quote or sentence, like ‘I don’t like pineapple on pizza.’, uses spaces and punctuation, which adds complexity. However, a sentence could also be predictable, because the language you use will have grammar and punctuation rules to follow. In English sentences, for example, it is predictable to have spaces between words, a capital letter at the beginning and a single character of punctuation at the end, like a full stop. Sentences can also be predictable in the placement of nouns, adjectives, verbs and so on.

Using a random mix of unrelated words is far more unpredictable and will produce a stronger passphrase. There are many ways to create a mix of random words. There are tools available on the internet that can help, or you could open random pages in a dictionary or another book to select unrelated words.
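The two checks the article asks for, a denylist of common choices (from the “Encouraging better cyber hygiene” section) and the four-word, 14-character passphrase rule above, as an added example that is not the article’s or the ACSC’s own code. The denylist and wordlist are small constructed samples; a real deployment would load a breach-derived denylist and a full diceware-style wordlist, and the entropy helper shows why random words beat a predictable sentence of the same length.

```python
import math
import secrets

# Constructed denylist of the common choices named in the article; a real
# site would load a large list derived from breached-password corpora.
COMMON_PASSWORDS = {"123456", "qwerty", "password", "12345678", "abc123"}

# Constructed sample wordlist (hypothetical); a real one, such as a diceware
# list, has thousands of entries so each word contributes more entropy.
WORDLIST = ["red", "house", "sky", "train", "sleep", "free", "hard", "idea",
            "crystal", "onion", "clay", "pretzel", "river", "lamp", "stone", "mint"]

MIN_WORDS = 4       # article: four or more random words
MIN_LENGTH = 14     # article: at least 14 characters in total


def check_passphrase(candidate: str) -> tuple:
    """Return (accepted, reason) for a candidate under the article's rules."""
    normalised = candidate.strip().lower()
    # Reject the well-known weak choices outright rather than merely warning.
    if normalised in COMMON_PASSWORDS:
        return False, "on the common-password denylist"
    words = normalised.split()
    if len(words) < MIN_WORDS:
        return False, f"fewer than {MIN_WORDS} words"
    if len(normalised) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    return True, "ok"


def generate_passphrase(words: int = MIN_WORDS, wordlist=WORDLIST) -> str:
    """Pick unrelated words with a CSPRNG, so the result follows no grammar."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def random_word_entropy_bits(words: int, wordlist_size: int) -> float:
    """Entropy of words drawn uniformly from the list: words * log2(size)."""
    return words * math.log2(wordlist_size)


if __name__ == "__main__":
    for sample in ("password", "crystal onion clay", "red house sky train"):
        print(sample, "->", check_passphrase(sample))
    phrase = generate_passphrase()
    print("generated:", phrase, check_passphrase(phrase))
    # Four words from a 7776-word diceware list give about 51.7 bits.
    print("entropy (4 words, 7776-word list):",
          round(random_word_entropy_bits(4, 7776), 1))
```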

Create unique passphrases

Use a unique passphrase for every valuable account. Reusing a passphrase makes each account that uses it more vulnerable. This is particularly important for valuable accounts like email, financial accounts and those that store banking details. Often email addresses are reused as usernames to log into multiple accounts, and the accounts are often used to store valuable personal information, making your email account a valuable resource. If adversaries have cracked your passphrase, they will attempt to use it for every account they find that is associated with you, and even change your passphrase so that you can’t regain access to your accounts.

One way that you can reduce the burden of having unique passphrases for every valuable account is to use modifiers for each one based on the service that it relates to. For example, ‘crystal onion clay pretzel facebook’ or ‘insta crystal onion clay pretzel’.

Security matters

While it’s very tempting to think that users are only putting themselves at risk by deploying poor cyber hygiene and that any attempts to change that are excessively paternalistic, this line of thinking is muddled, not least in an era that requires organisations to protect users’ personal data as robustly as possible.

While there is undoubtedly a move towards more passwordless authentication systems, the humble password is unlikely to go anywhere anytime soon. Indeed, the death of passwords has been an almost annual prediction for over a decade now, yet it remains the bedrock of our digital security. As such, we have a collective responsibility to help ensure that we get the basics of digital hygiene right rather than passing the blame onto users.