New Best Practice: Out with the Password, In with the Passphrase

June 11, 2012 • Categories: Archive, Best Practices

The recent news of security breaches among major social networking sites reignites the ongoing dilemma of the password. As humans, we have the natural tendency to simplify its content and use. Unfortunately, hackers and data thieves know this and use it to their advantage. Perhaps most unfortunate, however, is the “institution” of the password itself, because it has programmed us to think about secure access in a patterned way that is ultimately detrimental to society from both an individual and an organizational perspective.

A Fundamental Change

It’s time for a fundamental change in the way our society views and implements login credentials. While the password was a good place to start, it has outlived its utility. The traditional password—a single word, as the nomenclature implies—is no longer viable, even with added symbols, intermittent upper/lowercase letters and numbers substituted for letters. Hackers and the tools they employ know all of the current conventions for creating a “strong” yet memorable password. In other words, if you’re using a password, they’re onto you.

Like the password, the passphrase is a credential for accessing secure information, applications and networks. The passphrase, however, is a series of words and characters strung together to form a lengthy phrase that is more likely to be unique to you. Because of its length and added complexity, the passphrase is a harder nut for the hacker to crack. And, because the passphrase could be made up of an infinite number and order of words, numerals and symbols, the concept in itself promises to be a more effective long-term solution.
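As an added illustration (not part of the original post) of why a phrase is a harder nut to crack than a single word dressed up with substitutions, the following Python estimates the guess-space of each and applies a simple passphrase policy check; the dictionary and wordlist sizes, the guessing rate, the substitution table and the sample strings are all assumptions chosen for the example.

```python
import math
import re

# Constructed sizes used for the estimate (assumptions, not figures from the post):
# a ~100k-word English dictionary for the attacker's wordlist and a 7,776-word
# Diceware-style list that the passphrase words are drawn from.
DICTIONARY_SIZE = 100_000
WORDLIST_SIZE = 7_776

# Common letter substitutions that guessing tools try automatically (assumed table).
LEET = str.maketrans("@$013!", "asolei")

def single_word_bits(words=DICTIONARY_SIZE, case_patterns=4, leet_variants=8, suffixes=100):
    """Guess-space (bits) of a 'strong' single-word password: one dictionary word,
    a few capitalisation patterns, leet substitutions and a short digit/symbol suffix."""
    return math.log2(words * case_patterns * leet_variants * suffixes)

def passphrase_bits(word_count, wordlist=WORDLIST_SIZE):
    """Guess-space (bits) of word_count words chosen at random from the wordlist."""
    return word_count * math.log2(wordlist)

def years_to_exhaust(bits, guesses_per_second=1e10):
    """Time to try every candidate at an assumed offline guessing rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

def is_dressed_up_word(candidate, dictionary):
    """True if the candidate is just a dictionary word with the usual tricks applied."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", candidate.lower())  # drop digit/symbol affixes
    return core.translate(LEET) in dictionary                   # undo leet substitutions

def check_passphrase(candidate, dictionary, min_chars=20, min_words=4):
    """Policy check: reject dressed-up single words, require length and several words."""
    if is_dressed_up_word(candidate, dictionary):
        return False, "single dictionary word with substitutions"
    if len(candidate) < min_chars:
        return False, f"shorter than {min_chars} characters"
    if len(re.findall(r"[A-Za-z]+", candidate)) < min_words:
        return False, f"fewer than {min_words} words"
    return True, "ok"

if __name__ == "__main__":
    sample_dictionary = {"password", "summer", "welcome", "monkey"}  # constructed stand-in
    for pw in ("P@ssw0rd!", "Summer2012", "coffee before the 9am standup!"):
        print(pw, check_passphrase(pw, sample_dictionary))
    print(f"single word + tricks: {single_word_bits():.1f} bits, "
          f"{years_to_exhaust(single_word_bits()):.2g} years to exhaust")
    print(f"5 random words:       {passphrase_bits(5):.1f} bits, "
          f"{years_to_exhaust(passphrase_bits(5)):.2g} years to exhaust")
```

The bit counts are only as good as the assumed list sizes, but the gap of roughly 35 bits between the two cases is what makes the phrase the better long-term choice.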

Changing the Common Denominator

If hackers know the way to breach our individual accounts by exploiting today’s password conventions, how much more damage can they do to a business network utilizing those same conventions?

Organizations are made up of people and, by default, the security practices a person employs in his or her personal computing activities are the same practices he or she employs in the workplace. As individuals, we must recognize the need to re-think the way we view and implement passwords. The best way to shift the current paradigm is to think in terms of secure phrases rather than words.

Recognizing the issue at hand (that hackers know how to exploit the current password system) is a critical first step to individual and organizational awareness. From an organizational security standpoint, here is how this awareness will play out:

  • All employees utilize passphrases that are unique to the organizational environment (i.e., they never re-use personal passphrases in the workplace)
  • Employees who work across multiple company platforms that require authenticated entry utilize a different passphrase for each platform
  • Default passwords that come with newly established accounts and security applications (such as firewalls) are immediately changed to secure passphrases

We’ve seen the damage that data breaches can have on major organizations, but let’s not forget that small businesses are just as vulnerable. Even if you’re a sole proprietor, the best practices described above will positively impact the security of the information you work with. (Small business owners: check out “The Top 5 Security Best Practices for Small Merchants” here.)

Making Change Permanent

Most of us are asked for a “password” in a variety of locations in everyday life. Establishing a secure pattern for passphrases will help make them memorable. In addition, although passphrases are far superior to passwords in terms of information security, they should still be updated approximately every 90 days. Here is excellent information on how to establish an easy-to-use passphrase system that will meet your needs well into the future.

Passphrases are just one of many long-term ways to outsmart the bad guys. To learn about additional ways to simply and cost-effectively address the overall security of your business systems, or for specific information on how to comply with the PCI DSS, give us a call at 1-800-825-3301 x 2. We are happy to help.
