Passphrases Over Passwords
Following the recent release of the updated National Institute of Standards and Technology (NIST) guidelines, it’s the perfect time for managed services providers (MSPs) and customers alike to reflect on current security practices and how to improve them. After all, practicing strong, preventative password security is much easier than trying to recover accounts after a successful cyberattack.
For a simple way to maximize security, this article will discuss a topic that has preoccupied internet security experts of late—passphrases, and how they’re superior to passwords.
What Is a Passphrase?
At this point, you might be thinking—“password, passphrase…pass the potatoes, please.” But these two terms are starkly different, and amid the ceaseless expansion of internet security threats, it’s important to understand how.
Passwords are secret combinations of upper- and lowercase letters—with numbers and symbols interspersed to increase strength. Many sites set both a minimum and a maximum number of characters—usually six to eight as a minimum—and set limits on what type and how many of each type of character you can use (for instance, one or two symbols, and only exclamation or question marks). Spaces are rarely, if ever, permitted.
Passphrases, by contrast, are secret sets of words that often have a space between them. They also contain letters (often with numbers and symbols interspersed) but the letters tend to add up to words—and the words can even add up to a sentence. This means that passphrases are almost always longer than passwords. So, for instance, a preferred passphrase could be a series of words like: “The G1ants play on Saturday!” As you can see, we have letters, numbers, and symbols all combined in a sentence that should be easy to remember.
So What’s the Problem with Passwords?
Unlike passphrases, passwords have been used as a secure gateway for managing access to accounts for many years. The general assumption has always been that the longer and more complex the password, the greater the security. This may be true, but it also presents problems—for one, most sites set limits on how long and complex your password can be. More importantly, the longer and more complex your password is, the more difficult it is for you to remember it—which causes new security problems. (And don’t even think about saving it somewhere in your file structure or on your email account!)
All of us can relate to the scenario of forgetting a recently set, complex password and having to replace it with a new one. While this may seem like no big deal, the fact of the matter is when we replace complex passwords we’ve forgotten, we tend to revert to simpler ones that we’re more likely to remember. This opens the door to bad actors who seek to guess or crack passwords with brute force. For this reason, the latest password guidelines from NIST no longer recommend cyclical password changes. Instead, NIST recommends long and complex passwords or, ideally, passphrases that are easy to remember but difficult to guess or crack. The most recent NIST guidelines also recommend changing these passphrases only if you know the account has been compromised, because forcing users to change their passwords frequently encourages them to pick weaker passwords so they can remember them.
What Makes Passphrases Better?
This gets us to what makes passphrases so much better than passwords. In short, passphrases are:
- Easier to create
- Easier to remember
- Harder to guess or crack with brute force (because they are long and complex)
- Easily adaptable to passcode rules
- Supported by major operating systems and applications
Given these benefits, you might wonder why passphrases are still so uncommon. The answer is twofold: one, users are accustomed to using passwords and change never comes easily; and two, often the companies administering our accounts haven’t adapted to changing security standards. In the meantime, users can adopt strong passphrases in whatever form their authentication systems allow and advocate for rule changes that support sound password management.
Are Strong Passphrases Enough?
Passphrases are a dramatic improvement upon passwords—especially when they are strong (i.e., long, complex, and unique). Users can easily come up with strong passphrases on their own—though a random passphrase generator can go a long way toward improving security.
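As an added example that is not part of the original article, the following Python sketch shows the two practical pieces this section points at: a CSPRNG-backed random passphrase generator with a brute-force keyspace estimate, and a verifier-side policy check in the spirit of the NIST guidance the article cites (SP 800-63B: a length floor, a generous ceiling, spaces allowed, no composition rules, screening against breached passwords). The word list and the breached-password set are constructed placeholders, not real data.

```python
import math
import secrets
import string

# Constructed miniature word list for illustration only; a real generator
# should draw from a list of thousands of words so each word adds ~12-13 bits.
WORDS = ["giant", "saturday", "harbor", "lantern", "pebble", "orbit", "velvet",
         "canyon", "meadow", "thunder", "copper", "willow", "ember", "glacier",
         "pumpkin", "saddle"]

# Constructed sample of known-breached or commonly used secrets to reject.
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome1"}

def generate_passphrase(n_words=4, words=WORDS):
    """Random passphrase from a word list, using a CSPRNG (secrets, not random)."""
    return " ".join(secrets.choice(words) for _ in range(n_words))

def passphrase_entropy_bits(n_words, wordlist_size):
    """Brute-force keyspace of a randomly chosen n-word passphrase, in bits."""
    return n_words * math.log2(wordlist_size)

def password_entropy_bits(password):
    """Upper-bound keyspace of a password, assuming each character was drawn
    uniformly from the union of the character classes it actually uses."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c == " " or c in string.punctuation for c in password):
        pool += len(string.punctuation) + 1
    return len(password) * math.log2(pool) if pool else 0.0

def check_policy(secret, min_len=8, max_len=64):
    """NIST SP 800-63B-style verifier checks: length floor, generous ceiling,
    spaces and printable characters allowed, no composition rules, and
    rejection of known-breached values. Returns the list of problems found
    (an empty list means the secret is accepted)."""
    problems = []
    if len(secret) < min_len:
        problems.append("shorter than %d characters" % min_len)
    if len(secret) > max_len:
        problems.append("longer than %d characters" % max_len)
    if any(ord(c) < 32 or ord(c) == 127 for c in secret):
        problems.append("contains control characters")
    if secret.lower() in BREACHED:
        problems.append("appears in breached-password list")
    return problems
```

The keyspace numbers show why length beats composition: four words drawn from a 7,776-word list give about 52 bits, the same as a fully random 8-character password using all 95 printable characters, while being far easier to remember.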
However, strong passphrases alone can’t fully secure your account from hacking, phishing, and other cyberattack attempts. For more tips on enhancing password security—from educating users to employing automation techniques—check out this blog, 10 Tips to Help Improve Password Security. On top of this, MSPs should consider adopting SolarWinds® Passportal, a comprehensive cloud-based password management platform. Features like granular access control and secure data storage empower your technicians to ensure your customers have the best password protection possible.