Statistically, most of our passwords are insecure. As humans, we want to minimize the effort needed to access our accounts, so we tend to create passwords that are easy for us to memorize. CWRU will roll out passphrases in the coming months to support stronger security.
Passwords that are easy to memorize are often easy for attackers to guess. Instead of a simple password like passw0rd, people often turn to personal information they already know, such as a pet's name, an important date, or other facts they have already memorized. The effort to memorize something new is minimal, because they already know that information.
Passwords built from personal information are insecure too. Anyone can gather information about you from social media: first name, last name, maiden name, birth date, pet names, nicknames, and so on. Social media networks hold a large amount of personal information that attackers know is linked to your identity, and they can use it to guess your password.
What's the next step? If a password is too difficult to memorize, you run the risk of forgetting it and being locked out of your account; if a password is too easy to guess, almost anyone can guess it and break in. Using an insecure or obvious password is like taping your house key next to your front door, in plain sight.
This is the recurring problem with passwords. The solution is simple: passphrases.
A passphrase is composed of multiple words, as opposed to a password, which is frequently only a single word. A simple passphrase can be easier to remember than a complex password while also being more secure, because its greater length gives an attacker far more possibilities to guess.
As the XKCD comic above illustrates, using a passphrase allows us to create authentication credentials that are both easy to remember and difficult to guess.
Using passphrases instead of passwords will improve our security, but not every passphrase is secure. A strong passphrase should meet the following guidelines:
- Be long enough to be difficult to guess
- Be unique to you
- Not contain your name or network ID
- Be hard to guess by intuition, even by someone who knows you well
- Be easy to remember and type accurately
- Not be reused across sites, applications, systems, or other services
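As an added illustration (not part of the original article and not CWRU's own tooling), the following Python checks a candidate passphrase against the guidelines above and shows how passphrase strength grows with the number of randomly chosen words. The 16-character and 3-word thresholds, the short sample word list, and the sample name and network ID are assumptions made for the demo.

```python
import math
import re
import secrets

# Constructed sample word list for the demo only; a real generator would draw
# from a large published list such as the 7776-word EFF diceware list.
WORDLIST = ["correct", "horse", "battery", "staple", "copper", "lantern",
            "meadow", "violet", "anchor", "timber", "saffron", "glacier"]


def random_passphrase_bits(word_count, list_size):
    """Entropy in bits of word_count words picked uniformly from a list.
    Each extra word adds log2(list_size) bits, which is why length matters."""
    return word_count * math.log2(list_size)


def generate_passphrase(word_count, wordlist=WORDLIST):
    """Pick words with a CSPRNG (secrets), never random.choice, for credentials."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))


def check_passphrase(passphrase, name, network_id, previously_used,
                     min_length=16, min_words=3):
    """Return a list of guideline violations; an empty list means it passes.
    min_length and min_words are assumed thresholds, not CWRU policy."""
    problems = []
    lowered = passphrase.lower()
    if len(passphrase) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(re.findall(r"[a-z']+", lowered)) < min_words:
        problems.append(f"fewer than {min_words} words")
    # Guideline: must not contain your name (any part of it) or network ID.
    for label, value in (("name", name), ("network ID", network_id)):
        if any(part.lower() in lowered for part in value.split()):
            problems.append(f"contains your {label}")
    # Guideline: must not be reused; previously_used stands in for a breach or
    # password-manager check against credentials used elsewhere.
    if passphrase in previously_used:
        problems.append("reused from another site or system")
    return problems
```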
Finally, using Multi-Factor Authentication is highly recommended wherever it is an option.
More information about passphrases can be found from NIST:
https://www.nist.gov/blogs/taking-measure/easy-ways-build-better-p5w0rd