Passphrases: secure but hard to remember. Should they be your password policy?
Cybercriminals who are out to steal your company’s money are getting smarter. Even a password that uses a capital letter, at least one number and a special character can be cracked by hackers because people tend to use the same 32 keyboard characters.
One school of thought on better password security is using simple, long passphrases that are 25 characters or more, such as “I like to go to the beach to get wet.”
But while that might make it more difficult for crooks, it increases the risk that people will reuse the same passphrase across different sites, setting up the possibility of a larger-scale attack.
Also, many sites truncate a passphrase because the maximum character length they’ll accept is less than 25.
Passphrase alternatives to try
For a better approach to security, ask IT’s opinion on using passwords that:
- are four random common words that can be remembered in a humorous mental picture, such as “horse battery staple correct”
- use “leetspeak” letter substitutions in words: one instead of lowercase L, zero for the letter O, the dollar sign instead of S, three in place of E and the “at” symbol replacing A. So the passphrase in the previous example would look like “h0r$3 b@tt3ry $t@pl3 c0rr3ct”, or
- have a word intentionally misspelled to throw hackers off.
Managing login credentials with a password manager that creates and remembers unique, long, random passwords for each security domain can also be valuable. Examples include 1Password, LastPass and KeePass (which is free).
In addition, using multi-factor authentication wherever possible, especially when using cloud-based apps or sites, is sound cybersecurity strategy.
Evaluating your authentication needs
Because anyone with a developer license can make a multi-factor authentication app, there are a lot of them out there.
If you haven’t yet chosen one for your organization, when you’re researching, get IT’s feedback on an app’s:
- Platform compatibility: Do you need it to work on both Android and iOS, or both Windows and Mac?
- Usability: How easy is it to add new accounts, find existing accounts and delete unneeded accounts?
- Ease of account recovery: Does it offer multiple ways to recover an account (e.g., support line, device backup, etc.)?
- App security: Do you want another layer of security, such as a PIN or biometric locks like face ID or a fingerprint scan?