Stop using your passwords and make this one simple change for a more secure life
The Protected Voices initiative was launched by the FBI to help safeguard against online "foreign influence" operations along with cybersecurity threats. With input from the FBI itself, the Department of Homeland Security, and the Office of the Director of National Intelligence, it's a goldmine of essential guidance and advice on everything from social engineering through to incident response. While the information is geared toward political campaigns, the advice provided applies to a much wider audience. Adapted from that initiative is something known as the FBI Portland Tech Tuesday report, and the latest recommends an alternative to the passwords that most people use to protect everything from email to banking, phones to laptops. The FBI wants you to stop using passwords and do this one thing instead.
The security devil is in the password detail
The devil is, as always, in the detail. In this case, that detail is that complexity isn’t always best. The passwords that the FBI wants you to stop using are both simple and easy to remember ones, which are also easy to guess or break, and even more complex combinations of cases, numbers, and special characters that are much harder to remember. I'd hope that you aren't using one of the world's top 100 worst passwords, nor should you just be swiping right when it comes to password selection.
This is where the FBI advice comes in, and can be summed up by those two words: length and complexity. "Password length is much more important than password complexity," the FBI said,
adding that instead of using shorter and more complex passwords, you should "consider using a longer passphrase."
A passphrase as a better alternative to a complex password is not exactly a new security concept, but it remains a good one, and it's good to see both the National Institute of Standards and Technology (NIST) and the FBI recommending it.
Correct Horse Battery Staple
Most geeks will have come across the idea of length beating complexity, and passphrases trumping passwords, from the "Correct Horse Battery Staple" cartoon. If you've never seen this, do go and take a look. It explains better than any number of lengthy essays why such a passphrase is difficult to guess but easy to remember. And that's the point of the FBU advice: "The extra length of a passphrase makes it harder to crack while also making it easier for you to remember."
So, while G5e*cbCy74Tm$*SZthE7igp7L is certainly difficult for a would-be attacker to guess or break using brute-force attack methods, it's all but impossible to remember. However, "FantasticYellowBowledHair" is the same length but a lot less complex and so much easier to visualize and thus recall. Importantly, it's just as hard for criminals to crack. The trick is to use unrelated words that can be combined into something that you can visualize, rather than related words that might be guessable as a phrase. The FBI recommends using passphrases of at least 15 characters, but I'd suggest stretching that to 25 characters because, well, why not?
There's even a passphrase generator online that uses the XKCD method, with user parameter options such as word capitalization and separator options, that will throw random phrases at you to make the process even easier.
Why not just use a password manager?
You may well be wondering why bother with passphrases when a password manager application randomly generates suitably long and complex passwords that you never have to remember as it does all that for you? This is true, and it's what a lot of information security professionals from ethical hackers to CISOs of my acquaintance both use themselves and advise others so to do. However your password vault still needs to be secured by a master password, and that's where the passphrase advice comes back into play. You can make this hellishly long, but unforgettable, using a passphrase to get the best of both secure worlds. For additional heft, multiple layers of security are always a good thing. Adding extra user verification steps such as biometrics (a fingerprint) or tokens (hardware security keys or software authenticator app codes) into the mix will lock your accounts and services down even tighter.
I'm a three-decade veteran technology journalist and have been a contributing editor at PC Pro magazine since the first issue in 1994. A three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) I was also fortunate enough to be named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro called 'Threats to the Internet.' In 2011 I was honored with the Enigma Award for a lifetime contribution to IT security journalism. Contact me in confidence at [email protected] if you have a story to reveal or research to share.