According to statistics from SecurityIntelligence, “For small and midsized organizations (SMBs), 60% of employees use the exact same password for everything they access. Meanwhile, 63% of confirmed data breaches leverage a weak, default or stolen password.”
Passphrases vs. Passwords
A password is a string of characters used to verify the identity of a user during the authentication process. Passwords can vary in length and can contain letters, numbers and special characters. A passphrase, on the other hand, is a sequence of words, similar to a password in usage, but generally longer and, for added security, typically without numbers or special characters.

An example of a password would be: Tr0ub4dor&3

An example of a passphrase would be: correcthorsebatterystaple

Oregon State University writes, “Passphrases are more secure than passwords because they are generally longer, making them less vulnerable to attack. They also allow you to remember your credentials, even when they expire frequently. The idea of a passphrase is to use a statement, or motto, rather than a word peppered with odd characters and symbols, as the latter can be difficult to dedicate to memory.”
Recent password news
Back in 2003, the ‘password bible,’ ‘NIST Special Publication 800-63, Appendix A,’ was written by Bill Burr, advising users to change passwords often and to include numbers and special characters. Now, in an interview with the Wall Street Journal, Burr admits that much of the advice in the document was incorrect and that he ‘regrets’ it, as passwords that follow these guidelines are actually easier to hack.

DailyMail.com writes, “Rather than improving security, the combinations made computers less secure, since users would end up using the same password repeatedly, or writing them down on notes to remember... The reason changing a password frequently does not help is that most people make minor tweaks such as replacing the number 1 with a number 2. These are called 'transformations' and hackers are very aware of them and build them into their scripts.”

Experts are advising users to implement long passphrases, containing about four words, instead of shorter passwords with a mix of numbers and characters. Burr says, “Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.”

The concerns regarding password security have become more dire with each data breach.
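To make the two points above concrete (the password-vs-passphrase comparison, and why predictable ‘transformations’ of a dictionary word add little strength), here is an added Python example; it is not code from the original post or from Cybrary. It estimates guessing strength in bits three ways: a naive character-pool brute-force estimate, a simplified leet-aware attacker model (an assumption of this example, with a constructed attacker dictionary and an assumed dictionary size), and a word-list estimate for passphrases. It also generates a random passphrase from a constructed word list using the `secrets` module; a real Diceware-style list has 7776 words, so list size is passed in explicitly.

```python
import math
import secrets
import string
from typing import Optional

# Constructed word list for the example. A real Diceware-style list has
# 7776 entries, so strength calculations take the list size as a parameter.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "ocean", "pencil",
                "window", "garden", "silver", "rocket", "candle", "forest"]

# Constructed "attacker dictionary" for the leet-aware model. Assumption:
# the attacker's real list holds about 2**ASSUMED_DICT_BITS base words.
ATTACKER_DICTIONARY = {"troubador", "password", "dragon", "monkey", "letmein"}
ASSUMED_DICT_BITS = 16

# Common substitutions that cracking rule sets undo automatically.
LEET = {"0": "o", "4": "a", "3": "e", "1": "i", "@": "a", "$": "s", "5": "s", "7": "t"}
SYMBOLS = string.punctuation  # 32 printable ASCII symbols


def naive_entropy_bits(secret: str) -> float:
    """Brute-force estimate: length * log2(size of the character pool used).
    This is what simplistic strength meters report; it overstates strength
    for dictionary words dressed up with predictable transformations."""
    pool = 0
    if any(c.islower() for c in secret):
        pool += 26
    if any(c.isupper() for c in secret):
        pool += 26
    if any(c.isdigit() for c in secret):
        pool += 10
    if any(c in SYMBOLS for c in secret):
        pool += len(SYMBOLS)
    return len(secret) * math.log2(pool) if pool else 0.0


def leet_model_bits(secret: str) -> Optional[float]:
    """Simplified attacker model (an assumption for this example): if the
    secret is a dictionary word with leet substitutions, a capital letter and
    appended digits/symbols, the attacker only needs the base word plus a few
    bits per transformation. Returns None if the secret does not fit the model."""
    core = secret.rstrip(string.digits + SYMBOLS)   # strip appended digits/symbols
    appended = secret[len(core):]
    base = "".join(LEET.get(c, c) for c in core).lower()
    if base not in ATTACKER_DICTIONARY:
        return None
    bits = float(ASSUMED_DICT_BITS)                  # which base word
    bits += sum(1 for c in core if c in LEET)        # ~1 bit per substitution
    bits += 1 if any(c.isupper() for c in core) else 0  # ~1 bit for capitalisation
    bits += len(appended) * math.log2(10 + len(SYMBOLS))  # each appended char
    return bits


def passphrase_entropy_bits(word_count: int, list_size: int) -> float:
    """Entropy of word_count words chosen uniformly at random from list_size."""
    return word_count * math.log2(list_size)


def generate_passphrase(word_count: int = 4, words=SAMPLE_WORDS, sep: str = " ") -> str:
    """Pick words with a CSPRNG; the space separator keeps word boundaries clear."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


def guess_time_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to exhaust 2**bits guesses at the given offline rate."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    pw = "Tr0ub4dor&3"
    print(f"{pw}: naive {naive_entropy_bits(pw):.1f} bits, "
          f"leet model {leet_model_bits(pw):.1f} bits")
    bits = passphrase_entropy_bits(4, 7776)
    print(f"4 words from 7776: {bits:.1f} bits, "
          f"{guess_time_seconds(bits) / 86400:.1f} days at 1e10 guesses/s")
    print("sample passphrase:", generate_passphrase())
```

The naive estimate rates Tr0ub4dor&3 at roughly 72 bits, while the leet-aware model rates it at around 30, because the attacker's rules reconstruct the substitutions rather than brute-forcing each character. The passphrase numbers show what actually drives strength: word count and list size, both of which can be raised without making the result harder to remember.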
Olivia Lynch (@Cybrary_Olivia) is the Marketing Manager at Cybrary. Like many of you, she is just getting her toes wet in the infosec field and is working to make cyber security news more interesting. A firm believer that the pen is mightier than the sword, Olivia considers corny puns and an honest voice essential to any worthwhile blog.