The Age of the Password Is Over: Embracing the Passphrase Revolution

In recent months, the National Institute of Standards and Technology (NIST) — the leading authority on cybersecurity standards — has updated its password guidelines. This shift offers us a timely opportunity to reassess our passwords and ensure they are up to the task of protecting our vital information in an ever-evolving digital landscape.

What Were the Old Guidelines?

Traditionally, NIST focused heavily on password complexity, emphasizing entropy — a measure of randomness and unpredictability. Users were encouraged to create passwords with a mix of uppercase and lowercase letters, numbers, and special characters. Regular password changes were also recommended. This approach aimed to make passwords difficult to guess or crack through brute-force attacks, where every possible combination is tried until the correct one is found.

While this method served us well for many years, the cybersecurity landscape has dramatically changed. The rise of sophisticated algorithms and increased computational power has rendered many complex passwords vulnerable. Additionally, the old guidelines often led to user fatigue and poor password practices, such as reusing passwords or writing them down, because such passwords are hard to remember.

What Has Changed?

NIST’s updated guidelines have shifted away from emphasizing complexity and frequent password changes. Instead, they now recommend focusing on password length and the use of passphrases. This change is driven by two main factors:

  • Advancements in Attack Methods: Cyber attackers now employ advanced techniques, including artificial intelligence and machine learning algorithms, to crack passwords more efficiently. These tools can quickly guess passwords that rely on common substitutions (like “P@ssw0rd”) or patterns, making traditional complex passwords less secure.
  • Human Factors: Studies have shown that most people can remember only a limited number of random characters — usually around seven. When forced to create complex passwords that exceed this limit, users often resort to insecure practices like reusing passwords across multiple sites or storing them insecurely.

Why Passphrases Over Passwords?

Passphrases are essentially longer passwords made up of a series of words or a sentence. The idea is that by increasing the length of the password, we exponentially increase the number of possible combinations, making it significantly harder for attackers to crack. Moreover, passphrases are easier for humans to remember but harder for machines to guess.

Let’s Look at an Example

Consider the following traditional password generated by an online tool:

SV-$1RZQ-ulK

This 12-character password has about 19,000,000,000,000,000,000,000 possible combinations (19 sextillion), assuming the 94 printable characters from the ASCII table. While this seems substantial, let’s compare it to a passphrase:

newpasswordtwoelectricboogaloo

This passphrase is 28 characters long. Assuming only lowercase letters (26 options), it has 2,810,000,000,000,000,000,000,000,000,000,000,000 (2.81 decillion) possible combinations. That’s astronomically higher than the traditional password, making it far more secure against brute-force attacks. Plus, it’s easier to remember without the need for special characters or numbers.
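The comparison above can be reproduced as a small calculator. This is an added example, not code from the article: it computes the character-level keyspace for both secrets from the alphabet sizes the article uses (94 and 26), and it also shows the caveat the next section raises, that an attacker who guesses whole dictionary words instead of single characters faces a much smaller keyspace. Splitting the passphrase into five words and the dictionary size of 7776 (the classic Diceware list) are assumptions for illustration.

```python
import math

# Constructed inputs: the two secrets are the article's own examples; splitting the
# passphrase into words and the dictionary size are assumptions for illustration.
TRADITIONAL = "SV-$1RZQ-ulK"
PASSPHRASE = "newpasswordtwoelectricboogaloo"
PASSPHRASE_WORDS = ["new", "password", "two", "electric", "boogaloo"]

PRINTABLE_ASCII = 94   # the article's character count for the generated password
LOWERCASE = 26


def char_keyspace(length: int, alphabet_size: int) -> int:
    """Guesses needed to exhaust every string of this length: character-level brute force."""
    return alphabet_size ** length


def word_keyspace(word_count: int, dictionary_size: int) -> int:
    """Guesses needed when the attacker tries whole words from a dictionary of this size."""
    return dictionary_size ** word_count


def entropy_bits(keyspace: int) -> float:
    """Keyspace expressed in bits; every extra bit doubles the attacker's work."""
    return math.log2(keyspace)


def strength_report(secret: str, alphabet_size: int,
                    words=None, dictionary_size: int = 7776) -> dict:
    """Bits under the character model and, when the secret is built from words,
    under the word-guessing model; the effective strength is the lower of the two."""
    char_bits = entropy_bits(char_keyspace(len(secret), alphabet_size))
    report = {"length": len(secret), "char_bits": round(char_bits, 1)}
    if words:
        word_bits = entropy_bits(word_keyspace(len(words), dictionary_size))
        report["word_bits"] = round(word_bits, 1)
        report["effective_bits"] = min(report["char_bits"], report["word_bits"])
    else:
        report["effective_bits"] = report["char_bits"]
    return report


if __name__ == "__main__":
    print(strength_report(TRADITIONAL, PRINTABLE_ASCII))
    print(strength_report(PASSPHRASE, LOWERCASE))                    # length-only view
    print(strength_report(PASSPHRASE, LOWERCASE, PASSPHRASE_WORDS))  # word-guessing view
```

The word-guessing view is the one to design for: a passphrase assembled from common words is only as strong as the number of words times the size of the list they were drawn from, which is why unrelated, uncommon words matter more than raw character count.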

The One Drawback to This Method

While passphrases enhance security against brute-force attacks, they may be more susceptible to social engineering if the phrases are easily guessable. If your passphrase is closely related to personal interests or information readily available on social media, an attacker could potentially guess it.

For example, if you’re an avid Marvel fan and frequently post about it online, a passphrase like “ilovecaptainamerica” would be ill-advised.

Tips for Crafting a Strong Passphrase

  • Make It Long: Aim for a passphrase that is at least 15 characters. NIST recommends that systems allow passwords up to 64 characters. The longer, the better.
  • Use Unrelated Words: Combine words that have no apparent connection. For example, “coffeebananaastronautsunshine.”
  • Incorporate Mnemonics: Use a sentence or a lyric from a song you know well but modify it uniquely. For example, “TwinkleTwinkleLittleStarHowIWonder” becomes a memorable yet strong passphrase.
  • Avoid Common Phrases and Personal Info: Steer clear of famous quotes, song lyrics, or anything that can be easily associated with you.
  • Consider Adding Complexity: While not necessary, adding numbers or special characters can increase security. For example, “CoffeeBanana#Astronaut123!”
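The tips above describe what a user should do; the server side of the same guidance is a policy check that enforces length, accepts up to 64 characters, imposes no composition rules, and rejects common phrases and personal terms. The following is an added example written for this article, not NIST's or any product's code; the blocklist and the personal-terms list are constructed placeholders, and a real deployment would load a breached-password corpus and the user's profile data instead.

```python
import unicodedata

MIN_LENGTH = 15   # the article's floor for a passphrase
MAX_LENGTH = 64   # NIST asks systems to accept at least 64 characters

# Constructed blocklist for illustration only; a real deployment loads a corpus
# of breached and commonly used passwords here.
COMMON_PHRASES = {
    "ilovecaptainamerica",
    "correcthorsebatterystaple",
    "letmeinletmeinletmein",
}


def canonical(secret: str) -> str:
    """Lowercase, Unicode-normalized, letters and digits only, so that
    'I-Love_Captain America!' and 'ilovecaptainamerica' compare equal."""
    folded = unicodedata.normalize("NFKC", secret).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def check_passphrase(secret: str, username: str = "", profile_terms=()) -> list:
    """Return the reasons a candidate is rejected; an empty list means accepted.
    No composition rules: digits and symbols are neither required nor rewarded."""
    reasons = []
    normalized = unicodedata.normalize("NFKC", secret)
    if len(normalized) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(normalized) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    canon = canonical(secret)
    if canon in COMMON_PHRASES:
        reasons.append("matches a commonly used phrase")
    # Context-specific check: the user's own name or publicly known interests
    # must not appear inside the passphrase (the article's Marvel-fan example).
    for term in (username, *profile_terms):
        t = canonical(term)
        if len(t) >= 4 and t in canon:
            reasons.append(f"contains personal term '{term}'")
    # A long run of one character satisfies the length rule but nothing else.
    if canon and len(set(canon)) < 4:
        reasons.append("too few distinct characters")
    return reasons


if __name__ == "__main__":
    for candidate in ("coffeebananaastronautsunshine", "ilovecaptainamerica",
                      "SV-$1RZQ-ulK", "CoffeeBanana#Astronaut123!"):
        print(candidate, "->", check_passphrase(candidate) or "accepted")
```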

Final Thoughts

The evolution of cyber threats necessitates a corresponding evolution in our security practices. The shift from complex, hard-to-remember passwords to longer, more secure passphrases is a step in the right direction. By embracing these new guidelines, we not only enhance our personal security but also contribute to a more secure digital environment overall.

Remember, the goal is to create a passphrase that is easy for you to remember but hard for others to guess. Take this opportunity to update your passwords and stay ahead in the ever-changing world of cybersecurity.