The National Institute of Standards and Technology (NIST) favors long passphrases over short, "complex" passwords. Passphrases improve an organization's security posture and reduce the risk of data breaches: they are longer, easier to remember, and more resistant to guessing and cracking attacks.
Passwords are out, and passphrases are in!
NIST's Digital Identity Guidelines, Special Publication 800-63B, treat passwords and passphrases alike as "memorized secrets" and favor length over forced complexity: verifiers must accept secrets of at least 8 characters, should permit at least 64 characters so that passphrases fit, and should not impose composition rules (section 5.1.1.2).
Passwords have been used for years to authenticate users to systems and applications. However, short passwords have become easier to compromise as password-cracking hardware, phishing, and other forms of social engineering have improved. Attackers obtain passwords through brute-force attacks, dictionary attacks, keyloggers, and credential leaks from breached sites.
Passphrases, on the other hand, offer an improved level of security compared to passwords. A passphrase is a string of words or other text used as a password. Passphrases offer several distinct and significant advantages:
Passphrases are longer than passwords.
Passphrases are typically longer than passwords because they are made up of multiple words. Length, not a mix of character classes, is what makes them harder to guess or crack: every added word multiplies the number of candidates an attacker must try. Users may add capitals, numbers, or symbols if it helps them remember, but NIST advises verifiers not to require them. Because a long passphrase is hard to guess, it also does not need to be changed on a schedule; NIST recommends replacing a memorized secret only when there is evidence it has been compromised.
Passphrases are easier to remember.
Passphrases are often easier to remember than passwords, as they can be based on a phrase or sentence that is familiar and unique to the user. This reduces the need for users to write down their password or fall back on easily guessable ones.
Passphrases are resistant to dictionary attacks.
A dictionary attack tries a list of commonly used words, phrases, and leaked passwords against an account or a stolen password hash. A single dictionary word, even with substitutions such as "@" for "a" or "0" for "o", falls quickly because cracking tools apply those substitutions automatically. A passphrase of several words holds up because the attacker must guess the whole combination, and the number of combinations grows multiplicatively with each word added. The caveat is that the combination must not itself be a single wordlist entry: famous quotations, song lyrics, and movie lines are already collected in cracking wordlists and are guessed as easily as a single word.
Passphrases can be just as easy to use as passwords.
SP 800-63B, Appendix A, explains: "Password length has been found to be a primary factor in characterizing password strength. Passwords that are too short yield to brute force attacks as well as to dictionary attacks using words and commonly chosen passwords…Research has shown, however, that users respond in very predictable ways to the requirements imposed by composition rules." Therefore, complexity injected by required numbers and special characters has a less favorable impact than simply enforcing length. The length is easy to get from a sentence that means something to the user but is not widely known. A well-known line from a popular song or poem is a poor choice, since such lines already appear in cracking wordlists; a line from an obscure favorite, or a sequence of randomly chosen words, is better.
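The two points above (a verifier that enforces length and a blocklist but no composition rules, and why several random words resist a dictionary attack while a famous quotation does not) as a worked example. This is an added illustration, not code from the original post, from Sedara, or from NIST; the wordlist and blocklist are tiny constructed stand-ins for a real diceware list and a breached-password corpus, and the 128-character cap and the canonicalized blocklist match are assumptions of this example rather than requirements of 800-63B.

```python
import math
import secrets
import unicodedata


def normalize(secret: str) -> str:
    """Apply Unicode NFKC before any comparison or hashing, as 800-63B requires."""
    return unicodedata.normalize("NFKC", secret)


def blocklist_key(secret: str) -> str:
    """Canonical form for blocklist lookup: lowercase, letters and digits only.

    This is stricter than the exact match 800-63B describes (an assumption of
    this example) so that 'To be, or not to be' still hits the stored entry.
    """
    return "".join(ch for ch in secret.lower() if ch.isalnum())


# Constructed stand-ins, not real lists: 25 words in place of the 7,776-word
# EFF diceware list, and a handful of entries in place of a breached-password
# corpus. A real deployment loads both from files.
WORDLIST = (
    "anchor basil cobalt delta ember falcon garnet harbor iris juniper "
    "kestrel lantern meadow nectar orchid pebble quartz raven saffron "
    "timber umber velvet willow yarrow zephyr"
).split()

RAW_BLOCKLIST = [
    "password", "password1", "p@ssw0rd", "letmein", "qwerty123",
    # Well-known lines end up in cracking wordlists too (constructed entries).
    "to be or not to be that is the question",
    "may the force be with you",
]
BLOCKLIST = {blocklist_key(entry) for entry in RAW_BLOCKLIST}

MIN_LEN = 8     # 800-63B 5.1.1.2: verifiers SHALL require at least 8 characters
MAX_LEN = 128   # policy cap, an assumption here; NIST says permit at least 64


def check_memorized_secret(secret: str, blocklist=BLOCKLIST):
    """Return (accepted, reason). Length and blocklist only, no composition rules."""
    s = normalize(secret)
    n = len(s)                      # count code points, not bytes
    if n < MIN_LEN:
        return False, "too short (minimum %d characters)" % MIN_LEN
    if n > MAX_LEN:
        return False, "too long (maximum %d characters)" % MAX_LEN
    if blocklist_key(s) in blocklist:
        return False, "commonly used, compromised or well-known phrase"
    return True, "accepted"


def generate_passphrase(n_words: int, wordlist=WORDLIST, sep: str = " ") -> str:
    """Pick words uniformly with a CSPRNG; strength comes from the word count."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def random_word_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Guessing entropy of n words chosen uniformly from a list of that size."""
    return n_words * math.log2(wordlist_size)


def random_char_entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a uniformly random string; an upper bound for human-chosen ones."""
    return length * math.log2(charset_size)


if __name__ == "__main__":
    candidates = [
        "abc",                                          # too short
        "P@ssw0rd",                                     # substitutions do not help
        "To be, or not to be: that is the question",    # famous line, one wordlist entry
        generate_passphrase(5),                         # random words
    ]
    for candidate in candidates:
        print("%-45s -> %s" % (candidate, check_memorized_secret(candidate)))
    print("8 random printable ASCII chars: %.1f bits" % random_char_entropy_bits(8, 95))
    print("4 words from a 7,776-word list:  %.1f bits" % random_word_entropy_bits(4, 7776))
    print("6 words from a 7,776-word list:  %.1f bits" % random_word_entropy_bits(6, 7776))
```

The entropy figures make the page's point concrete: four words drawn at random from a 7,776-word list (about 51.7 bits) match a fully random 8-character password (about 52.6 bits) while being far easier to remember, and a sixth word pushes the passphrase past 77 bits. The blocklist check shows the other side: a well-known quotation, however long, is rejected because it is a single entry an attacker would try early.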
How Can Sedara Help?
Take advantage of Sedara’s Cybersecurity Development Program (CDP)
- vCISO – provides executive-level leadership in cybersecurity, risk, strategic development, and program management to build, develop, and mature an organization’s cybersecurity program.
- Assessments – a comprehensive review of your existing cybersecurity environment to help you uncover risks, gaps, and vulnerabilities that you may not be aware of.
- Penetration Test – Sedara’s Red team mimics real-world attacks on your network, applications, devices, and people to evaluate the hackability of your key systems and infrastructure – providing a real-world demonstration of your vulnerabilities and weaknesses.
Links to Further Reading
What is a vCISO – Whiteboard Series