Last week I discussed the need for all passwords to be at least 12-18 characters long to remain safe. While that is an absolute security requirement, we all know that our users are going to be pretty upset with this policy change. Also, these long gibberish passwords lend themselves to being cached in browsers (which you should already be blocking for all browsers) or, worse, to being written down and taped to the user's monitor.
However, a passphrase is an alternative way to remember a longer password. For instance, pick four random words that have no relationship to one another:
correct horse battery staple
That password is almost unbreakable: it would take approximately 550 years to break at 1,000 guesses a second.
That password is easy to remember and much better than whatever 18-character semi-gibberish you are now required to type to be safe.
For the last 20 years, we have successfully trained users to use passwords that are extremely hard for humans to remember but extremely easy for computers to guess.
That has to change.
We have a problem: we have known for a while now that passphrases are a better way to do passwords. However, auditors, granular password policies, and historical standards have criticized and/or prevented us from using these stronger, easier-to-remember passwords.
I believe this conflict can be resolved simply.
correct horse battery staple can become Correct horse battery staple2#, which magically meets those same standards while dramatically strengthening the user's password and is still rather easy to remember.
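As an added illustration that is not part of Scott's newsletter, the script below puts numbers behind the two points above: it computes the entropy of a random four-word passphrase, turns that into a time-to-exhaust figure at a given guess rate, and then checks whether the plain phrase and the Correct horse battery staple2# variant satisfy a typical audit-style complexity rule. The 2,048-word list size is my assumption (about 11 bits per word); it reproduces the roughly 550-year figure at 1,000 guesses a second. The short word list, the function names and the policy rule are constructed for the demo, not taken from any real standard or product.

```python
import math
import secrets
import string

# Constructed sample word list for the demo. Assumption: a real deployment
# loads a large list (a few thousand words); the list size sets the entropy.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "window", "carbon", "island",
    "pencil", "rocket", "garden", "silver", "planet", "button", "marble",
    "forest", "candle",
]


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of word_count words chosen uniformly from a list of wordlist_size."""
    return word_count * math.log2(wordlist_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every possibility at the given guess rate."""
    seconds = 2.0 ** bits / guesses_per_second
    return seconds / (365 * 24 * 3600)


def generate_passphrase(wordlist, word_count: int = 4, sep: str = " ") -> str:
    """Pick words with the secrets module (a CSPRNG), never random.choice."""
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


def meets_legacy_policy(password: str, min_length: int = 12) -> bool:
    """Typical audit rule (constructed): min length plus upper, lower, digit and symbol."""
    return (
        len(password) >= min_length
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def adapt_to_policy(passphrase: str, suffix: str = "2#") -> str:
    """Capitalise the first letter and append a digit/symbol suffix."""
    return passphrase[:1].upper() + passphrase[1:] + suffix


if __name__ == "__main__":
    bits = passphrase_entropy_bits(4, 2048)  # assumption: 2,048-word list
    print(f"4 words from 2048: {bits:.1f} bits")
    for rate in (1_000, 1_000_000_000):
        print(f"  {rate:>13,} guesses/s -> {years_to_exhaust(bits, rate):,.4f} years")
    phrase = "correct horse battery staple"
    print(phrase, "->", meets_legacy_policy(phrase))
    adapted = adapt_to_policy(phrase)
    print(adapted, "->", meets_legacy_policy(adapted))
    print("fresh sample:", generate_passphrase(SAMPLE_WORDS))
```

Running it shows the 550-year figure holds only for an online attacker throttled to 1,000 guesses a second; at the billion-guesses-a-second rate of an offline attack on a stolen hash, the same 44 bits are exhausted in under five hours, which is why the word count and the size of the word list matter as much as the prefix and suffix that satisfy the auditor. The passphrase generator uses the secrets module so the words are drawn from a cryptographically secure source.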
If you aren't preventing password caching in your browsers or need help revamping your password complexity policy, let us know.
-Scott Quimby, CISSP
P.S. The next CSI Cybersecurity Event is Wednesday, December 6th. Contact Lisa for details.