Are Passwords Dead?
In 2021, CompTIA (the Computing Technology Industry Association) recommended transitioning away from passwords and starting to use passphrases.
Auto-generated passwords are standard in almost every business and organization these days, so the recommendation was surprising. As we started to implement it in our own business, we couldn't help but wonder: are passwords dead?
As attackers became more capable, the rules for creating passwords grew more complex. The earlier recommendations, a minimum length, mandatory character classes and frequent forced renewals, pushed people toward predictable patterns: a capital letter first, a digit and a symbol last, a counter or a season bumped at each reset. Attackers catalogued those patterns, so the rules inadvertently built the wordlists and mangling rules now used against them.
There is also the human aspect. As passwords got more complicated, it became almost impossible to remember random combinations of letters, numbers and special characters. This led to people relying on notes, password vaults, or simple repeated patterns such as AaBBc123!@!#. Each of these creates its own problems.
- Notes are exposed to shoulder surfing and to outright theft.
- Password vaults concentrate every credential in one place and so become a target. Most vaults also sync across devices, so a lost phone can turn into a breach that stretches across multiple platforms. Some vaults autofill credentials, meaning that once a device is compromised, many systems can be reached without further input from the attacker. Google Password Manager, which autofills in Chrome and on Android, is an example. A vault is only as safe as the device lock and master password in front of it.
- Simple passwords are easily guessed, and the common ones are already in the dictionaries used by password-cracking tools such as John the Ripper. Offline, against a leaked list of password hashes, such tools try millions of passwords per hour. Against a live login the limiting factor is the lockout policy, and many site and network owners relax it to keep sign-in painless, so a generous number of attempts is allowed before lockout and the lockout itself is short. By default, Microsoft 365 allows 10 failed sign-in attempts before locking the account for 60 seconds, with later lockouts lasting longer. Even at that rate an attacker can submit thousands of guesses a day, so a password that appears near the top of a common-password list can fall within 48 hours using readily available tools.
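To put the lockout numbers above into perspective, here is an added example (written for this page, not code from the original post or from Microsoft) that models the guessing budget an attacker gets against a live login under a 10-attempt, 60-second lockout policy, and how quickly a password that sits near the top of a common-password list falls. The policy class, the growth factor for later lockouts, the one-second round trip per guess and the COMMON_PASSWORDS list are assumptions made for illustration.

```python
"""
Added example (not from the original post): model the online guessing budget an
attacker gets against an account that relies on a lockout policy, and how long a
given password survives an ordered dictionary walk under that policy.

Assumptions, all labelled: the default policy mirrors the Microsoft 365 figures
the post cites (10 failures, then a 60 s lockout); the growth factor for later
lockouts, the per-guess round-trip time and the wordlist are constructed for
illustration and are not taken from any real tool, tenant or breach.
"""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int = 10           # failed attempts tolerated before a lockout
    base_lockout_s: float = 60.0  # length of the first lockout
    growth: float = 1.0           # multiplier for each later lockout (assumption; 1.0 = constant)
    attempt_s: float = 1.0        # round trip per guess against a web login (assumption)


M365_DEFAULT = LockoutPolicy()


def guesses_in_window(window_s: float, policy: LockoutPolicy = M365_DEFAULT) -> int:
    """Largest number of guesses an attacker can submit within window_s seconds.

    The attacker guesses as fast as the policy allows and waits out every
    lockout; every guess is assumed wrong, which maximises the budget.
    """
    elapsed = 0.0
    lockout = policy.base_lockout_s
    guesses = 0
    while elapsed + policy.attempt_s <= window_s:
        elapsed += policy.attempt_s
        guesses += 1
        if guesses % policy.threshold == 0:
            elapsed += lockout
            lockout *= policy.growth
    return guesses


def seconds_for_guesses(n: int, policy: LockoutPolicy = M365_DEFAULT) -> float:
    """Wall-clock time to submit n guesses, the n-th being the successful one
    (so no lockout is served after it)."""
    elapsed = 0.0
    lockout = policy.base_lockout_s
    for i in range(1, n + 1):
        elapsed += policy.attempt_s
        if i % policy.threshold == 0 and i < n:
            elapsed += lockout
            lockout *= policy.growth
    return elapsed


def time_to_guess(target: str, wordlist: Sequence[str],
                  policy: LockoutPolicy = M365_DEFAULT) -> Optional[float]:
    """Seconds until an attacker walking wordlist in order hits target,
    or None if target is not in the list at all."""
    for position, candidate in enumerate(wordlist, start=1):
        if candidate == target:
            return seconds_for_guesses(position, policy)
    return None


# Constructed stand-in for a "most common passwords" list, most common first.
# Illustrative only; real lists run to millions of entries.
COMMON_PASSWORDS = [
    "123456", "password", "qwerty", "Password1", "123456789", "12345678",
    "letmein", "Welcome1", "abc123", "iloveyou",
    "Password123", "admin", "Summer2021!", "Winter2021!", "Passw0rd!",
    "monkey", "dragon", "football", "Qwerty123", "P@ssw0rd",
]


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of a fixed length drawn from an alphabet."""
    return alphabet_size ** length


if __name__ == "__main__":
    two_days = 48 * 3600
    budget = guesses_in_window(two_days)
    print(f"guesses possible in 48 h under the default policy: {budget}")
    print(f"fraction of the 8-char printable-ASCII space covered: "
          f"{budget / search_space(94, 8):.2e}")
    for pw in ("Password1", "Summer2021!", "H3lp Find D0g!"):
        t = time_to_guess(pw, COMMON_PASSWORDS)
        print(f"{pw!r}: {'not in list' if t is None else f'{t:.0f} s'}")
```

Run it and the budget comes out at under 25,000 guesses in 48 hours. That is nothing against the roughly 6×10^15 eight-character passwords a generator can produce, but it is plenty to walk a top-common-passwords list, which is why the attack described above works against weak or reused passwords and not against random ones. Set growth above 1.0 to see how quickly escalating lockouts shrink the budget further.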
To give you an example, the Manitoba Institute of Trades and Technology employs white-hat hackers on its staff, who teach the security portion of its programs. In one class they attempted to breach a basic home Microsoft 365 account protected by an auto-generated password that met the minimum system requirements. Using online tools and password dictionaries, they breached the account in less than six hours.
Afterward, they repeated the experiment with a passphrase in place of the password, again on a basic home Microsoft 365 account. This time it took the hackers a month to get in. Most attackers do not have the time or resources to spend a month on a single account and would have moved on to easier or higher-value targets.
So, what is a passphrase and why does it work?
A passphrase is similar to a password but is built from words, so it uses the available characters more effectively. An example would be H3lp Find D0g!. That passphrase uses 14 of the 16 characters the account in the experiment allowed (check the maximum your own tenant enforces and use as much of it as you can; length is what costs an attacker the most). The phrase is easy to remember and does not need a password vault. That removes one exposure: a phrase you carry in your head cannot be lifted from a vault or a note.
To take this simple passphrase further, reorder the words so they no longer read as a sentence, for example D0g! H3lp Find. Still easy to remember. Add surrounding quotation marks and you reach the maximum character count. Where spaces are not allowed, underscores work as well.
In organizations that rotate passwords on a schedule, the phrase can be changed while its foundation is retained. Most organizations won't allow a password to be reused more than once every ten changes. Let's count how many variants this passphrase yields.
- H3lp Find D0g!
- D0g! H3lp Find
- D0g ! helpfind
- H3lp D0g Find!
- Find d0g! H3lp
- FindD0G !h3lp
- D0g h3lp! Find
- H3lp! Find D0g
- H3lpD0g !Find
- H3lp D0gFind!
We stopped at ten. Add the quotation marks and you are easily at twenty. Change the "3" in H3lp back to an "e" and the count multiplies again while the phrase stays memorable. One caveat before you adopt this: every variant is the same three words, so the scheme satisfies a password-history rule, but it does not add strength. Anyone who has seen one old value (a note, a leaked credential) can reach the rest in a few thousand tries at most, and cracking tools apply exactly these reorderings and letter swaps as rules. The protection comes from the words themselves being unguessable, not from the reshuffling.
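The reordering described before the list and the ten variants above are one scheme, so here is a single added example (mine, not from the original post) that enumerates every passphrase that scheme can reach from the words Help, Find and Dog and compares the size of that set with two genuinely random designs. The transformation rules are read off the list above; the Diceware list size (7,776 words) and the 94-character printable alphabet are standard figures used only for comparison.

```python
"""
Added example, not from the original post: enumerate every passphrase the
rotation scheme above can produce from the three words Help / Find / Dog, so
the size of that set (and so how little it helps against someone who already
knows one member of it) can be measured rather than estimated.

Assumptions: the transformations modelled (word order, e->3 and o->0
substitutions, lower/Title/UPPER case per word, space, underscore or no
separator, a '!' after at most one word, optional surrounding quotes) are read
off the post's own list; the word-list and alphabet sizes in compare_bits()
are for comparison only and are not Microsoft 365 specifics.
"""
from itertools import permutations, product
from math import log2
from typing import Dict, List, Set

WORDS = ("Help", "Find", "Dog")
LEET = {"e": "3", "o": "0"}
SEPARATORS = (" ", "_", "")


def leet_variants(word: str) -> List[str]:
    """Every spelling of word with any subset of its e/o letters swapped."""
    positions = [i for i, ch in enumerate(word) if ch.lower() in LEET]
    out = []
    for mask in product((False, True), repeat=len(positions)):
        chars = list(word)
        for swap, i in zip(mask, positions):
            if swap:
                chars[i] = LEET[chars[i].lower()]
        out.append("".join(chars))
    return out


def case_variants(word: str) -> Set[str]:
    """lower, Title and UPPER forms (digits from a leet swap are unaffected)."""
    return {word.lower(), word.capitalize(), word.upper()}


def word_forms(word: str) -> Set[str]:
    """All spellings of one word under the leet and case rules combined."""
    return {c for leet in leet_variants(word) for c in case_variants(leet)}


def rotation_variants(words=WORDS) -> Set[str]:
    """All passphrases reachable from the post's rotation rules."""
    variants = set()
    for order in permutations(words):
        for spelled in product(*(sorted(word_forms(w)) for w in order)):
            for sep in SEPARATORS:
                # bang == len(spelled) means "no exclamation mark at all"
                for bang in range(len(spelled) + 1):
                    parts = list(spelled)
                    if bang < len(parts):
                        parts[bang] += "!"
                    phrase = sep.join(parts)
                    variants.add(phrase)
                    variants.add('"' + phrase + '"')
    return variants


def bits(choices: int) -> float:
    """Entropy in bits of a uniformly random pick among `choices` values."""
    return log2(choices)


def compare_bits() -> Dict[str, float]:
    """Guessing effort for the rotation set versus two genuinely random designs.

    7776 is the size of a standard Diceware word list; 94 is the printable
    ASCII alphabet a password generator typically draws from (assumptions
    used for comparison only)."""
    return {
        "rotation_of_three_known_words": bits(len(rotation_variants())),
        "three_random_diceware_words": bits(7776 ** 3),
        "fourteen_random_ascii_chars": bits(94 ** 14),
    }


if __name__ == "__main__":
    variants = rotation_variants()
    print(f"{len(variants)} distinct variants; 'H3lp Find D0g!' included: "
          f"{'H3lp Find D0g!' in variants}")
    for name, b in compare_bits().items():
        print(f"{name:32s} {b:5.1f} bits")
```

The whole set is 15,552 strings, just under 14 bits: trivial for an offline cracker and, at ten guesses a minute against a live login, roughly a day. The spellings in the list with a standalone "!" or mixed separators (D0g ! helpfind) need one more rule, which multiplies the set by a small constant without changing the picture. Compare the 38.8 bits of three words chosen at random from a 7,776-word list, or the 91.8 bits of fourteen random printable characters: the strength of a passphrase is in the choice of words, not in the reshuffling.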
Are passwords dead?
Absolutely not! When you create a temporary login or a new account for someone else, a password generator is still the best tool. Auto-generated passwords are also the right choice when you share something that carries its own password, such as a OneDrive or Google Drive link, an Excel spreadsheet or a PDF. Shared access is routine in IT administration. If you are looking for a password generator, ask us about LastPass Business.
If you find passwords confusing and want help creating a cybersecurity plan for your organization, contact us today. One of our IT Specialists will help you design a plan that fits your needs.