Four Reasons Why Passphrases Are Better Than Passwords
September 03, 2019
By EisnerAmper’s Information Security Cabinet
As of 2019, it is estimated that business computer users maintain an average of nearly 200 personal and professional accounts that require an individual login. At the same time, more than 80% of data breaches are traced back to exploited or cracked authentication. Security experts have surmised that as an individual accumulates more accounts requiring passwords, he or she will use simpler or more repetitive passwords that are easier to remember. To help prevent a data breach, biometrics and password managers, such as LastPass, are recommended. Where passwords are necessary, a preferred alternative to traditional passwords is the “passphrase.”
Unlike passwords, which are usually only one word with numbers and special characters mixed in, a passphrase is often a sentence or phrase such as "Makemyorder2go." Testing has shown that an authentication entry with more characters is less likely to be cracked than a shorter one. Passphrases are better than passwords because:
- Passphrases are easier to remember. It’s easier to remember a phrase from your favorite song or your favorite quotation than to remember a short but complicated password.
- Longer passphrases are more difficult to guess or crack. Passphrases are far less likely to be cracked using modern equipment. Recent testing on a supercomputer simulating a botnet showed that a standard eight-character password could be cracked within eight minutes. For a 12-character entry of the same complexity, the projected completion time increased to nearly 30 years.
- Passphrases easily satisfy most login complexity requirements, mainly through the use of punctuation, upper- and lowercase letters, and the replacement of letters with numbers (e.g., 3 instead of E; 5 instead of S).
- All major operating systems—including Windows, Linux and Mac—allow passphrases of up to 127 characters. This grants you the freedom to enter a full sentence that would be easy for you to remember and nearly impossible for an attacker to guess.
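To make the four points above concrete, here is an added example (not from the bulletin) of a simple passphrase policy check that enforces a minimum length, the 127-character operating-system limit the bulletin cites, and the character-class mix it describes, together with a rough measure of how the brute-force search space grows with length. The 12-character minimum, the three-class requirement and the 95-character alphabet are assumptions chosen for illustration.

```python
import math
import string

# Assumptions for this example: a 12-character floor (the bulletin contrasts
# 8- and 12-character entries) and the 127-character OS ceiling it mentions.
MIN_LENGTH = 12
MAX_LENGTH = 127

# Size of each complexity class when every printable ASCII symbol is allowed;
# space is counted with the symbols because passphrases often contain it.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10,
               "symbol": len(string.punctuation) + 1}


def character_classes(phrase: str) -> set:
    """Return the set of complexity classes actually present in the phrase."""
    classes = set()
    for ch in phrase:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation or ch == " ":
            classes.add("symbol")
    return classes


def brute_force_bits(phrase: str) -> float:
    """Bits of work for an exhaustive search over the classes the phrase uses.
    This is an upper bound: a phrase made of dictionary words falls faster
    than this figure suggests, which is why mixing classes still matters."""
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(phrase))
    return len(phrase) * math.log2(alphabet) if alphabet else 0.0


def search_space_ratio(longer: int, shorter: int, alphabet: int = 95) -> int:
    """How many times larger the brute-force space is for `longer` characters
    than for `shorter`, at the same per-character alphabet (assumed 95)."""
    return alphabet ** longer // alphabet ** shorter


def check_passphrase(phrase: str, min_classes: int = 3) -> list:
    """Return the list of policy failures; an empty list means accepted."""
    problems = []
    if len(phrase) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(phrase) > MAX_LENGTH:
        problems.append(f"longer than the {MAX_LENGTH}-character OS limit")
    if len(character_classes(phrase)) < min_classes:
        problems.append(f"uses fewer than {min_classes} character classes")
    return problems
```

Running `check_passphrase("Makemyorder2go.")` returns an empty list, while a classic eight-character password fails on length alone, and `search_space_ratio(12, 8)` shows that four extra characters multiply the search space by 95 to the fourth power.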
Beware of Email Ploys with Links to Microsoft OneDrive Accounts
Cybersecurity experts report that 2019 has seen a 60% increase in the use of Microsoft OneDrive cloud storage accounts to host malicious files. Attackers take advantage of Microsoft’s status as a trusted domain to deliver links to viruses, which allows the malicious content to avoid being scanned by the recipient’s security controls.
If you receive an unsolicited or unexpected message with an MS OneDrive download link from an unknown sender, do not open it. If it appears to be from someone you know, it may still be fictitious even if the email address looks legitimate. Call or send a new email to the presumed sender using previously established contact information (avoid replying to the original email in case it is fictitious) and confirm that he or she sent it.
The Capital One Data Breach and How to Protect Your Data
On July 29, it was reported that a Seattle software engineer hacked into a server for Capital One and stole personally identifiable information from more than 100 million customers. Included in the exposed data were 140,000 Social Security numbers, 80,000 bank account numbers, and millions of credit card applications submitted between 2005 and 2019.
If you maintain a checking, savings, credit card or other financial account with Capital One, it is recommended to take the following precautionary measures to protect your personal information and funds:
- Contact the bank and request your payment card numbers (credit and/or debit) be changed. If you have automatic payments routed through these cards, Capital One should be able to assist in making sure the next scheduled payments are not interrupted.
- Check for suspicious activity on your credit or debit cards. As stated in previous bulletins, the bank is more likely to credit back a fraudulent charge if it is reported immediately (within three to four days).
- Initiate a credit freeze. One of the first actions criminals take with stolen credit card applications is to open fraudulent lines of credit in the victim’s name. If you applied for a Capital One credit card as early as 2005, it would be advisable to contact one of the three credit bureaus (Equifax, Experian, or TransUnion) and establish a hold where no new lines of credit can be opened without authorization.
- Review identity theft protection services. If you believe this or any other breach puts you at risk of identity theft, the Federal Trade Commission offers free information on verified monitoring and recovery services.