Why I Broke Up with Passwords

Garrett Poorbaugh
Published: May 30, 2022
Last Updated: June 30, 2022 11:07 PM

The Anatomy of Passwords

Passwords are all around us these days. From the accounts we log into our computers with to the Amazon accounts we order dog food from, there’s no shortage of passwords we are supposed to keep tabs on. The problem is that for the last decade or so of creating these passwords, many of us have been misinformed about the right way to go about it or have been practicing bad hygiene. There’s no reason to feel bad either; passwords can feel robotic, and it’s only in the last couple of years that we’ve been given real recommendations on how to make them. Using the password “Your password is terrible” as an example, we can learn how to craft new passwords that are easier on us and harder on attackers.

For most people, the common answer to “How do you make a secure password?” is a word followed by some numbers or maybe special characters. Something along the lines of “Gary175!” would fit the bill. The idea is that tacking those numbers or characters onto the word makes the password harder to crack. However, computers don’t think the way we do; even though a “#” may seem more complicated than an “a” to us, a computer sees them as two different but equal Unicode characters, and neither is any more confusing to crack than the other. Combine this with the misconception that passwords need to be rotated as often as every other month, and you have a recipe for passwords that turn into “Gary175!@#$%^” over the course of a year. Even though a year of appending Shift plus the next special character in the row may make the password harder for a computer to brute-force because of its length, a criminal will have no problem taking advantage of a commonly found pattern like this. Criminals even have large repositories of compromised passwords to draw on as a starting point, and if they recognize a pattern such as this in any of your passwords, old or new, it only takes a handful of attempts to make their way to your latest “version”.

Our passwords should be more complex than a Scrabble game....

Why "Passphrase" is the new "Password"

If these are the wrong ways, what are the right ways? The answer lies in transforming your pass-words into pass-phrases. Instead of making a single word and appending special characters to it, take a phrase that is easy to remember. I like to work on cars in my free time, and an easy phrase for me is “Why is my car always broken?”. This is both easy for me to relate to and far more complex than a word with special characters or numbers added to it. From the computer’s perspective, a password of “Racecar8!” takes 3 weeks to crack, while my passphrase of “Why is my car always broken?” takes 5 decillion years. Once you have your passphrase down, it’s safe to assume it won’t be cracked anytime soon. That leaves one aspect that is commonly out of our control: how often we are required to change it. Many employers require employees to change their passwords constantly, but this only compounds the problem mentioned earlier and ends up reducing security. If you tuned in to the last article on Zero Trust, you know that the best security isn’t always prevention; often it is detection. Passwords are better changed as needed, such as when they are suspected to be compromised, rather than on a set schedule.
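To put rough numbers on the two arguments above (the appended-symbol pattern and the passphrase comparison), here is an added Python estimate that is not part of the original article. The 10,000-word dictionary, the 10^10 guesses per second rate, and the "word + digits + shifted number-row run" attacker model are assumptions, not figures from the article.

```python
import math
import string

# Character classes. A brute-force attacker who assumes a class is present
# must cover every member of it, so a "#" costs no more to guess than an "a".
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " "]


def alphabet_size(secret: str) -> int:
    """Size of the alphabet implied by the character classes the secret uses."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in secret))


def brute_force_bits(secret: str) -> float:
    """Naive estimate: every string of the same length over that alphabet."""
    return len(secret) * math.log2(alphabet_size(secret))


def word_pattern_bits(dictionary_size: int, digit_count: int, max_symbol_run: int) -> float:
    """Pattern-aware estimate (assumed attacker model) for 'Word + digits +
    shifted number-row run': a dictionary word, capitalised or not, then
    digits, then a symbol run whose only free choice is its length."""
    return (math.log2(dictionary_size * 2) + digit_count * math.log2(10)
            + math.log2(max_symbol_run))


def phrase_word_bits(word_count: int, vocabulary_size: int) -> float:
    """Passphrase guessed word by word from a common-word list instead of
    character by character; a more honest lower bound for a phrase."""
    return word_count * math.log2(vocabulary_size)


def years_to_crack(bits: float, guesses_per_second: float = 1e10) -> float:
    """Time to exhaust 2**bits guesses; the guess rate is an assumption."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    rotated = "Gary175!@#$%^"                # the article's year-of-rotations password
    phrase = "Why is my car always broken?"  # the article's passphrase (6 words)
    for label, bits in [
        (f"{rotated!r} brute force", brute_force_bits(rotated)),
        (f"{rotated!r} pattern-aware", word_pattern_bits(10_000, 3, 10)),
        (f"{phrase!r} brute force", brute_force_bits(phrase)),
        (f"{phrase!r} six common words", phrase_word_bits(6, 10_000)),
    ]:
        print(f"{label:48} {bits:6.1f} bits  {years_to_crack(bits):10.3g} years")
```

Even under the word-level model that favours the attacker, the six-word phrase comes out far ahead of the rotated password once the appended-symbol pattern is recognised.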

To see this idea in the real world, think of your car key. The key itself is complex, and on modern cars it is extremely difficult to crack. This works because the complexity of the grooves outstrips the time a thief could spend imitating the design. A passphrase is similar, relying on length and on phrases that are hard to predict and long enough not to be imitated easily. Car keys also don’t change; the only reason to change one is if it is suspected to have been stolen, just like our passphrases.

Just like car keys have evolved, so should our password habits....

Conclusion

Creating passwords is something we won’t be escaping from for a good while. Passwordless solutions are on the way, but passwords are here to stay for now, and figuring out how to make them harder on attackers and easier on ourselves is a step closer to better protection. The next time you go to type in a new password, resist using your favorite word with a number and an exclamation point and instead opt for a memorable phrase that will leave attackers scratching their heads.

Security Connections to Remember

  • Password requirements such as complexity are not as secure as once thought.
  • Passphrases are stronger due to unpredictability and length.
  • We should start replacing the word "Password" with "Passphrase".


Copyright © 2022 Security Connections. All rights reserved.
