
The Best Password Is a Passphrase

Experts say security incidents may evolve from year to year, but one thing has remained the same: Compromised passwords are still a leading contributor to successful attacks.

According to the 2019 Verizon Data Breach Investigations Report, 80 percent of data breaches were caused by weak or compromised passwords.

When you use a weak password, you open the door for criminals to steal your money or sensitive data.

Brian Krebs, author of KrebsOnSecurity.com, a daily blog covering computer security and cybercrime, says that controlling the quality of the passwords you pick can minimize the threat. According to Krebs:

Do not re-use passwords. And don’t recycle them either. Recycling involves rather lame attempts to make a reused password unique by simply adding a digit or changing the capitalization of certain characters. Crooks that specialize in password attacks are wise to this approach as well.

If you have trouble remembering complex passwords (and this describes most people), consider relying instead on password length, which is a far more important determiner of whether a given password can be cracked by available tools in any timeframe that might be reasonably useful to an attacker.

In that vein, it’s safer and wiser to focus on picking passphrases instead of passwords. Passphrases are collections of multiple (ideally unrelated) words mushed together. Passphrases are not only generally more secure, they also have the added benefit of being easier to remember.

Passphrase creation
Here are three steps to take when setting up a passphrase:

  1. Make your passphrase a sentence: A strong passphrase is a sentence that is at least 12 characters long. Focus on positive sentences or phrases that you like to think about and are easy to remember (for example, “I love country music.”). On many sites, you can even use spaces!
  2. Unique account, unique passphrase: Having separate passphrases for every account helps to thwart cybercriminals. At a minimum, separate your work and personal accounts and make sure that your critical accounts have the strongest passphrases.
  3. Write it down and keep it safe: Everyone can forget a passphrase. Keep a list that’s stored in a safe, secure place away from your computer. Alternatively, you can use a service like a passphrase manager to keep track of your passphrases.
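
The two points above, that length matters more than character variety and that a "recycled" password is not a new one, can be checked in a few lines of Python. This is an added example, not code from Tower or KrebsOnSecurity.com; the function names, the 16-word sample list, the 94-character printable set and the 7,776-word list size are assumptions, and the bit counts hold only when every character or word is picked at random.

```python
import math
import re
import secrets

# Constructed 16-word list so the block runs offline (4 bits per word).
# Real use needs a list of thousands of words.
SAMPLE_WORDS = ["anchor", "breeze", "candle", "dragon", "ember", "fossil",
                "garden", "harbor", "island", "jungle", "kettle", "lantern",
                "meadow", "nickel", "orchid", "pepper"]

def random_bits(picks: int, choices: int) -> float:
    """Entropy in bits when each of `picks` symbols is uniform over `choices`."""
    return picks * math.log2(choices)

def generate_passphrase(words, count, sep=" "):
    """Draw `count` words with a CSPRNG; return (phrase, entropy in bits)."""
    pool = sorted(set(words))  # duplicates would skew the draw
    phrase = sep.join(secrets.choice(pool) for _ in range(count))
    return phrase, random_bits(count, len(pool))

def base_form(password: str) -> str:
    """Undo the cosmetic edits the article calls recycling: changed
    capitalization and digits or symbols tacked onto either end."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password.lower())

def is_recycled(candidate: str, previous) -> bool:
    """True if `candidate` matches an earlier password after base_form().
    Meant for change time, when the user has just typed the old password."""
    base = base_form(candidate)
    if not base:  # all digits/symbols: fall back to an exact match
        return candidate in previous
    return any(base == base_form(old) for old in previous)

if __name__ == "__main__":
    phrase, bits = generate_passphrase(SAMPLE_WORDS, 5)
    print(f"{phrase!r}: {bits:.0f} bits from this 16-word demo list")
    print(f"8 random printable chars:  {random_bits(8, 94):.1f} bits")
    print(f"12 random lowercase chars: {random_bits(12, 26):.1f} bits")
    print(f"5 words from 7776:         {random_bits(5, 7776):.1f} bits")
    print(is_recycled("Sunshine2!", ["sunshine1"]))
```

Twelve random lowercase letters already carry more entropy than eight random characters drawn from the full printable set, and five random words from a large list carry more still.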

Other ways to secure an account
Typing a username and passphrase to access a website isn’t the only way to identify yourself on the web services you use.

Fortify your online accounts by enabling the strongest authentication tools available, such as biometrics, security keys or a unique one-time code through an app on your mobile device. Your usernames and passphrases are not enough to protect key accounts like e-mail, banking and social media.

Tower’s Home Banking login uses multifactor authentication (MFA). When you log in to Home Banking, MFA identifies you as the true owner of your account by recognizing not only your password but also any computer that you log in from regularly. If your computer is not recognized, you will be asked to authenticate your identity by entering a one-time passcode that you will receive by automated phone call or text. Our mobile app uses encryption technology.

If fraud does occur, it’s hard to get better than zero liability, and that’s what you have with Tower’s debit and credit cards. You are not responsible for fraudulent transactions on your account. Check your accounts often and immediately notify us if you notice any errors.

Over time, more websites will be adopting strong authentication. In some cases, the services may be available but are not required.

Many e-mail and social media services offer strong authentication on an opt-in basis. Ask your online service providers if they offer strong authentication or additional ways to verify your identity.

Resources: Verizon, KrebsOnSecurity.com, NCSAM