Are long passphrases the answer to password problems?

Passphrases can be more secure than passwords, but there are limitations and hackers will eventually master cracking them.

NIST’s relatively new password recommendations, which include not using long, complex passwords that are frequently changed, are turning the computer security world on its head. Many security practitioners simply refuse to believe the new advice.

I get it.

The new advice overturns decades of previous advice, from the same organization that told us to trust the previous, 180-degree different advice, no less.

But times change. Hacking methods change. What used to stop the day’s most popular attacks no longer works quite as well. It should be expected that attackers moved on to other, more successful methods once passwords started to get harder to crack. Or have they?

Kevin Mitnick, chief hacking officer for KnowBe4, Inc. (my full-time employer), kills that supposed fact with his latest video. In it, he cracks a 17-character, complex password in 31 seconds. Because of this, Mitnick recommends using simple, long passphrases (also known as “PassSentences”) of 25 characters or more, something like “I like to go to the beach to get wet.” Kevin also recommends using a good password manager to manage your passphrases.
