I’ll have no sympathy for the passphrase-cracker
Another caveat is that it’s better to steer clear of phrases that have made it into the everyday lexicon. Entire books, famous quotes, or lyrics – sing ‘Pleased to meet me, hope you guess my name’ as a somewhat extreme example that is not to be taken literally – already tend to be part of the fodder of password-cracking tools. The individual words should be in random order and, ideally, sprinkled with special characters and character substitutions, all the while retaining a hidden meaning and memorability for their creator.
Then, of course, each passphrase needs to be distinct for each account, so that a leak of one of your passphrases doesn’t reverberate through your other, and possibly more valuable, accounts. Alas, the dangerous practice of password recycling is ubiquitous, and attackers can exploit it with ease using an automated technique known as ‘credential stuffing’.
It’s quite likely that you use too many online accounts to remember a distinct passphrase for each of them, in which case it’s worth considering a reputable vault/manager that encrypts your password storage and takes away much of the pain that password management involves. Of course, such a tool can also generate randomised and complex passwords and passphrases for you.
While you should then need to remember only one master password that, ultimately, opens all your online accounts, the pressure will be on the sturdiness and uniqueness of this one key to your digital kingdom – so it’s back to the suggestions above.
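To make the advice above concrete, here is an added example (not code from the original article or from its author) of how a passphrase generator of the kind a password manager bundles works: words are drawn uniformly and in random order from a word list using the operating system’s CSPRNG, a substitution and a capital letter are sprinkled in, and a second check reverses those same substitutions to show that a famous lyric does not become strong just because its letters were swapped. The word list, the substitution map and the set of “known phrases” are all constructed for the demo; a real generator would use a list of several thousand words.

```python
import math
import secrets

# Constructed demo word list. A real generator draws from a list of several
# thousand words (diceware-style); the list size is what drives the entropy.
WORDS = [
    "anchor", "basket", "cobalt", "dolphin", "ember", "falcon", "garnet",
    "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nectar",
    "orbit", "pepper", "quartz", "ripple", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zephyr", "anvil", "bishop", "canyon",
    "dagger", "eclipse", "fossil", "glacier",
]

# Constructed substitution map. Cracking tools apply exactly these rules, so
# substitutions add memorability, not meaningful strength.
SUBSTITUTIONS = {"a": "@", "e": "3", "i": "!", "o": "0", "s": "$"}
REVERSE = {v: k for k, v in SUBSTITUTIONS.items()}
SEPARATORS = "-_.+*"


def entropy_bits(wordlist_size: int, n_words: int) -> float:
    """Entropy of n_words picked uniformly, independently and with
    replacement from wordlist_size words: n * log2(size)."""
    return n_words * math.log2(wordlist_size)


def sprinkle(word: str, rng) -> str:
    """Apply at most one substitution and randomly capitalise the first letter."""
    chars = list(word)
    candidates = [i for i, c in enumerate(chars) if c in SUBSTITUTIONS]
    if candidates:
        i = rng.choice(candidates)
        chars[i] = SUBSTITUTIONS[chars[i]]
    if rng.random() < 0.5:
        chars[0] = chars[0].upper()
    return "".join(chars)


def generate_passphrase(n_words: int = 6, words=WORDS, rng=None) -> str:
    """Pick n_words at random (so their order is random too) and join them
    with a random separator. rng needs choice() and random(); the default,
    secrets.SystemRandom, is backed by the OS CSPRNG."""
    rng = rng or secrets.SystemRandom()
    chosen = [sprinkle(rng.choice(words), rng) for _ in range(n_words)]
    return rng.choice(SEPARATORS).join(chosen)


def normalize(phrase: str) -> str:
    """Undo the cosmetic tricks a cracker's rule set would also undo:
    lowercase, treat separators as spaces, reverse the substitutions."""
    out = []
    for c in phrase.lower():
        if c in SEPARATORS:
            out.append(" ")
        else:
            out.append(REVERSE.get(c, c))
    return "".join(out)


def looks_like_known_phrase(phrase: str, known: set) -> bool:
    """True when the phrase, once normalised, is a quote/lyric in `known`
    (a constructed stand-in for the phrase lists crackers ship with)."""
    return normalize(phrase) in known


if __name__ == "__main__":
    print(generate_passphrase(6), f"~{entropy_bits(len(WORDS), 6):.1f} bits from word choice")
    print(looks_like_known_phrase("Pl3@s3d-to-m33t-m3", {"pleased to meet me"}))
```

Only the word choice is counted towards entropy: with the 32-word demo list six words give 30 bits, while a 7,776-word diceware list gives about 64.6 bits for five words, which is why the list size matters far more than the decorations.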
I won’t skip the second step
Another trouble with passwords/passphrases may arise when they are not only the first, but the only line of defence for your account security. When the barrier crumbles – commonly through a phishing attack or by attackers somehow working out your login details – an extra authentication factor that does not rely on ‘something you know’ may very well foil your adversaries.
Two-factor authentication (2FA), or multi-factor authentication (MFA), is an excellent way of boosting the security of your accounts, especially when coupled with hardware keys or dedicated apps, and less so with SMS-borne 2FA. Although many online services provide 2FA options, few require its use. However, the adoption of 2FA has been on the rise and it’s never been easier to jump on the practice. Regardless of its implementation, signing up for 2FA whenever you can is well worth the little extra effort, as it can help in various scenarios, including when your password was compromised without you yourself ever falling prey to a cyberattack.
In fact, it’s quite probable that some of your authentication details will be, or have already been, stolen and posted online or made available for sale on underground marketplaces. The sources of these password leaks include the many security breaches that have blighted online services, retailers, hotel chains and the like. Additionally, the targeted entity may have protected the users’ passwords with weak hashing and salting functions, or even stored the passwords in plain text. Worse still, the service provider, let alone you, may not know until quite a while later that hackers pilfered the often poorly secured data, or purchased them on the dark web, leaving you no chance to take any ad-hoc defensive measures. Again, this is also where the extra authentication factor will usually thwart any account-takeover attempts.
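The “weak hashing and salting” point above is easiest to see side by side. This is an added example, not code from the article: a constructed breach dump of three users, the unsalted fast hash that lets one precomputed table crack every user at once, and the salted, deliberately slow PBKDF2-HMAC-SHA256 scheme (the 600,000-iteration default follows current OWASP guidance) that gives every user a different digest even when their passwords are identical and forces per-user work on a cracker. The usernames, passwords and the `$`-separated storage format are assumptions of the example.

```python
import hashlib
import hmac
import os

# What not to do: an unsalted, fast hash. Identical passwords give identical
# digests, and one precomputed table cracks every user in the dump at once.
def weak_hash(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(dump: dict, wordlist) -> dict:
    """Recover users whose unsalted hash appears in a table built once from
    a wordlist: cost is O(users + words), not O(users * words)."""
    table = {weak_hash(w): w for w in wordlist}
    return {user: table[h] for user, h in dump.items() if h in table}


# What to do: a per-user random salt and a slow, iterated KDF.
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 count per OWASP's password storage guidance


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' (constructed format)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed breach dump: the site stored unsalted MD5. Alice and Bob reused
# the same weak password; Carol's is random and absent from the wordlist.
DUMP = {
    "alice": weak_hash("password"),
    "bob": weak_hash("password"),
    "carol": weak_hash("q7#Vx!2pLm9zR"),
}
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]


if __name__ == "__main__":
    print(crack_unsalted(DUMP, COMMON_PASSWORDS))       # alice and bob fall together
    h1, h2 = hash_password("password"), hash_password("password")
    print(h1 != h2, verify_password("password", h1))      # True True: same password, different digests
```

The same idea scales: with salts, a cracker who wants all three users must run the full iterated KDF against the wordlist three separate times, and each attempt costs hundreds of thousands of SHA-256 invocations instead of one.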