#SPYHACK: Powerful Passphrase

Greetings Everyday Spy,

Welcome to your newest #SpyHACK!

The number one factor in our personal security is our own choices and actions.

After I left CIA, I worked on a Fortune 10 digital healthcare portal. A lady on the team with me was a stickler about online security and wanted every new user to create a ‘strong’ password.

Her suggested password requirements were:

  • No less than 12 characters
  • Capital and Lowercase letters
  • At least one special character
  • At least one number
  • Mandatory changes every 6 months

I hate creating new passwords… and I hate it even more when I’m forced to change my password on a regular basis.

I told the woman I was working with that if I was a new user looking at her password requirements, I’d do one of three things:

  1. Create a complicated password and forget it soon after
  2. Reuse a password from another profile
  3. Write down my password, store it on my internet browser, or save it to a password storage program

The problem was that each of those options led to the same result – poor personal data security.

The average person has 90 unique online accounts requiring a password.

When passwords first started, they worked like your ATM banking PIN; 4-6 numbers that would grant you access to something. They were nothing more than a fancy combination lock. Since then, we’ve started to rely on passwords to do everything from confirming our identity to signing legal documents. In most professional environments, your login credentials make you accountable for everything that happens on your work computer!

Passwords have become a critical piece of our everyday life. They protect our computers, our cell phones, our health records and more. But there is something about passwords that nobody wants to talk about…

100 passwords are STOLEN every SECOND of every DAY – totaling more than 8 million stolen passwords a day.

Every bad guy out there knows at least one thing about you: you use passwords. You use them for email, social media, shopping, banking, education, job hunting, and the list goes on. Hackers know what passwords look like, how they work, and where they are saved.

They know that you forget your passwords, you store your passwords online, you write them on sticky notes, you reuse them on multiple accounts. They know you use your children’s names, important dates, pet names, and places you’ve traveled to build your password.

They know because they use computer programs built for one purpose – cracking passwords.

And even though we understand that passwords keep us safe, none of us like to use them…

81% of people use the same password for multiple accounts; 61% use similar passwords for all accounts; 2% use the same password for every account they have.

Right now you feel either amazed or comforted. Amazed that so many people are compromising their security… or comforted that you aren’t the only one.

When you dig into the details you start to see exactly how we compromise our passwords:

  • 81% of data breaches are due to compromised passwords
  • 75% of people share their passwords with another person
  • 52% of people write their passwords down on paper
  • 22% of people rely on web-browsers or phones to remember their passwords
  • 13% of people register their passwords with an online password service

Whether you like passwords or not, there is something you need to know…

Your brain does not like passwords. The brain naturally seeks simplicity and consistency when making security-related decisions.

Your brain hates complexity. The brain wants to associate topics together, create logical connections, and make things easy to remember. There are few things harder for the human brain than forcing it to remember a random alphanumeric password.

  • 25% of people forget a new password within 24 hours
  • 80 million people click the ‘forgot password’ button each day
  • 81% of people who use the same password multiple times know it is not a secure practice but do it anyway

Computers love passwords. To the typical computer program, they are simple. 

And the reason why is something called ‘entropy.’

Entropy is the word used to describe how much effort is needed to crack a password. The higher the entropy, the ‘stronger’ the password. Pig Latin, for example, has very low entropy – most people can crack Pig Latin in about four words: ITSA OTNA ATTHA ARDHA.

The reason you see online retailers and business IT teams telling you to use more complicated passwords (symbols, numbers, capital and lowercase letters, etc.) is because they believe that complicated passwords have more entropy.

They are wrong.

Passwords are just like Pig Latin to a computer. A bit of trial and error is all it takes to crack them.

You do not increase entropy by increasing complexity; you have to increase character length. 

Basic computers can process millions of complex password variations per second. Whether it’s a letter, symbol, or number, everything boils down to a ‘1’ or a ‘0’ to a computer.

But when it comes to processing long character strings, computers get bogged down. More characters mean more possible combinations – a lot more combinations…

For example:

     A 5 character password of letters and numbers has just over 60,000,000 combinations.

     A 7 character password of letters and numbers has nearly 80,000,000,000 combinations.

Consider the following password: !!G0BuLL$2019

13 characters long, capital and lowercase letters, letters and numbers, special characters galore.

Google, Yahoo, Capital One, and mom would be proud! But a hacker would be happy…

A hacker’s computer can process 13 characters and a trillion variations in about 4 days. Even less if the hacker used social media to discover I was a Chicago Bulls fan and assumed my password included the current year.

The weakness of passwords is not related to you, but rather to the system storing your password.

People think that identity thieves and hackers target individuals to get their online credentials and steal anything they can. That is not how it works.

In reality, hackers target the systems that store your password – a bank, online shopping service, search engine, or email server. When they get in, they strip all the user data from the system – like names, email addresses and passwords. Then they run dedicated programs against the passwords to break the passwords with the lowest entropy.

The weakest passwords get compromised first, and the thief then breaks into those accounts. They don’t care if you are deep in debt or a millionaire – all they care about is the strength of your password.

Spies are taught to see passwords as the weakest link in our online security profile.

When you live undercover, the value of your data increases exponentially. In addition to salespeople and online marketers, hostile state actors and terrorists also want to find you. No field agent wants to rely on 12 alphanumeric characters, capital and lowercase letters, and 2 special characters to protect them.

We know that passwords are our greatest weakness. They are the modern-day combination lock to everything we hold dear. We need stronger encryption.

The safety of your family, your identity, and your data is only as good as the way you encrypt it.

Elite operators, key executives and leading-edge businesses have replaced passwords with something known as a ‘passphrase.’ Passphrases are simple sentences that function like a password but are easier to create, easier to recall, and significantly more secure.

Passphrases are superior to passwords. They are simple for the human brain to remember but difficult for computer programs to crack.

Passphrases are modeled off of everyday language. Passphrases use all the same encryption components as a ‘strong’ password, but they use them in a way that is comfortable to the human mind. They read like a basic sentence, but their character count makes it nearly impossible for a computer to process all the possible passphrase combinations. 

Take a look at these examples and decide for yourself which would be easier for you to remember.

EXAMPLE 1:

  • ‘Strong’ Password: M0rn!ng03
  • ‘Stronger’ Passphrase: I wake up at 6 in the morning.
  • Encryption components: More than 8 characters including capital and lowercase letters, numbers, and special characters
  • Possible combinations: 5,000,000,000,000,000,000,000,000,000

EXAMPLE 2:

  • ‘Strong’ Password: h0Gw4rt$2019
  • ‘Stronger’ Passphrase: I want to go to Hogwarts in 2020!
  • Encryption components: More than 12 characters including capital and lowercase letters, numbers, and special characters
  • Possible combinations: 20,000,000,000,000,000,000,000,000,000,000,000,000
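To make the arithmetic behind the 5- and 7-character figures and the two examples above concrete, here is a small calculator added for this post (not code from the original article). It assumes an exhaustive attacker who must search every character class that appears in the secret, and an assumed rate of one trillion guesses per second; it shows why the 31-character lowercase passphrase still has a far larger search space than the 13-character complex password.

```python
import math
import string

# Character classes an exhaustive attacker must include once any member appears.
CLASSES = (
    ("lower", frozenset(string.ascii_lowercase)),   # 26 symbols
    ("upper", frozenset(string.ascii_uppercase)),   # 26 symbols
    ("digit", frozenset(string.digits)),            # 10 symbols
    ("symbol", frozenset(string.punctuation)),      # 32 symbols
    ("space", frozenset(" ")),                      # 1 symbol
)


def charset_size(secret: str) -> int:
    """Size of the alphabet the attacker must search, based on the classes used."""
    used = set(secret)
    return sum(len(members) for _, members in CLASSES if used & members)


def combinations(alphabet: int, length: int) -> int:
    """Strings of a given length over an alphabet of a given size: alphabet ** length."""
    return alphabet ** length


def entropy_bits(secret: str) -> float:
    """Brute-force entropy: log2(alphabet ** length) = length * log2(alphabet)."""
    return len(secret) * math.log2(charset_size(secret))


def exhaustive_search_seconds(secret: str, guesses_per_second: float = 1e12) -> float:
    """Worst-case time to enumerate the whole space at an assumed guess rate."""
    return combinations(charset_size(secret), len(secret)) / guesses_per_second


def compare(password: str, passphrase: str) -> dict:
    """Entropy of both secrets and whether the passphrase has the larger search space."""
    pw_bits, pp_bits = entropy_bits(password), entropy_bits(passphrase)
    return {
        "password_bits": round(pw_bits, 1),
        "passphrase_bits": round(pp_bits, 1),
        "passphrase_stronger": pp_bits > pw_bits,
    }


if __name__ == "__main__":
    # The article's 5- and 7-character letters-and-numbers figures (36-symbol alphabet).
    print(combinations(36, 5), combinations(36, 7))
    # The article's complex password versus an all-lowercase passphrase (assumed example).
    print(compare("!!G0BuLL$2019", "i wake up at six in the morning"))
    print(f"{exhaustive_search_seconds('!!G0BuLL$2019') / 86400:,.0f} days at 1e12 guesses/s")
```

Real attacks use dictionaries and patterns rather than pure enumeration, so treat these figures as an upper bound, not a promise.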

Some people say we are our own greatest security risk; I believe we can be our own greatest security champions. 

The human brain remains the most powerful computer on the planet. Our mind is far more trustworthy than third party password systems, online browsers, or post-it notes. 

Don’t let yourself fall victim to the weakness of passwords. Join the elite in information security and update your accounts to use passphrases instead. Your major online services are already configured to accept passphrases instead of passwords – they just haven’t told you about it!

Here are some general guidelines for building a good passphrase:

  1. Try to use phrases of 4-7 words, the ideal spot for recall and security
  2. Avoid common/famous phrases – make your passphrase personal
  3. For best security, do not use one passphrase for multiple accounts

If you log into the online healthcare portal I worked on in 2016, you will be prompted for a passphrase.

Two weeks after we started the portal project, the lady demanding strong passwords had her identity stolen. She was devastated. She found out a hacker had stolen her personal email address, cracked the password, and then used the same password to access her retirement account. Her 22-year 401k was hijacked.

She put her faith in a password; a 12 character combination lock she thought was impossible to crack.

It wasn’t.

You will read a new report in the coming weeks about another major security breach due to passwords.

And you will rest easy knowing that your information is safe.

Godspeed, #EverydaySpy 

Author: Andrew Bustamante, Founder of www.EverydaySpy.com. Andrew is a former covert CIA Intelligence officer, decorated US Air Force Combat Veteran, and respected Fortune 500 senior advisor. Learn more from Andrew on his Podcast (The Everyday Espionage Podcast) and by following @EverydaySpy on your favorite social media platform.

1 Comment

  1. Joel Bustamante-Miranda

    July 25, 2019 at 4:00 pm

    Wow!! This is really good. I am changing my passwords to passphrases. I just have to think of a clever one that can change without changing the meaning of the phrase.