Death to Passwords! They Don’t Work, So What’s Next?

We’ve all seen the Hollywood movies. Retinal eye scanners that open secret passageways. Facial recognition systems and handprint scanners to verify that the good guys are who they say they are.

In truth, corporate security in the real world is much more mundane. The most common model requires employees to enter a six or eight character password to access a secure environment. For many years, that model was good enough, even though many man hours were spent resetting or unlocking accounts when the password just couldn’t be remembered.

Today, the model is broken because passwords, as they exist, have outlived their usefulness. In the old model, the workplace was always on-premise and people spent most of their time in their physical place of employment. But in today’s society, workers are just as apt to be in their own living room, in a client’s conference room, or in an overseas hotel room.

A simple password just doesn’t cut it anymore. It’s not personal enough. It’s not secure enough. And increasing the complexity of a password isn’t the solution because it just means more time wasted in lockouts and resets.

What’s more, today’s workforce doesn’t just utilize enterprise technology that is configured for on-premise usage. The mobile workforce of today utilizes social media technology and flexible remote tools and applications. Work happens anytime, anywhere.

Empowering the innovative workforce of today means replacing the restrictive passwords of old with something much more intuitive, like passphrases. Enabling passphrases will ultimately empower the innovative workforce with better security. Employees will feel they have more ownership over their own identities and, as IT professionals, we should encourage better security measures that increase productivity.

After all, identity has become just as important as the data it authorizes. Moving from an eight character encrypted password to a 26 character password only introduces complexity. Educating the workforce on the eradication of the password and the implementation of the passphrase will empower people to lock down a single identity access once and for all.

Today, only about two percent of enterprises have implemented passphrases. Why? Because most CIOs fear the repercussions of making access more complex, such as massive lockouts for end users and skyrocketing helpdesk calls.

Employees unable to do their job because they no longer have access to the tools they need is the ultimate technology nightmare. But this fear simply enables the bad guys to develop more complex hacking algorithms against the eight character password.

Let’s take a closer look at what passphrases really are. Yes, they are inherently more complex than passwords, but they are also inherently more intuitive, and that is what eliminates the complexity.

In fact, passphrases are nothing new. We’ve all used them at one time or another to help us memorize complex things. To learn the order of planets from the sun, for instance, school kids commonly employ the phrase: My Very Educated Mother Just Served Us Nachos. That’s a very easy and intuitive way to memorize Mercury, Venus, Earth, Mars, Jupiter, Saturn, Uranus, Neptune.

With a little guidance from the IT staff, passphrases can be a very effective security measure to help isolate and protect corporate data. Here are some passphrase guidelines intended to get everyone away from using passwords and in the habit of using passphrases, which results in stronger and more intuitive security.

Passphrase Guideline #1

Total number of letters in my name; high school mascot; power department; favorite car:

Passphrase: 14_Panther_CPS_Corvette

Passphrase Guideline #2

Four wheel drive or two wheel drive, margarita on the rocks or chilled, favorite fruit, area code of your favorite destination:

Passphrase: 4x4_Chilled_Mango_808

Passphrase Guideline #3

Local grocery store; color of your trash cans; favorite cheese, mother’s zip code:

Passphrase: HEB_Green_MontereyJack_96808

As you can see from the examples, even if everyone is following the same guidelines, you will still get wildly divergent passphrases. Example #3, for instance, produced a whopping 27 character passphrase. The passphrase itself is easy to remember, even though a 27 character password would be very difficult. Once the workforce gets the hang of it, they can mix and match several guidelines for even more random passphrases in the future.

It’s time to kill the password and replace it with the passphrase. The IT staff can play a crucial role in transitioning today’s workers away from old-school passwords to modern day passphrases.