Training your users to use passphrases

Tori Meyer
4 min read · May 19, 2018


Passwords will soon be a thing of the past. We are no longer in an age where passwords with @rb1trArY p01ci3$ like one number, one uppercase letter, 3 emojis, 1 bitmoji, and 12 Chinese characters are secure enough to keep us safe from attackers.

So what do we do? In general, we are moving towards a password-less future. Companies like Trusona are pushing for #NoPasswords frictionless authentication using biometrics, physical IDs, and other multi-factor authentication techniques. Unfortunately, it’s a little early for this adoption across the board.

As an IAM (identity and access management) product manager, I have a fun puzzle to solve where I:

  • require enough security to feel confident that I’m adhering to the strongest password policies (I use NIST’s guidelines as a starting point, but security is ever-evolving, and it’s a race as hackers become more sophisticated)
  • ensure a positive user experience while achieving strong security
  • remove complex password rules that don’t provide any extra security
  • educate the user why I am guiding them towards a passphrase

Passwords are not secure and are hard to remember

In 2017, after over a year of research, NIST came out with new, groundbreaking guidelines surrounding your digital identity. They shattered current authentication practices and replaced them with improved security and user experience.

Some major takeaways include:

  • Existing password guidelines have the opposite of their intended effect. The majority of users tend to use the same password, like Kidsname1! or Petn@meStreetNumber. When they’re forced to change their password, they create the same password with a slight variation, e.g., increasing the number at the end from a 1 to a 2.
  • Security questions, despite the name, are not secure. It is not hard to find out a user’s dog’s name or father’s name. In fact, research shows that many users don’t answer these questions accurately. Instead, they will answer with the first or last word of the question, e.g., Q: What is the make and model of your first car; A: car.
  • Text messages for secondary authentication are no longer considered secure. Not only can your phone easily be stolen (it’s happened to me more than once), but SIM swap attacks are becoming more and more popular. Hackers can steal your SIM or reroute your texts to their own SIM. They can now gain access to any of your accounts that have SMS set up for your 2FA.
  • Passphrases are, by nature, longer and harder for computers to guess. They are easier for humans to remember because we can use a phrase that makes sense.

How to transition to passphrases

Okay, so now that we know why it’s time to transition our authentication strategy away from passwords, how do we do it?

  1. Recognize that this is a big shift for most of your users. Even if your user base is technologically savvy, passwords have been around since the beginning of the internet. Use a voice that is friendly and conversational and acknowledges that passphrases are different.
  2. Provide more details if users want them, but don’t overwhelm them with details about security. Authentication should be painless. You want your users to log in to your software, not spend 5 minutes figuring out how to create a passphrase and reading why. Instead of requiring multiple password rules, suggest a phrase that your users can remember but that will be hard to guess.
  3. Give an example that your user is unlikely to copy. As designers, product managers, architects, security engineers, and software developers, we can only do so much to keep people from making poor choices. You can give an example of a passphrase, but try not to lead the user. Instead of “My son’s name is Severus” where the user might then choose “My son’s name is Draco,” make the example something like “brown foxes have feet.”
  4. Do not restrict special characters. There is no reason to restrict them, and there is also no reason to require them. The length of the passphrase is what keeps it secure. I recommend not allowing fewer than 12 characters. If, for example, your guidance to your user base is a phrase with three to five words, then it is very unlikely they will have fewer than twelve characters. There is a fun tool from betterbuys.com that estimates how long it will take for a hacker to brute-force your password. Though eight characters is the minimum that NIST recommends, that tool estimates hours to brute-force an 8-character password with no other restrictions, and centuries for a 12-character password with no other restrictions.
  5. Mask by default*, but allow the user to unmask their passphrase. Because passphrases are longer, they’re more prone to typos. Allowing the user to reread their passphrase (and confirm on initial setup) will keep your users from experiencing the frustration of creating a passphrase with a typo.

*Masking by default is not always recommended for mobile. The reason to mask is to protect yourself from people looking over your shoulder, but most mobile operating systems enlarge each typed character by default anyway.
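What step 4 looks like as code, as an added example of my own rather than code from the article: a legacy composition-rule checker beside a length-only passphrase policy, plus the brute-force estimate the step cites. The 12-character minimum comes from the article; the 128-character ceiling, the 95-character printable alphabet and the guess rate of 10^10 per second are assumptions.

```python
import unicodedata

MIN_PASSPHRASE_LEN = 12   # the article's recommendation (NIST's floor is 8)
MAX_PASSPHRASE_LEN = 128  # assumed ceiling; long phrases must still be accepted


def legacy_policy(pw: str) -> list[str]:
    """The composition-rule policy the article argues against.
    Returns a list of rule violations (empty list means accepted)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in pw):
        problems.append("needs an uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a digit")
    if not any(not c.isalnum() and not c.isspace() for c in pw):
        problems.append("needs a special character")
    if " " in pw:
        problems.append("spaces not allowed")
    return problems


def passphrase_policy(secret: str) -> list[str]:
    """Length-only policy: spaces, emoji, CJK and any printable text are fine.
    Returns a list of rule violations (empty list means accepted)."""
    # Normalize first so the same phrase typed on different keyboards compares equal
    secret = unicodedata.normalize("NFKC", secret)
    problems = []
    # len() counts code points, so twelve CJK characters count as twelve, not bytes
    if len(secret) < MIN_PASSPHRASE_LEN:
        problems.append(f"shorter than {MIN_PASSPHRASE_LEN} characters")
    if len(secret) > MAX_PASSPHRASE_LEN:
        problems.append(f"longer than {MAX_PASSPHRASE_LEN} characters")
    # Reject only control characters (category C*), never ordinary punctuation
    if any(unicodedata.category(c).startswith("C") for c in secret):
        problems.append("contains control characters")
    return problems


def brute_force_years(length: int, alphabet_size: int, guesses_per_sec: float) -> float:
    """Worst-case years to exhaust every string of this length.
    guesses_per_sec is an assumed attacker budget, not a measured figure."""
    return alphabet_size ** length / guesses_per_sec / (365 * 24 * 3600)


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1!", "brown foxes have feet"):
        print(candidate, "legacy:", legacy_policy(candidate), "passphrase:", passphrase_policy(candidate))
    print("8 chars:", brute_force_years(8, 95, 1e10), "years; 12 chars:", brute_force_years(12, 95, 1e10), "years")
```

Note that the classic "P@ssw0rd1!" satisfies every legacy rule yet fails the length-only policy, while "brown foxes have feet" does the reverse.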

  • Passphrases are easier for humans to remember.
  • Passphrases are harder for computers to guess.
  • Passphrases are harder for humans to hack.
  • Passphrases are harder to socially engineer.

I encourage you to use passphrases yourself and help me in the challenge of driving this awareness for a more secure future.

Tori Meyer

Identity and Access Management Product Manager for an enterprise SaaS product. Passionate about finding a balance between user experience and security.