Stop Requiring P@55w0rDz!

We need to allow passphrases instead

Mario Noble
The Startup
5 min read · Jan 15, 2021


Photo by cottonbro from Pexels

Magical incantations against hostile forces

How many times have you been asked to create a password like this? Or worse, had to build these rules into a design or project?

  • Choose a password that is a minimum of 8 characters long. Sometimes there’s a maximum too. Why? Usually a fixed-width database column or a legacy system. A properly hashed password has no reason to be capped at 12 or 16 characters, and a low cap is a warning sign about how the password is being stored.
  • The password must contain at least one letter and one number (alphanumeric).
  • It must also use at least one uppercase and one lowercase character.
  • It must include at least one special character like !, #, $ or & (sometimes other common special characters such as {, ], \ etc. are not supported). My wifi printer can’t even enter a hash (#)…
  • If you’re lucky you’re told all this at the start, and not when you click submit and have to start the process all over again.

By the way, you’ll probably be asked to type it twice.


If you’re lucky, there will be some sort of real time password strength checker that tells you if you’ve met the requirements. If not, you’ll need to just keep trying!

If you’re unlucky, you’ll have to create a new password every few months. And to make matters worse, a similarity check compares the new password against the old one and rejects it if the two are too much alike.

Wait, it’s really less magic and more trick

Most people will create some L33tspeak password that sounds like something they can remember and fits the requirements. They might use something personal like M@rioC001 or the name of their favorite dog F1d0Eats$. Hey, it meets the requirements! Or, they’ll make up something random E67Hy%yu and then write it down on a piece of paper stuck to their desk (under a book of course for extra security). Each time they need to change it, they’ll maybe use M@rioC00l2! Or, cross out the old one and write the new password on the sticky note. Very secure and not guessable at all. /jk

“My favorite dog is Fido. I’ll use F1d0Eats$”

Seemingly good password security practices can create bad security risks.

Are there better ways? Yes, but…

If they’re really on the ball they might use a browser like Firefox or Chrome to generate and store their passwords. That said, accessing those passwords across different browsers and devices can be an issue. And if they’re using a non-browser app, that’s a problem too if the app doesn’t support the browser’s password manager.

Most tech professionals (myself included) use dedicated password managers like KeePass, LastPass, 1Password, etc. This enables us to handle hundreds of logins across devices and browsers plus generate and share the credentials for certain sites/services with others if needed. That said, the best ones often do cost money, require setup, and management can still be confusing for the average person.

I still can’t get my wife to consistently add password info for many credentials we need to share, lol.

So, you can automate things to a certain degree.

Is there a better way? Yes!

Passphrases to the rescue!

Instead of E67Hy%yu, we can implement registrations and logins that allow them to use something like greentreeflowdown.

Which might be based on a favorite painting I saw a while back.

Counterintuitively, by today’s internet standards, this is more secure and harder to brute force or guess. The strength comes from length and from the number of ways the words can be combined, not from mixing character classes: four words drawn from a list of a few thousand give well over 40 bits of entropy, far more than a predictable l33tspeak word with a digit and a symbol tacked on, which attackers’ wordlists and mangling rules already cover. The words do need to be picked freely, though, not lifted from a well-known phrase.

That said, if you still use something guessable like MarioNoble, that remains a security risk and should not be used.

The comic explanation

A pretty famous comic summarizes the problem and why passphrases are better from a security standpoint.

A comic demonstrating how passphrases have more entropy than conventional passwords while being easier to remember and harder to guess.
Credit — Randall Munroe, XKCD

Advice from comics not good enough?

The experts weigh in.

The National Institute of Standards and Technology recommends just that. SP 800-63B tells verifiers to drop composition rules and forced periodic changes, to accept long passwords (at least 64 characters) including spaces, and to screen new passwords against lists of commonly used or compromised ones:

https://securityboulevard.com/2019/03/nist-800-63-password-guidelines/

https://pages.nist.gov/800-63-3/sp800-63b.html#sec5

https://www.zdnet.com/article/fbi-recommends-passphrases-over-password-complexity/

Here’s also a nice generator that does it for you: https://correcthorsebatterystaple.net/

Do they still like to mix upper- and lowercase letters, digits and special characters into a passphrase? Makes them feel all warm, fuzzy and more secure inside? Let them go for it! As long as it’s long, memorable and not easily guessable, they’re free to do what they want.

Mmmmm…freedom.
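To put numbers on the passphrase-versus-password comparison above, and to show what a generator like the one linked does under the hood, here is an added example (not code from the original article or from correcthorsebatterystaple.net). It computes the search space in bits for several styles, assuming every element is chosen uniformly at random, and generates a passphrase with the operating system’s CSPRNG. The word list is a constructed stand-in; a real generator would load a diceware-style list of several thousand words (the EFF long list has 7,776).

```python
import math
import secrets

# Constructed sample word list for the demo; far too small for real use.
WORDS = [
    "green", "tree", "flow", "down", "train", "crazy", "when", "ten",
    "horse", "battery", "staple", "correct", "river", "amber", "quiet", "lantern",
    "copper", "meadow", "violet", "harbor", "pencil", "thunder", "maple", "orbit",
    "canyon", "velvet", "saddle", "pepper", "glacier", "anchor", "ribbon", "falcon",
]


def bits_of_entropy(choices: int, length: int) -> float:
    """Entropy in bits of `length` independent, uniformly random picks from `choices` options."""
    return length * math.log2(choices)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest number of words from a list of `list_size` that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(words=WORDS, count: int = 4, sep: str = " ") -> str:
    """Pick `count` words with `secrets` (the OS CSPRNG), never with `random`."""
    return sep.join(secrets.choice(words) for _ in range(count))


def compare_styles() -> dict:
    """Search-space size, in bits, of several styles when every element is random."""
    return {
        "8 random printable ASCII chars (95 symbols)": bits_of_entropy(95, 8),
        "4 words from a 2,048-word list (the XKCD estimate)": bits_of_entropy(2048, 4),
        "4 words from a 7,776-word diceware list": bits_of_entropy(7776, 4),
        "6 words from a 7,776-word diceware list": bits_of_entropy(7776, 6),
        "17 random lowercase letters": bits_of_entropy(26, 17),
    }


if __name__ == "__main__":
    for style, bits in compare_styles().items():
        print(f"{bits:5.1f} bits  {style}")
    print("example passphrase:", generate_passphrase())
    print("words for 64 bits from a 7,776-word list:", words_needed(7776, 64))
```

The figures only hold when the picks are random. A phrase a person composes (greentreeflowdown, or M@rioC001 with its predictable substitutions) is worth far fewer bits than its length suggests, because cracking tools model exactly those habits; that is why the comic’s l33tspeak example rates only about 28 bits.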

We still need guidelines

This is probably what new user guidance should cover

  • Require at least 14 characters and suggest at least four words (NIST’s floor is 8, but passphrases should aim higher). Allow at least 64 characters, as NIST 800-63B recommends, so nobody is punished for picking a longer phrase.
  • Ideally, the words look random to anyone else but have meaning to the user (give an example like traincrazywhenten: you really liked trains when you were ten. Make sure the example itself isn’t actually used, lol).
  • It could contain spaces or be a sentence (I love ice cream on Wednesdays.), though a grammatical sentence is more predictable than randomly chosen words, so don’t count its full length as strength.
  • Don’t use the username, the site or company name, birthdays, phone numbers, Social Security numbers, or the names of significant others (wife, husband, dog, cat, etc.).
  • Don’t reuse it for other logins.

The last three points are all practices that should be checked for in the “old-school standard” password method as well even if you don’t want to use the passphrase approach.

Good things to still do…

  • A passphrase strength checker that only checks length and whether the passphrase contains the username, the app or site name, or other user data the site already holds (and, as NIST 800-63B requires, whether it appears on a list of commonly used or compromised passwords). No uppercase/digit/symbol rules.
  • Give feedback as they type, on more than just the minimum length, rather than only after submission.
  • Give the hints up front and provide clear guidance when the passphrase doesn’t meet the criteria.
  • Show this next to the field, not at the end of the form.
  • Provide a recovery path like Reset Password, but never store the passphrase in plaintext: store only a salted, slow hash (bcrypt, scrypt, Argon2 or PBKDF2). Nobody in your org should be able to view it, and a reset replaces it rather than revealing it.
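The two lists above describe a policy and a storage rule; here they are as working code, as an added example that is not from the original article. The checker implements exactly the rules listed (length, no known user data, not on a common-password list, and deliberately no composition rules), with a small l33tspeak normaliser so M@rioC001 still matches a username of mario. Storage uses salted PBKDF2-HMAC-SHA256 from the standard library with constant-time verification. The deny list, the 14-character floor, the 256-character cap and the sample user data are all assumptions made for the demo.

```python
import hashlib
import hmac
import secrets

MIN_LENGTH = 14    # this article's floor for passphrases (NIST 800-63B's is 8)
MAX_LENGTH = 256   # 800-63B says allow at least 64; a cap only bounds hashing cost

# Constructed stand-in for a list of common or breached passwords; a real
# deployment checks a large corpus. traincrazywhenten is the article's own
# example, which it says must never actually be used.
COMMON_PASSWORDS = {
    "password", "password123", "qwertyuiop", "letmein", "iloveyou",
    "correcthorsebatterystaple", "traincrazywhenten",
}

# Undo common l33tspeak substitutions so M@rioC001 still contains "mario".
LEET = str.maketrans("@01345$7", "aoieasst")


def normalize(text: str) -> str:
    """Lowercase, de-l33t and keep only letters and digits, for containment checks."""
    text = text.lower().translate(LEET)
    return "".join(ch for ch in text if ch.isalnum())


def check_passphrase(passphrase: str, username: str, site_name: str, user_data=()) -> list:
    """Return a list of problems; an empty list means the passphrase is acceptable.

    `user_data` is a sequence of (label, value) pairs the site already knows,
    e.g. ("your pet's name", "Fido"). There are intentionally no rules about
    uppercase, digits or symbols.
    """
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append(f"must be at least {MIN_LENGTH} characters")
    if len(passphrase) > MAX_LENGTH:
        problems.append(f"must be at most {MAX_LENGTH} characters")
    norm = normalize(passphrase)
    for label, value in (("your username", username), ("the site name", site_name), *user_data):
        value_norm = normalize(value or "")
        # Skip very short values to avoid false positives on two-letter fragments.
        if len(value_norm) >= 3 and value_norm in norm:
            problems.append(f"must not contain {label}")
    if norm in COMMON_PASSWORDS:
        problems.append("is on a list of commonly used passwords")
    return problems


def hash_passphrase(passphrase: str, iterations: int = 600_000) -> str:
    """Salted PBKDF2-HMAC-SHA256; store this string, never the passphrase.

    bcrypt, scrypt or Argon2id are preferable when a library is available; PBKDF2
    is used here because it ships in the standard library. 600,000 iterations is
    the figure OWASP's Password Storage Cheat Sheet gives for SHA-256.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_passphrase(passphrase: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor, then compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algorithm}")
    digest = hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    known = [("your pet's name", "Fido")]
    for candidate in ("M@rioC001", "F1d0Eats$ every single day", "I love ice cream on Wednesdays."):
        print(repr(candidate), check_passphrase(candidate, "mario", "Medium", known) or "ok")
    record = hash_passphrase("I love ice cream on Wednesdays.")
    print(record[:40] + "...", verify_passphrase("I love ice cream on Wednesdays.", record))
```

Because the stored record carries its own salt and iteration count, the work factor can be raised later and old records re-hashed at the user’s next successful login, and a reset simply writes a new record; there is no way for staff to recover the old passphrase from it.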

I’d also allow them to view their password if they want, even if it’s easier to remember and type now.

You might only have them enter it in once depending on the security context. Joining a forum can be a bit different than creating a bank login.

Linking to some common password managers might be helpful as well. Many people don’t even realize they exist.

Getting hardcore

Speaking of bank logins, in a high-security environment you’ll of course want more than passphrases: real two-factor authentication (SMS-based codes are not recommended; use an authenticator app such as Authy, Duo, Google Authenticator or Microsoft Authenticator), or a physical hardware security key that plugs into a USB port, plus biometrics where the device supports them. Security questions are a weak fallback at best: the answers are often public or guessable, and the NIST guidance linked above does not treat them as an authenticator.

Hand holds a USB hardware security key on a keychain.
USB Hardware Security Key — Photo by cottonbro from Pexels

Make the world just a bit less miserable!

Security usually reduces convenience and often increases friction, but at least using a passphrase can alleviate the password pain point to a certain degree.

I think the more we can implement this on as many systems as possible the more secure we will be in reality. Otherwise, we’re just doing the digital equivalent of making people take their shoes off at the airport security checkpoint.




I’m a UX Designer in Los Angeles, CA. I used to be interesting but now I just geek out, watch Netflix/Prime and get worked up over politics