It is often said that data and networks are far less vulnerable to sophisticated technological attack than they are to human mistakes. This is borne out time and again by news of large-scale hacks that were made possible not by expansive, high-tech eavesdropping operations, but by individuals who were tricked into giving up a password over email, by passwords that were written down, or by passwords so simple that they can be cracked in seconds.
Indeed, the use of difficult-to-remember passwords – and the steps that people take to keep track of them – is one of the key ways that attackers compromise a system. In order to protect yourself and any organizations – including the Iowa City Community School District – whose systems you have access to, one easy solution is to switch from passwords to passphrases.
Let’s take a look at an example. For many years, it was thought – and recommended – that complexity be introduced to passwords. Instead of using “Coffee” as a password, for instance, you might use “C0FfeE!”. The problem is that it can be difficult to remember even one password like this, much less the dozens (or hundreds) that many of us use. More to the point, the new password is barely more difficult to crack than the old one. According to the howsecureismypassword.net website, while it would take only a fraction of a second to crack “Coffee”, the time increases to just 7 minutes with our more complex “C0FfeE!”.
Passphrases – which eschew complexity for unpredictable length – can be both easier to remember and far more secure. Let’s say that I like coffee a great deal, and instead of using C0FfeE! as a password, I opt for “ilikemycoffeeroasted”. The time to crack has just increased to 16 billion years. Let’s say that I’m using a service that requires me to use a number or symbol; “igot2shotsofespresso!” would take a computer about 573 quadrillion years to crack.
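To make the length-versus-complexity comparison concrete, here is a small script that estimates the brute-force keyspace of the four examples above. It is an added example, not code from the original post or from howsecureismypassword.net, and it assumes a constructed attacker guess rate of 10 billion guesses per second, so its absolute times differ from the figures quoted above; the ordering is what matters.

```python
import math
import string

# Constructed assumption for this example: an offline attacker guessing 1e10
# candidates per second (a fast hash on a GPU rig). This is not the model used
# by howsecureismypassword.net, so the times differ from those in the post.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the smallest standard character pool covering the password."""
    pools = (string.ascii_lowercase, string.ascii_uppercase,
             string.digits, string.punctuation)
    return sum(len(p) for p in pools if any(c in p for c in password))


def brute_force_bits(password: str) -> float:
    """Entropy in bits if the attacker must try every charset^length string."""
    return len(password) * math.log2(charset_size(password))


def dictionary_bits(num_words: int, dictionary_size: int = 10_000) -> float:
    """Pessimistic entropy if the phrase is num_words common words joined
    together and the attacker guesses word combinations, not characters."""
    return num_words * math.log2(dictionary_size)


def years_to_crack(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected years to hit the secret (half the keyspace) at the given rate."""
    return (2 ** bits / 2) / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    # The two passwords and two passphrases discussed in the post.
    for pw in ("Coffee", "C0FfeE!", "ilikemycoffeeroasted",
               "igot2shotsofespresso!"):
        bits = brute_force_bits(pw)
        print(f"{pw:24} charset={charset_size(pw):3} bits={bits:6.1f} "
              f"years={years_to_crack(bits):.3g}")
    # Even modelled pessimistically as four common dictionary words,
    # "ilikemycoffeeroasted" still carries more entropy than "C0FfeE!".
    wb = dictionary_bits(4)
    print(f"4 dictionary words       bits={wb:6.1f} years={years_to_crack(wb):.3g}")
```

The dictionary estimate is the caveat a defender should keep in mind: a passphrase built from a few very common words is strong against character-by-character brute force but much weaker against word-list guessing, which is why the post stresses unpredictable length.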
While each of my examples is longer, to be sure, than a typical password, the beauty of examples like these is that they should be relatively simple to remember. If you would like to address even that problem, you might try a password manager like the one built into Google Chrome, or a more powerful manager like LastPass.
As an organization, the Iowa City Schools has followed federal NIST guidance in implementing our internal password policies, which you can read more about here.
In closing:
- Strongly consider adopting passphrases to replace your passwords.
- Never write your passwords down.
- Never share your password over email, text, or by phone (even with District IT staff, who should never ask for it).
- Consider using a password manager like LastPass to generate, store, and use passwords.