Passphrases rather than passwords


 In a world with GDPR and an ever increasing number of cyber attacks it is vital that Credit Unions have proper security in place. Passwords will form one of the fundamental security measures in your system but passwords can often be a weak link in your security.

The guidance used to be to change your password as frequently as possible. The problem with this though is it makes it difficult for individuals to remember their password. Often this results in people writing down their passwords or selecting less secure passwords. A balance therefore needs to be struck in terms of how often passwords are changed.

The average business employee has 191 passwords to remember according to a survey by LastPass. This has two impacts. Firstly, users will select passwords which are easy to remember or very simple.  Worryingly the most common passwords used in 2018 were:

1) 123456

2) password

3) 123456789

4) 12345678

5) 12345

As a result many systems will now impose restrictions to force passwords to be more complex. This has resulted to people often using numbers or symbols that look like letters in their password so they are still easy to remember (for example p4ssword, numb3r, etc) or simple choices such as abc123 (15th most common password). Hackers though are aware of these  techniques and are setup to crack these passwords.


Secondly, most people will use a password for more than one site/system. If your password has been compromised on a site then hackers may try to access other sites using your email address and that password. is a site which checks if your online account details have been compromised. It checks your email address against lists of accounts on the dark web and tells you which accounts are known to be compromised. If you use sites like linkedin or adobe, who have had large scale breaches in recent years, then it is likely your email address will appear at least once. If any of your accounts have been compromised it is therefore important to change your passwords not only on that account but any online account that uses the same password. 

The need for more complex passwords that are still easy to remember has led to many IT professionals to recommend using passphrases such as lines from songs or combining 3 or 4 seemingly unconnected words. The unconnected words should be something connected for you but not for anyone else so for example if your morning routine in the office is to get a coffee, switch on your computer and then as you sit down you see Tesco outside your window then you could have a password of coffeeswitchtesco. If you throw in some capital letters,  numbers and symbols then you have a long memorable password. The use of these passphrases rather than passwords can therefore help improve your security.