Passphrases: easier, safer

3 min reading
User Experience / 25 January 2016


When developers design projects or applications, they often need to add user identification processes, and these usually depend on a user name and a password. The user’s privacy rests on this password, and users are ultimately the end customers of a digital product or service.

Without security there are no products or services on the Internet. We only think about security when someone puts it at risk, breaches it and accesses private data that should have been protected. Every such incident is one too many. Email, online payment services, mobile applications… Users tend to choose passwords that are easy to remember, but the risk of those passwords being compromised by an attack is particularly high.

Often the problem is not even the user’s but lies in security levels beyond their control. According to a security report by Akamai for the third quarter of 2015, the number of the most common DDoS attacks against web applications soared: SQL injection (SQLi), local file inclusion (LFI), remote file inclusion (RFI), PHP injection (PHPi), command injection (CMDi), OGNL Java injection and malicious file upload (MFU). These attacks sometimes target servers that host hundreds of websites and their passwords, and when such a server is breached, so is every password stored on it. Sometimes, Internet companies as prestigious as the social network Facebook or the chat service Snapchat

Apart from DDoS attacks, two other password theft methods are widely used in digital crime:

●      Brute-force attacks, which attackers use extensively to breach the security of systems or users, trying possible combinations step by step until the password is found.

●      Dictionary attacks, a cracking method that finds a specific password by trying every word in a dictionary. These methods call for changes in how passwords are chosen.

Usual tips for choosing a strong password

There are some practical tips that improve the security of the passwords users rely on to validate themselves in authentication systems. Some of them are repeated endlessly:

●      Creating passwords with eight or more characters: breaching a password can be a matter of combinations and time. The fewer characters a password has, the fewer combinations an attacker needs to try to discover it. Today it is estimated that a password with more than eight characters offers a high level of security.

●      The perfect password combines letters and numbers: among the most unsafe passwords in the world are those made only of numbers (‘1234’) or only of letters (‘password’). Combining letters and numbers raises the level of security.

●      Using keyboard symbols: if keyboard symbols are included in the password, the level of security against possible hacking attacks is higher. Examples of symbols that can be used: $ % & € # () [] @.

●      Using different passwords for email, payment services and social networks: if the user has a single password for every service, the risk is very high, because if it is lost the user is far more exposed than a more cautious user would be.

●      Not saving passwords when logging on: leaving passwords saved on the computer when accessing a social network or an email service means that third parties can gain access simply by knowing the user name. It is also a good idea to log off when leaving a place where passwords have been used.
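The two attack methods above and the "combinations and time" argument behind the first tip can be put into numbers. The following Python script is an added example, not code from the original article or from BBVA: it estimates how many candidates an exhaustive brute-force search must enumerate for a given password (the product of length and the alphabet of character classes present), contrasts that with a dictionary attack whose cost depends only on the size of the word list, and converts the result into worst-case time at a guess rate that is a constructed assumption rather than a measured figure.

```python
import math
import string

# Alphabets an exhaustive (brute-force) search has to cover, one per character
# class. The euro sign is added because the article lists it among usable symbols.
CLASSES = {
    "lower": set(string.ascii_lowercase),        # 26
    "upper": set(string.ascii_uppercase),        # 26
    "digit": set(string.digits),                 # 10
    "symbol": set(string.punctuation) | {"€"},   # 32 + 1
}


def charset_size(password):
    """Alphabet size a brute-force search must cover: the sum of every
    character class that actually appears in the password."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def brute_force_bits(password):
    """log2 of the number of candidates an exhaustive search enumerates
    (length * log2(alphabet)); 0 for an empty password."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def dictionary_bits(wordlist_size, words=1):
    """A dictionary attack ignores character count: it costs at most
    wordlist_size guesses per dictionary word, however long the words are."""
    return words * math.log2(wordlist_size)


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to enumerate the whole candidate space at a given
    guess rate. The rate is a constructed assumption for illustration."""
    return 2 ** bits / guesses_per_second


def report(password, guesses_per_second=1e9):
    """Summary a defender can use to compare password policies."""
    bits = brute_force_bits(password)
    return {
        "length": len(password),
        "alphabet": charset_size(password),
        "bits": round(bits, 1),
        "years_to_exhaust": seconds_to_exhaust(bits, guesses_per_second)
                            / (365 * 24 * 3600),
    }


if __name__ == "__main__":
    # Constructed sample passwords, from the article's weak examples to a
    # longer mixed-class passphrase.
    for pw in ["1234", "password", "Pa55w0rd!", "M1d@t30f8irTh01/23/1992)("]:
        print(pw, report(pw))
    # A 100,000-word dictionary is searched in about 2^16.6 guesses,
    # no matter how long its words are.
    print("dictionary, 100k words:", round(dictionary_bits(100_000), 1), "bits")
```

The point the numbers make is the one the article makes in words: each extra character multiplies the brute-force space by the alphabet size, so length matters far more than any single symbol, while a password that is a plain dictionary word gets no benefit from its length at all.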

Passphrases, the best option

Passphrases are the safest option against attempts to breach security, and they also offer users the very benefit that often leads them to choose unsafe passwords: they are easy to remember. Passphrases abandon the idea of a single password word in favour of longer constructions that combine more characters, letters and also numbers.

According to Microsoft, passphrases should have some basic features in order to be safe:

●      Between 20 and 30 characters.

●      Consisting of several words.

●      No set phrases or phrases found in literature or music.

●      With no words that can be found in the dictionary.

●      They do not contain the user name, company name or real name.

●      They are new passphrases, not ones already in use.

How to create the right passphrase?

First, choose a fact or thought that is easy to remember. Then mask it using the recommendations given above. Valid examples of a passphrase:

●      Fact: ‘My date of birth is January 23, 1992’. Suitable passphrase: M1d@t30f8irTh01/23/1992)(

●      Thought: ‘I love reading comics’. Safe passphrase: 1L0v3R3@d1ngc0m1cs[]. Shorter than the first one and related to a personal hobby that is very easy to remember.

Both have between 20 and 30 characters, they combine letters, numbers and keyboard symbols, they are not phrases that are found in literature or music, they are not real names, user names or company names, and they are new. 
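The features listed above and the two worked passphrases can be turned into a small policy checker. The Python below is an added example, not code from the original article or from Microsoft: it checks the length range, the mix of letters, numbers and symbols, the absence of the user name, real name and company name, and the absence of dictionary words, against a constructed word list and constructed identity fields (`SAMPLE_WORDLIST`, `SAMPLE_IDENTITY`). The "several words" and "not a phrase from literature or music" criteria are not checked mechanically. As a caveat, the checker also offers a stricter dictionary test that first undoes the common digit-for-letter substitutions used in both examples, since password-cracking rule sets undo exactly those substitutions before comparing against a word list.

```python
# Constructed sample inputs: a tiny word list standing in for a real
# dictionary, and the identity fields a passphrase must not contain.
SAMPLE_WORDLIST = {"date", "birth", "love", "reading", "comics",
                   "password", "january"}
SAMPLE_IDENTITY = {"user_name": "jsmith",
                   "real_name": "John Smith",
                   "company_name": "BBVA"}

# Common digit/symbol-for-letter substitutions. Cracking rule sets undo these,
# so the stricter check normalises them before looking for dictionary words.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "8": "b", "@": "a", "$": "s"})


def deleet(text):
    """Lower-case the text and reverse the substitutions in LEET."""
    return text.lower().translate(LEET)


def contains_word(text, words):
    """True if any word from the list appears as a substring of text."""
    return any(w in text for w in words)


def check_passphrase(passphrase, identity=SAMPLE_IDENTITY,
                     wordlist=SAMPLE_WORDLIST):
    """Evaluate one passphrase against the listed features; returns a dict
    of named boolean results so a caller can report which check failed."""
    lowered = passphrase.lower()
    normalised = deleet(passphrase)

    # Whole identity values plus their individual parts (first name, surname),
    # ignoring fragments too short to be meaningful.
    names = set()
    for value in identity.values():
        names.add(value.lower())
        names.update(part.lower() for part in value.split())
    names = {n for n in names if len(n) >= 3}

    return {
        "length_20_to_30": 20 <= len(passphrase) <= 30,
        "mixes_letters_digits_symbols": (
            any(c.isalpha() for c in passphrase)
            and any(c.isdigit() for c in passphrase)
            and any(not c.isalnum() for c in passphrase)),
        "no_identity_fields": not any(
            n in lowered or n in normalised for n in names),
        "no_dictionary_words": not contains_word(lowered, wordlist),
        # Stricter variant: dictionary words hidden behind substitutions.
        "no_dictionary_words_after_deleet": not contains_word(normalised, wordlist),
    }


def passes(results, strict=False):
    """Overall verdict; the de-leet check only counts in strict mode."""
    return all(v for k, v in results.items()
               if strict or k != "no_dictionary_words_after_deleet")


if __name__ == "__main__":
    for pp in ["M1d@t30f8irTh01/23/1992)(", "1L0v3R3@d1ngc0m1cs[]", "Password1992!"]:
        r = check_passphrase(pp)
        print(pp, r, "passes:", passes(r), "strict:", passes(r, strict=True))
```

Run against the article's two examples, every listed check passes. The strict variant fails both, because `deleet` turns them back into "midateofbirth..." and "ilovereadingcomics", which is what a rule-based cracker would also see; that is the practical reason the list insists on words that are not in the dictionary rather than on disguising dictionary words.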
