Should CIOs Kill Off Passwords?

Is there a better way to secure applications and websites?
Is there a better way to secure applications and websites?
Image Credit: Mike Corbett

When your IT department creates a new website for users to access, how do they go about securing it? If you are like most IT departments, you require users to make use of a unique username and a password. That password may be a bit complex: it has to be so long, must contain upper and lower characters, has to have a special character in it, etc. However, we keep reading about hackers who are able to guess people’s passwords and gain access to sites. What should a CIO do to stop this?

Say Hello To Passphrases

So if passwords are not doing the trick, then what should we be using? Passwords have revealed themselves to be both hard to remember and really not all that secure. Perhaps now is the time for CIOs to replace passwords with passphrases. The hope is that randomly generated passphrases will be much easier for users to remember and to enter correctly. The reason that passphrases have not been used so far is that they are often viewed as being harder to enter. The result of this is that they cause more login failures.

It turns out that there has been another problem with switching to using passphrases: users are not good at selecting them. What happens is that people pick passphrases that are too easy to guess and the hackers are able to figure them out. Just to make things a bit more tricky, people tend to use the same passphrase to access more than one site. Alternatively they will use certain words repeatedly in order to make the passphrase easier to remember and then it becomes even easier to figure it out by the bad guys.

A much better way of creating a passphrase is to use a randomly generated one. Take a list of about 10,000 different words that are secure and create a passphrase that is 24 characters in length. This will prevent people from using phrases like “I love Snoop Dog” as their easily guessed phrase. The creation of an automatically generated random passphrase will help to ensure that users have a unique passphrase for every site that they access and that it is random so that hackers won’t be able to easily guess it.

How To Secure Sites Using Passphrases

Randomly generating the words that go into a passphrase is only the first part of creating a secure login system. One of the problems that people have today with the passphrases that they use is that they can’t remember what phrase they selected. This can cause them to write them down or, even worse, use the same passphrase to gain access to multiple systems. CIOs need to be aware of these issues and we need to make sure that we take steps to prevent them from becoming serious problems.

The person with the CIO job needs to understand that the simple physical act of typing in a passphrase can be a big issue for a user. What this means is that it is going to be up to the websites that the IT department is creating to provide users with hints as to what their passphrase might be. One way to accomplish this would be to reveal several passphrases letter-by-letter as the user begins to type. Showing this information to the user will allow them to recognize which word is part of their passphrase and they will be able to type the rest.

An alternative way that a website can help a user to remember what their passphrase was is by using visual mnemonics. This could consist of a simple drawing that could suggest to the user what their passphrase is. As the user starts to log in, the picture could pop up for them. If the person in the CIO position wanted to take things one step further, they could have users start to use a passphrase system in combination with a password manager system. This would allow users to store multiple complex passphrases.

What All Of This Means For You

Due to the importance of information technology CIOs are currently facing a critical security issue. The user names and passwords that we are using to secure our applications and our web sites are not accomplishing what we need them to do: keep the bad guys out. It turns out that even when we make passwords complex, the bad guys are still able to guess them. In part, this is because users tend to use the same password in order to gain access to multiple systems. What CIOs need is a better way to secure logins.

That better way may have arrived. Randomly generated passphrases are believed to be much more secure than traditional passwords. Traditionally passphrases have not been all that secure because people tend to use the same passphrases on different systems and they repeat common phrases in their passphrases. A much better way is to use automatically generated passphrases that are created from a list of 10,000 words and that are limited to being 24 characters long. CIOs need to be aware that a problem that people have with passphrases is that they can’t remember them. In order to make this easier for users CIOs should consider having web sites provide users with possible next words for a passphrase in order to jog the memory of the user. Alternatively, a website could provide a simple mnemonic that showed the user what the next word in the passphrase was.

CIOs need to take steps to better secure their online systems. The passwords that we are using today are not doing the trick. Switching to using a system of automatically generated passphrases appears as though it could go a long way in making the company’s IT assets more secure. It will take a great deal of time to get everyone comfortable with making this switch, but in the end the benefits will make the effort worth it.

– Dr. Jim Anderson
Blue Elephant Consulting –
Your Source For Real World IT Department Leadership Skills™

Question For You: Do you think that a passphrase should be limited in terms of number of characters or number of words used?

Click here to get automatic updates when The Accidental Successful CIO Blog is updated.


P.S.: Free subscriptions to The Accidental Successful CIO Newsletter are now available. Learn what you need to know to do the job. Subscribe now: Click Here!

What We’ll Be Talking About Next Time

As your company’s CIO you have a responsibility to make sure that the IT department is staffed with the skilled workers that it will need in order to remain both competitive and secure. Among other things, this means that because of the importance of information technology you are going to have to hire the cybersecurity experts that you’ll need in order to keep the bad guys out. However, this is where CIOs are starting to run into problems. It turns out that there simply are not enough cybersecurity experts out there. This is creating real problems for CIOs. What should we do about this?