The Australian Cyber Security Centre (ACSC) strongly recommends that access to systems and online services are controlled via robust user identification and authentication practices, ideally using multi-factor authentication, to help prevent cybercrime. The ACSC also acknowledges that implementing multi-factor authentication will not always be possible, and that in some cases system owners may choose to implement passphrases as the sole method of authentication. For these cases, the ACSC provides some recommendations as to passphrase requirements.
What is a passphrase?
There are some key differences between a passphrase and a password, which had led IT experts to recommend passphrases as being more secure.
What are the differences?
A password is typically composed of no more than 10 letters or symbols, or a combination of both, and there are no spaces between the letters/symbols.
Example of a password: Password1
On the other hand, a passphrase is longer than a password and contains spaces between words. It can also contain symbols, and does not have to be a proper sentence or grammatically correct.
Example of a passphrase: This is an example passphrase!
Why are passphrases better than passwords?
Passphrases easily satisfy complex rules (such as the use of upper and lower case), are longer than passwords, and are almost impossible to crack because most password cracking tools break down at around 10 characters. Furthermore, passphrases are easier to remember (e.g. you could use a line from a favourite song).
What are the ACSC recommendations regarding passphrases?
The ACSC recommends that passphrases should be at least 13 alphabetic characters. A number of randomly chosen dictionary words would satisfy this requirement.
Alternatively, if a system owner prefers a shorter passphrase policy, at least 10 characters with complexity (i.e. involving at least three different character sets) could be used.
When using passphrases as the sole method of authentication, the ACSC encourages the use of longer passphrases without complexity as they are often much easier for users to remember yet provide the same, or greater, level of protection as shorter passphrases with complexity. The ACSC also encourages system owners to consider whether passphrases need to expire or not for different account types.
As cyber adversaries become more sophisticated in their capabilities, there may be a continuous requirement for longer passphrases when used as the sole method of authentication. As this is not sustainable long term, the ACSC strongly encourages the adoption of multi-factor authentication by organisations, especially for risky activities such as remote access, conducting privileged activities and accessing sensitive information. This is one of the Essential Eight Strategies to Mitigate Cyber Security Incidents.