If you’ve ever had the feeling someone following you around as you browse the internet, it’s probably for good reason. Online security is becoming a more serious concern by the day. In 2014 alone, nearly half of American adults had their passwords hacked.
Yet many of us aren’t heeding these warnings. According to an annual report compiled by SplashData which looks at leaked passwords every year, simple, insecure passwords, like “123456” still rank among the most-used. In fact, “123456” was the top choice among over two million leaked passwords in 2015.
How could that be? We’re constantly reminded to use ‘hard-to-hack’ passwords. And password requirements continue to demand an ever-growing list of special characters and numbers to generate an acceptable password. So what’s the problem?
In today’s article, we’re going to take a look at what’s wrong with passwords from a UX perspective and highlight one potential solution: passphrases. But first, let’s start with how passwords are leaving us with our pants down.
As our lives become more and more digital, the number of accounts we have will increase–both personally and professionally. According to data analyzed by password management company Dashlane, the average number of accounts registered to just one American email account is 130. That’s 130 different passwords—if a different password is used each time. But the typical user doesn’t come up with 130 different passwords. And if they did, chances are they wouldn’t be all that hard to guess.
Creating an “ideal” password isn’t easy. According to industry standards, most user passwords must contain:
but not contain:
By the time users come up with something that meets all these requirements, chances are it’s not something they’ll likely remember easily—which is the next challenge for passwords.
Because there are so many variables involved to assure a password is challenging for nefarious individuals and bots alike, secure passwords are pretty difficult for users to remember. Which means many resort to recording them somewhere—which is yet another risk.
Some users use old fashioned methods like pen and paper while others have a digital text file, and others enlist the help of online password managers to store their carefully-crafted information. Which leads us to the next problem with passwords.
Part of what makes passwords so easy to hack is the technology that’s used to obtain them. Many hackers resort to using computer programs that can run through hundreds of thousands of guesses per second. That means that the easier users make their passwords, the easier it is for a computer to uncover them. A brute force attack may start with a list of commonly-used passwords, or even a dictionary search to include commonly-used words in passwords, and in just a few moments will have a list of valid passwords.
Password managers may seem like a great solution to generating—remembering—secure passwords. But they get hacked, too.
LastPass, a popular password manager was hacked in June of 2015. The company generates and stores secure passwords through the use of a single, unique, user-generated master password. Because the company doesn’t know or store that master password, they assured users that their information was safe—if their master password was itself, strong and secure. And while it sounded like the perfect solution, the company still wasn’t able to ward off hackers completely.
One way people get around having so many passwords to remember is by creating one, or a series of them, that’s easy to remember. Take, for example, one of SplashData’s top 25 passwords was “qwerty.” If that sounds familiar, it should. Just take a glance at your keyboard and you’ll see what I mean. Predictable passwords may be easy to remember for users, but that also makes them super easy for hackers to guess.
But even if a user has come up with a super strong password, that’s not going to help much if user’s password information is breached for a site or service, and that password is used elsewhere, too. According to a recent survey by password management company, Password Boss, 59% of consumers reuse their passwords across different accounts because they’re too difficult to remember.
About the time something becomes so passionately despised, we start to see potential solutions. Remember CAPTCHA, or taxis? As soon as people got fed up with services that didn’t, well, serve them, alternatives began to surface. CAPTCHA still exists but in a different format. Just as people can still get across town during rush hour, but with a service like Uber or Lyft instead of a taxi. The same is happening with passwords.
One such solution floating around the internet is the use of passphrases. Passphrases are similar to passwords, but with a few key differences. First off, passphrases only require characters. They can be numbers, special characters—whatever you want, it’s up to you. The key, however, is in the length of a passphrase.
According to research conducted by Carnegie Mellon University, passwords or phrases with at least 16 characters provide the most protection. For every additional character in a code, a computer used to hack it must compute additional possibilities. As that code grows in length, the computer must work harder and harder, and is less likely to discover a valid password through a brute-force attack.
While passwords have several requirements, passphrases typically have just a few:
Already this is much simpler than the password requirements outlined above, and that immediately makes them easier to remember. But it isn’t just the remembering that makes them a viable alternative. They’re harder to hack, too.
Let’s take a look at an example of an imaginary password and passphrase as an example. The first is a password I just made up using random numbers and letters. By most password security standards, this would be a pretty secure password—not that I’d ever be able to remember that beast!
But according to this online password checker, it would only take a medium-sized bot about one minute to figure it out!
Now let’s look at a sample passphrase I created:
It’s a simple phrase that I’d easily remember, and even includes dictionary words! Yet a brute-force attack would take about 30 billion years to figure this one out! I like those odds.
Of course, there are challenges with passphrases, too. Users are still prone to forgetting them, reusing them, or using easily guessable combinations.
For example, if a hacker obtains your email address, they might run a brute-force attack using your handle as part of the combination, along with any other information they’ve found on you. If you use your handle plus your birthday, a bot could still figure that out if your personal information had been compromised.
Another challenge is simply with adoption. Few sites utilize passphrases currently, which means users are now tasked with remembering both passwords and passphrases.
Password security is a serious issue, both for consumers and businesses. And part of what makes a password secure is the usability of its requirements. Take a page from the movie Gattaca’s script, and biometric identification might seem like the wave of the future. But, as the plot would tell you, even a fingerprint, retina scan, or blood sample can be compromised by an industrious hacker. Both Google and Apple have learned this lesson after incorporating biometric security on their respective smartphones.
While passphrases aren’t hacker-proof, they’re a great step in a more secure, usable direction that not only improves users information and privacy, it provides a better experience, too.
Get our best human insight resources delivered right to your inbox every month. As a bonus, we'll send you our latest industry report: When business is human, insights drive innovation.