Expert Advice
Independent security experts say to configure password fields to accept between 15 and 128 characters. A 15-character minimum pushes the password into passphrase territory automatically. Microsoft, however, limits password fields to 127 characters in Active Directory, and therefore in Exchange. But 127 should work for almost every passphrase.
The need to constantly change passwords creates problems, but with passphrases it's easier. Here's Colby again.
"Keep in mind, when you go to a passphrase approach, you can also more easily govern the regular changing of passwords. If I have to remember "!PS12Na#" and then next month remember "90dc$U@" I am going to go nuts, whereas changing my password from "My favorite baseball team is the Yankees" to "My favorite football team is the Panthers" is no big deal."
For those users stuck with outmoded systems, or outmoded security administrators, you can still use a passphrase to help you deal with short and confusing passwords, at least if they let you devise your own. The line about the Yankees becomes MfbtitY, including upper and lower case letters. If you must add numbers, throw a number inside the password or at the end. It may not work with "My favorite baseball team is the Yankees" but it works with "Call b4 you come over tonight" and "My favorite rock group is U2."
If your company supports remote users logging in to a Web application like a browser-based e-mail client, test this carefully with every browser supported. Some browsers, and some Web relay devices, block or modify some Unicode characters like symbols and spaces. If that happens to your users, they won't be able to log in over the Web. Then they will be in a bad mood when they call you for help.
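The length limits and the browser testing described above can be checked together. The following is an added example, not code from the article: it enforces the 15 to 127 character range and, when a test passphrase reaches the server altered, names which alteration occurred. The mutation list, function names and sample passphrases are assumptions constructed for illustration.

```python
import re
import unicodedata

MIN_LEN, MAX_LEN = 15, 127  # limits quoted in the article; 127 is the Active Directory cap

# Constructed models of what a browser or relay might do to a passphrase.
# Assumption for illustration: real devices may alter input in other ways.
MUTATIONS = {
    "trimmed outer whitespace": str.strip,
    "collapsed repeated spaces": lambda s: re.sub(r" {2,}", " ", s),
    "plus decoded as space": lambda s: s.replace("+", " "),
    "non-ASCII dropped": lambda s: s.encode("ascii", "ignore").decode("ascii"),
    "Unicode composed (NFC)": lambda s: unicodedata.normalize("NFC", s),
    "Unicode decomposed (NFD)": lambda s: unicodedata.normalize("NFD", s),
}

def length_problem(passphrase):
    """Return a reason string if the length is outside 15..127, else None."""
    n = len(passphrase)
    if n < MIN_LEN:
        return f"too short ({n} < {MIN_LEN})"
    if n > MAX_LEN:
        return f"too long ({n} > {MAX_LEN})"
    return None

def at_risk(passphrase):
    """Names of the modelled mutations that would change this passphrase."""
    return [name for name, fn in MUTATIONS.items() if fn(passphrase) != passphrase]

def diagnose(sent, received):
    """Name the first modelled mutation that turns `sent` into `received`."""
    if sent == received:
        return "unchanged"
    for name, fn in MUTATIONS.items():
        if fn(sent) == received:
            return name
    return "changed in an unmodelled way"

if __name__ == "__main__":
    # Constructed test passphrases to type into each supported browser.
    for p in ["Call b4 you come over tonight", " tea  for two + cr\u00e8me br\u00fbl\u00e9e "]:
        print(repr(p), length_problem(p), at_risk(p))
```

Run `diagnose` on the server side of a test account, comparing the known test passphrase with what the login form actually delivered from each browser.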
Don't force non-company users to adopt a passphrase by requiring longer passwords. Many users have a single non-critical password they use for various Web sign-in forms. No one can remember 100 different passwords for different sites, but you can certainly use "2-Stupid" as a password in 100 different places.
Nothing is foolproof, of course, when dealing with users. If you set a limit of three password attempts before locking the system, fumble-fingered typists will have problems. Weirdly, the worst typists pick the longest phrases, perhaps to give themselves more chances to hit double keys or forget where they are in the passphrase and start hitting the backspace key. You will not completely eliminate your support calls by moving from passwords to passphrases.
That said, supporting passphrases, even those like "Passwords are stupid," will cut down on user mistakes and increase your password defense against hacking. You'll be amazed at how many people can't remember eight characters but can remember 45 characters if they choose them, like "Help! I need somebody, Help! Not just anybody." Just ask them not to sing their passphrase.