12 votes

Requiring users to use passphrase instead of passwords

Hey guys -- I wrote a blog that I'd love some feedback on. I'm an identity product manager and have been trying to train my users to use passphrases. Do these read friendly enough? I want it to be readable by all users, but my target audience is other people in product and software.

https://medium.com/@toritxtornado/training-your-users-to-use-passphrases-2a42fd69e141

7 comments

  1. [2]
    eyybby

    Nice! An actually practical piece of security advice that people can easily integrate into their lives.

    It's a little text heavy though I think? Maybe throw in some images, humor, or something else along the way to break it?

    Obligatory relevant XKCD

    5 votes
    1. tori
      Yes! I almost posted that xkcd with it, actually. Great feedback. This is my first blog post and my second one is actually a somewhat humorous short poem on GDPR (https://medium.com/@toritxtornado/twas-the-night-before-gdpr-3882222cec4e). I think you're absolutely right -- that was the main thing it was missing. Thank you for reading.

      1 vote
  2. [2]
    Hoid
    This is my first post on ~tildes!

    I read and feel that I understood your write up, and think that anyone with even a small amount of computer literacy would not have a problem understanding.

    4 votes
    1. tori
      Thank you! My dad read it and thought it was tech-heavy, but it's so hard for me to separate what's domain knowledge from what's common knowledge. I really appreciate you taking the time to read it and provide feedback.

  3. Baldemoto
    That reminds me of What3Words, which tries to organize the world by giving a unique 3 words to every 3m^2 on Earth. I think it's great to take advantage of the fact that we remember words better than individual letters, especially if it gives a clear advantage on all fronts.

    3 votes
  4. [2]
    weston
    I feel like the content overall is good, however, the real meat of showing what passphrases really are is easily missed. In revision, I'd make that section be closer to the top and easier to grab the eye if someone is just skimming the article.

    Implying that passwords are not secure and that policies are arbitrary is a little misleading as well. Policies are a product of technical limitations. If you don't have some policies, people will just use simple single words. Systems that can validate that passphrases are reasonably difficult to guess don't really exist in enterprise systems yet. You can't stop 1/2 your users from using the first line of the chorus from the current hit pop song. Policies requiring complexity are a lot easier to implement, and at least encourage a base level of complexity.

    I train my clients to use sentences that have proper punctuation. That fulfills the usual complexity requirements while also implementing the ideas of passphrases. An example I use is "I drank 12 cups of coffee this morning!". This completes the usual complexity requirements while being difficult to guess and easy to remember as a passphrase, the best of all worlds.

    Overall I do like the article though. Just a few rough spots in my opinion.

    3 votes
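    weston's two points above, that a punctuated sentence satisfies the usual complexity rules and that the realistic way to catch the "first line of the chorus" case is a blocklist rather than a difficulty estimator, as an added example in Python that is not from the post or the linked blog; the `COMMON_PHRASES` set and the thresholds are constructed stand-ins for what a real policy would load from a breached-phrase corpus.

```python
import string
from typing import Tuple

# Constructed stand-in for a blocklist of well-known phrases (song lyrics, memes,
# famous example passphrases). A deployment would load a large corpus here.
COMMON_PHRASES = {
    "i love you",
    "never gonna give you up",
    "correct horse battery staple",
}


def normalize(phrase: str) -> str:
    """Lower-case, drop punctuation and collapse whitespace so that trivial
    variants ("Never gonna give you up!") still hit the blocklist."""
    stripped = phrase.translate(str.maketrans("", "", string.punctuation))
    return " ".join(stripped.lower().split())


def meets_complexity(secret: str, min_len: int = 8) -> bool:
    """The classic enterprise rule: minimum length plus at least three of
    four character classes (lower, upper, digit, symbol-or-space)."""
    classes = [
        any(c.islower() for c in secret),
        any(c.isupper() for c in secret),
        any(c.isdigit() for c in secret),
        any(c in string.punctuation or c == " " for c in secret),
    ]
    return len(secret) >= min_len and sum(classes) >= 3


def check_passphrase(secret: str, min_words: int = 4, min_len: int = 16) -> Tuple[bool, str]:
    """Accept a multi-word sentence-style passphrase or a complexity-compliant
    password, but reject anything on the blocklist first. Returns (ok, reason)."""
    words = normalize(secret).split()
    if " ".join(words) in COMMON_PHRASES:
        return False, "matches a well-known phrase"
    if len(words) >= min_words and len(secret) >= min_len:
        return True, "accepted as passphrase"
    if meets_complexity(secret):
        return True, "accepted under complexity rules"
    return False, "too short or too simple"


if __name__ == "__main__":
    for candidate in ["I drank 12 cups of coffee this morning!", "password",
                      "Never gonna give you up!", "Tr0ub4dor&3"]:
        print(repr(candidate), "->", check_passphrase(candidate))
```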
    1. tori
      This is really good feedback. It's my first blog post, and I know there is a lot of room for improvement. I work on an enterprise application and am building a new version of it, so I get to define new passphrase policies. I like the idea of passphrases with proper punctuation. That doesn't seem all that much more complex, but it adds an extra layer of security.

      Thanks again for taking the time to type this out.

      2 votes