
Passkeys, passwords or passphrases?

Cybersecurity

How do you secure your accounts and how do you create strong passwords? In this article we will give you some tips and tricks.

10 October 2023
Written by Admincontrol

Hackers use multiple methods for trying to get into your accounts. The most commonly used attacks involve phishing or the use of stolen credentials.

74% of all breaches include the human element, such as the use of stolen credentials or phishing.

You may think that you have a strong password and use it on many different services. Well, I have to tell you that you are at a high risk of being hacked. The good news is that you can fix this by applying some additional protection measures.

Four tips everyone should follow

  • Always use multi-factor authentication (MFA)
  • Use a secure password manager to manage all your credentials
  • Create longer passwords (passphrases) instead of complex passwords
  • Where possible, start using passkeys instead of passwords

Use multi-factor authentication

While creating strong passwords using passphrases is important, it is even more important to protect your account with an additional authentication factor, such as an authenticator app. This is what we call two-factor authentication (2FA) or multi-factor authentication (MFA), and today it is a must for protecting your accounts.

Using additional authentication factors makes it much more difficult for attackers, since stealing your credentials alone is no longer enough to get into your account. If you have not yet protected your accounts with 2FA, you should do so as soon as possible. Read more on why and how to use 2FA here.

What are passkeys?

Passwords are the primary method of authentication but are also one of the weakest because passwords can be guessed and are quite frequently stolen. To reduce the reliance on passwords and make it easier for people to protect themselves, the software and security industry has created a more secure solution called passkeys.

Passkeys rely on cryptographically secure keys stored securely on a system that you control, such as your laptop, mobile phone or your secure password manager.

Every time you log in to a service, a unique login credential is generated specifically for that service from the keys stored on your device, and that credential is used to authenticate you instead of a static password.

More secure

Using passkeys is a more secure solution than using passwords because of their cryptographic strength.

The good news is that these passkeys are also resistant to phishing. If an attacker successfully tricks you into clicking on a link that takes you to a disguised login page where you provide a passkey, it cannot be re-used to log in to the real site.

The passkey only works once, for the specific site for which it was created.

Easier to use

Another benefit of passkeys is that they are more convenient: they can be unlocked with the biometric features on your device, or with a code dedicated to that specific device, so that this code is the only thing you need to remember.

While passkeys can be very useful, most services still require you to create a password and may not yet support passkeys, so you still need to be able to create long and strong passwords.

Use a password manager

With the number of accounts it is typical to have in today’s online world, it can be challenging to keep track of all of them. Even with good and memorable passphrases, this can be a daunting task.

The best solution is to use a secure password manager. A password manager is specialised software created to keep your passwords and account information secure, while also easing the login process by automatically entering your account information with the help of browser add-ins.

Use a password manager to store all your different passwords. They are secure and easy to remember!

You can think of the password manager as your password vault, since it securely stores your account information in encrypted form on your device or in a secure cloud solution, depending on the product you choose.

You still need to create a strong password to access your password manager. So I’ll also give you some tips on how to create memorable and strong passwords.

Tricks for creating strong passwords

People are good at remembering situations or phrases that carry a message they can relate to. Some of us are very good at remembering text if it is in the form of a rhyme or song. We should take advantage of this and use the same approach when creating passwords we need to remember. In other words, instead of passwords we should create passphrases, because the longer a password is, the harder it is to guess or for hackers to crack using computers.

An example could be:
“My dog always barks at the postman”

Or:
“I love the smell of coffee in the morning”

Managing Director at Admincontrol, Møyfrid Øygard, recommends using human aspects in passwords.

Use human aspects in passwords

These sentences are much longer than ordinary passwords, which makes them much stronger, and they include the human aspect where they relate to something that we can feel, have felt or can visualise. As soon as you apply the principle of visualising something, then your brain is much better equipped to remember it.

If you look at the text, you will see that it still contains upper- and lowercase letters. It also contains spaces, which count as special characters. It does not contain numbers; there is no need for that. But if you still encounter a requirement for numbers, just incorporate one into the passphrase to comply with the rules.

Instead of passwords we should create passphrases

If you evaluate the strength of these passphrases mathematically (based on computing power), you will find that cracking them with computers would take more than 10,000 centuries of guessing. This makes it impossible for any hacker and ensures that your data is safe.

Compare this with a typical password requirement of 8 characters, upper + lowercase + numbers + special characters, like:

“Thorough2%” – This looks strong, right? It even has 10 characters, with special characters and all that. Yet such a password only takes a few hours for an attacker to guess using computers. Ouch!

“Xs5dfg%–” – This looks complex and hard to guess, but it takes just a few minutes to crack using computers, and you probably won’t remember it anyway.
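Why does the short "complex" password lose so badly to the plain sentence? The estimate depends on which attacker you model: one who tries every byte string, or one who knows that people take a dictionary word and bolt a digit and a symbol onto it. The following added example, written for this article and not Admincontrol's code, computes both estimates for the passwords above. The wordlist size, the capitalisation variants and the guess rate are assumptions chosen for illustration, so the absolute years will differ from the figures in the text; the ratio between the passphrase and the short password is the point.

```javascript
// Added example (not Admincontrol's code): estimating guesses needed under
// two attacker models. All parameters below are assumptions for illustration.
const GUESSES_PER_SECOND = 1e10;   // assumed offline cracking rate
const DICTIONARY_WORDS = 20000;    // assumed attacker wordlist size
const CASE_VARIANTS = 2;           // assumed: lowercase and Capitalised
const SYMBOL_SET = 33;             // printable ASCII punctuation plus space
const SECONDS_PER_YEAR = 31557600;

// Naive model: every character drawn independently from the character
// classes present in the secret. This is the "it has symbols, so it is
// strong" estimate that makes Thorough2% look good.
function bruteForceGuesses(secret) {
  let alphabet = 0;
  if (/[a-z]/.test(secret)) alphabet += 26;
  if (/[A-Z]/.test(secret)) alphabet += 26;
  if (/[0-9]/.test(secret)) alphabet += 10;
  if (/[^a-zA-Z0-9]/.test(secret)) alphabet += SYMBOL_SET;
  return Math.pow(alphabet, secret.length);
}

// Pattern model: the attacker tries the structure people actually use
// (word + digits + symbol, or a sequence of common words), not every string.
function patternGuesses(secret) {
  const words = secret.trim().split(/\s+/);
  if (words.length > 1) {
    // Passphrase of N common words, each from the wordlist, each in one of
    // the case variants. Length in words is what drives the exponent.
    return Math.pow(DICTIONARY_WORDS * CASE_VARIANTS, words.length);
  }
  // Single token: dictionary word, then optional digits, then optional symbols.
  const m = secret.match(/^([A-Za-z]+)(\d*)([^A-Za-z0-9]*)$/);
  if (!m) return bruteForceGuesses(secret);   // no recognisable structure
  const [, , digits, symbols] = m;
  return DICTIONARY_WORDS * CASE_VARIANTS
    * Math.pow(10, digits.length) * Math.pow(SYMBOL_SET, symbols.length);
}

function yearsToCrack(guesses) {
  return guesses / GUESSES_PER_SECOND / SECONDS_PER_YEAR;
}

// Side-by-side estimate for one secret under both models.
function compare(secret) {
  return {
    secret,
    bruteForceYears: yearsToCrack(bruteForceGuesses(secret)),
    patternYears: yearsToCrack(patternGuesses(secret)),
  };
}

// The two examples from the article, plus the random-looking one.
function demo() {
  return ['My dog always barks at the postman', 'Thorough2%', 'Xs5dfg%–'].map(compare);
}
```

Under the naive model `Thorough2%` appears to need 95^10 guesses, which at the assumed rate is roughly two centuries; under the pattern model it needs only about 1.3 million, a fraction of a second. The seven-word sentence stays astronomically expensive in both models because the attacker's exponent is the number of words, and adding one more word multiplies the work by the whole wordlist again.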


What about my existing passwords and accounts?

If you don’t use long and strong passwords on your existing accounts, we recommend that you update them and create strong passphrases, or use the password manager to create strong passwords for you.

You should closely monitor if any of your existing accounts have been affected by a data breach

Data breaches do occur and can disclose your account details to hackers, including your username and password. Even large companies have been shown to not take security seriously enough. You should therefore closely monitor whether any of your existing accounts have been affected by a data breach.

For this purpose we would specifically recommend that you check your email address using a public service like https://haveibeenpwned.com/.

You enter your email address to get a list of known breaches that included it. If you are affected, make sure you create a new and strong password for that service and never reuse the old password. You can also subscribe to be notified of any new breaches.

Good luck on creating your new passphrases and remember to always use two-factor authentication! 


If you want to discover other ways of increasing your security in these rapidly changing times, you may also be interested in our handbook on how to manage the impact of hybrid working on cybersecurity.
