IT Confessional Series: Passwords and Passphrases – NOT One and the Same!

By Andy the Angry IT Guy

Editor’s note: This is the eighth in a series of posts we’ll be running from “Andy,” an anonymous IT administrator working for a mid-sized organization located somewhere in the American Midwest. In his previous post, Andy explored some of the features introduced in the new version of VMware Go Pro, and made his latest play in his ongoing pursuit of Liz from accounting.

Today, Andy – who tells us he drank four Red Bulls immediately preceding his writing of this post – tells us why passwords and passphrases are two very different things, and how employees are putting both themselves and their organizations at risk by relying on the traditional password model.

Permit me a rant today, folks. I just spent the past two-and-a-half hours taking stock of all passwords for every employee in our network. Last week, my friend Pratik was nearly fired after a malicious hacker accessed his company’s network and broke into a database that stored over 500 credit card numbers. How did this hacker get in, you may be asking? Apparently, one of his company’s marketing execs was using “password” as his network password. If it weren’t for the series of incriminating photos that Pratik had of his boss jumping up and down and screaming at a Justin Bieber concert, he would have undoubtedly been looking for a new job by now.

Anyway, I took this incident as a cue to survey the passwords in my own network to make sure that we didn’t have such glaring vulnerabilities. Surely, my organization of astute, can-do individuals would be better than that – nobody would be so silly as to choose such an obvious, er, password… Right?

Wrong.

To be fair, nobody actually used “password,” but here’s but a small sampling of some of the other less-than-secure passwords my coworkers employed:

  • “apple”
  • “candy123”
  • “destiny666”
  • “money”

Now, once you get past the fact that these all kind of sound like stripper names (and it admittedly took me a few minutes to do so myself), you’re left to realize how obvious they are; any hacker worth half his merit could break into these accounts in a matter of minutes. These people clearly don’t understand the difference between a “password” and a “passphrase” – which has its own Wikipedia entry, lest you doubt its legitimacy.

To put it simply, “password” is to “passphrase” as “rickety wooden door with a broken lock” is to “vault.” Information technology has evolved rapidly over the past 25 years, and so have hacking techniques. If you’re choosing a single word to authenticate your access to a network, you’re making your organization—and your IT admin’s job security, for that matter—extremely vulnerable. For example, a hacker can employ a “dictionary attack,” an automated program that successively tries an exhaustive list of commonly used passwords to gain access to your network.

It absolutely boggles my mind that people in this day and age are still using such rudimentary passwords, when adopting a more extensive, yet just-as-easy-to-remember passphrase can exponentially reduce your risk of being hacked. Instead of “password,” you can go with “password is the most obvious choice ever so please hack me.” Seriously – you can make that your password! Every Windows operating system since Windows 2000 has supported passphrases of up to 127 unique characters—there’s simply no reason not to take advantage of this.

While you can (and should) incorporate numbers and other symbols into your passphrase as well, I’m by no means advocating the randomized “xZd4!g8F”-style passwords that paranoid admins like to hand out. While they may be far more difficult to hack, they’re also nearly impossible to remember. Instead, consider a few of these examples:

  • “For the love of all that is holy when will this day end?”
  • “In six hours I will be playing Diablo 3”
  • “143 Liz from accounting”
  • “haauauuhauaau vruuuuwooao miaoourrrooaao”*

*Example only relevant if you speak Wookie
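To make the “rickety door” versus “vault” comparison concrete, here is a small password-policy check written for this post (it is an added example, not Andy’s code or anything shipped with VMware Go). It rejects candidates found in a constructed list of weak passwords (seeded with the ones quoted above), rejects single dictionary-style words, and gives a rough estimate of how many guesses a word-based dictionary attack would need for a given candidate. The dictionary size, guessing rate, and the 16-character / 4-word thresholds are assumptions chosen for the illustration, not values from the post.

```python
import re

# Constructed sample of weak passwords, seeded with the ones quoted in the post.
# A real deployment would use a large published breach list instead.
COMMON_PASSWORDS = {
    "password", "apple", "candy123", "destiny666", "money",
    "123456", "qwerty", "letmein",
}

# Assumptions for this example: policy thresholds and attacker model.
MIN_PASSPHRASE_LENGTH = 16     # minimum characters for a passphrase
MIN_WORDS = 4                  # minimum whitespace-separated words
DICTIONARY_SIZE = 100_000      # words in the attacker's assumed word list
GUESSES_PER_SECOND = 1_000_000 # assumed offline guessing rate


def normalize(candidate):
    """Lower-case and strip trailing digits so 'Apple42' still matches 'apple'."""
    return re.sub(r"\d+$", "", candidate.lower())


def check_password(candidate):
    """Return (accepted, reason) for a candidate password or passphrase."""
    c = candidate.strip()
    if not c:
        return False, "empty"
    # Anything on the weak list (with or without a trailing number) is out.
    if c.lower() in COMMON_PASSWORDS or normalize(c) in COMMON_PASSWORDS:
        return False, "found in common-password list"
    words = c.split()
    if len(words) >= MIN_WORDS and len(c) >= MIN_PASSPHRASE_LENGTH:
        return True, "passphrase accepted"
    # A lone dictionary word is exactly what a dictionary attack enumerates.
    if len(words) == 1 and c.isalpha():
        return False, "single dictionary-style word: trivially guessed by a dictionary attack"
    return False, f"too short: need at least {MIN_PASSPHRASE_LENGTH} characters and {MIN_WORDS} words"


def guess_space(candidate):
    """Rough size of the search space for a word-based dictionary attack.

    Each alphabetic run costs one word-list lookup (capped at 52**len for very
    short runs), each digit run 10**len, each symbol run about 32**len.
    This is a coarse model for comparing candidates, not a precise bound.
    """
    space = 1
    for token in re.findall(r"[A-Za-z]+|\d+|[^A-Za-z\d\s]+", candidate):
        if token.isalpha():
            space *= min(DICTIONARY_SIZE, 52 ** len(token))
        elif token.isdigit():
            space *= 10 ** len(token)
        else:
            space *= 32 ** len(token)
    return space


def seconds_to_exhaust(candidate, rate=GUESSES_PER_SECOND):
    """Time to try the whole search space at the assumed guessing rate."""
    return guess_space(candidate) / rate


if __name__ == "__main__":
    for sample in ["apple", "candy123", "xZd4!g8F",
                   "143 Liz from accounting",
                   "For the love of all that is holy when will this day end?"]:
        ok, why = check_password(sample)
        print(f"{sample!r}: {'OK' if ok else 'REJECT'} ({why}); "
              f"~{seconds_to_exhaust(sample):.3g} s to exhaust")
```

The interesting output is the last column: “candy123” falls in about a hundred seconds under these assumptions, while the eleven-word sentence Andy suggests is out of reach by dozens of orders of magnitude, even though it is far easier to remember than “xZd4!g8F”.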

Now if you’ll excuse me, I’m off to go write a sternly-worded email to my entire office about why it’s time to drop passwords in favor of passphrases. Have any good passphrases of your own? Feel free to post them in the comment section below!

One thought on “IT Confessional Series: Passwords and Passphrases – NOT One and the Same!”

  1. ben

    I have also been moving my companies to passphrases. This is one I retired several years ago, so I don’t mind sharing one of my all-time personal favorites.
    “Stop! The beast contained herein shall not be set free, not even by you.”
    –Tyrael
