OSB Professional Liability Fund

Passphrases: An Enhanced Level of Security

May 19, 2017
by Rachel Edwards

We now live in a digital world. Many of our interactions occur online using computers, smartphones, and other mobile devices. This new reality requires passwords at multiple stages, whether to unlock our computer or smartphone or log in to a practice management software program or website. The number of passwords needed to perform our daily activities, both personal and professional, can be overwhelming. While many devices and websites now require multi-factor authentication (e.g., requiring an access code that is sent to your smartphone), some do not offer that level of security, leaving you with single-factor authentication through use of a password. Here are some suggestions for creating and managing passwords while following proper security measures.

Consider using a passphrase rather than a password. A passphrase is a phrase or sentence, whereas a password is typically composed of a single word or set of numbers. Strong passphrases are generally 20-30 characters; a password is generally 6-10 characters. A strong passphrase can provide an added level of security. Below are tips for creating a strong passphrase:
  1. Use phrases that are meaningful to you but not easy to guess, even by family members or friends. Examples include favorite song lyrics (e.g., JustASmallTownGirl$$LivingInALonelyWorld!) or childhood pet names (e.g., Fido&Mr.Kitty&Bandit).
  2. Use a mix of upper and lowercase letters.
  3. Add numbers and symbols (!@#$%). You can also change some letters to symbols (e.g., A is @).
  4. Do not use sample passphrases found online.
  5. Avoid well-known quotes, song lyrics, or phrases.
  6. Structure it to be easily memorable.

Once you have created strong passphrases, consider these suggestions for ensuring additional security:
  1. Do not use the same passphrases across multiple devices or websites. As frustrating as it can be to end up with a long list of passphrases, protecting things like confidential client information or your bank account is worth the effort.
  2. Change your passphrases regularly.
  3. If an account is compromised, do not reuse the passphrase in a different location.
  4. Do not store passwords in an easily accessible location, such as on a sticky note next to your computer or in a document titled “passwords.” Consider using a password manager program such as LastPass.
  5. Do not share your passphrase with others. Yet keep in mind your duty to plan ahead in the event of your incapacity or death, and be sure that someone is able to find your passphrases in order to protect your clients’ interests. You can find additional information in our publication “Planning Ahead: A Guide to Protecting Your Clients’ Interests in the Event of Your Disability or Death,” which is located on our website at www.osbplf.org > Practice Management > Publications.

Some systems do not allow for the number of characters required by a strong passphrase. For example, some smartphones only allow for a set of numbers as a password. Rather than choosing a set of numbers (e.g., 1234) or even a word that translates into numbers on the keypad (e.g., DUCK=3825), you can instead take the first letter of each word in a passphrase and translate those letters into numbers (e.g., SummerCampFiletMignon=SCFM=7236). This passphrase combines a favorite childhood memory (Summer Camp) with a favorite food (Filet Mignon).

Many smartphones and other mobile devices now let you change your settings to allow for passphrases (often called a “custom alphanumeric code”) and multi-factor authentication (e.g., an access code sent to you via email prior to login, or a fingerprint). Yet if a particular device or website provides only single-factor authentication such as a passphrase, consider implementing the suggestions above to achieve an enhanced level of security for your data.