An article in the Washington Post suggests using passphrases rather than passwords, and using multifactor authentication, to log in to websites. It says:
We made two recommendations to the department, but they apply equally to anyone using a computer at a nongovernment job or at home. First, we recommended that the department adopt multifactor authentication across all IT systems. MFA is the gold standard for cybersecurity. It refers to the use of at least two factors to access computer systems. The factors usually fall into three categories: something you have (a digital token), something you know (a password) and something you are (a fingerprint or retinal scan). MFA requires at least two of those factors, such as a fingerprint plus a password.
MFA is already required on all federal systems — and has been for decades. It’s not a new technology; various forms of it have been in use in private industry for 35 years. But our inspection showed that the department didn’t enforce MFA on an unknown number of systems. In fact, we found that nearly 90 percent of the Interior Department’s high-value IT systems allowed MFA to be bypassed or permitted authentication through passwords alone. We therefore recommended that the department prioritize implementing MFA and requiring MFA methods that cannot be bypassed on all its systems.
Second, where MFA cannot be currently implemented, we recommended that the department move away from passwords and toward passphrases.
Here’s why: As we’ve come to rely on passwords more and more in our daily lives, bad actors have become better and better at defeating them. This has created a “negative feedback loop”: As password policies require more complexity, remembering passwords becomes more difficult, leading users to turn to simple, easy-to-remember patterns. According to the National Institute of Standards and Technology — the primary U.S. government agency for cybersecurity measurement, research and standards development — these common patterns have become easy targets for hackers, leading to additional password complexity requirements, in a never-ending cycle.
To make matters worse, passwords are not only hard to remember but also have the added benefit of being ineffective: Even complex passwords are remarkably easy for computers to guess. A computer can hack a password such as “5pr1ng*ish3re” relatively quickly. The better choice is a more easily remembered passphrase that strings together several unrelated words totaling more than 16 letters, such as “DinosaurLetterTrailChance.” Though a computer can break a complex password in days, if not hours, it could take the same computer centuries or even millennia to crack a passphrase. It’s counterintuitive, but the facts are clear: Passwords are hard for a person to remember and easy for a computer to crack, while the opposite is true of passphrases.
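The crack-time argument above rests on how large a search space an attacker actually has to cover, not on how "complex" a string looks. The calculator below is an added illustration, not code from the Post article or its authors; the guess rate (an offline attack against a fast hash at 1e10 guesses per second), the size of the common-word list, the number of mangling rules and the size of the passphrase word list are all assumed parameters chosen to reproduce the article's orders of magnitude.

```python
import math

# Assumed attacker model (not from the article): offline attack at 1e10 guesses/s.
GUESSES_PER_SECOND = 1e10

def charset_bits(length, charset_size):
    """Naive estimate: every character drawn uniformly from the charset."""
    return length * math.log2(charset_size)

def mangled_phrase_bits(word_count, common_words, mangling_rules):
    """How a cracker really models '5pr1ng*ish3re': a few common words
    ('spring is here') plus one substitution rule, enumerated together."""
    return word_count * math.log2(common_words) + math.log2(mangling_rules)

def wordlist_passphrase_bits(word_count, wordlist_size):
    """Random words from a published list; the attacker is assumed to know the list."""
    return word_count * math.log2(wordlist_size)

def expected_crack_seconds(bits, guesses_per_second=GUESSES_PER_SECOND):
    """Average time to hit the secret: half the search space at the given rate."""
    return (2.0 ** bits) / 2.0 / guesses_per_second

def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    units = (("millennia", 3.15576e10), ("years", 3.15576e7),
             ("days", 86400.0), ("hours", 3600.0), ("minutes", 60.0))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"

def compare():
    """Return the three estimates the article's comparison turns on."""
    # Treating the 13-character password as random over 95 printable ASCII
    # characters overstates its strength: nobody brute-forces it that way.
    naive = charset_bits(13, 95)
    # Assumed: 3 words from a 10,000-word common list, 1024 mangling rules.
    password = mangled_phrase_bits(3, 10_000, 1024)
    # Assumed: 4 words from a 170,000-word list ("DinosaurLetterTrailChance").
    passphrase = wordlist_passphrase_bits(4, 170_000)
    return {
        "naive_bits": naive,
        "password_bits": password,
        "password_seconds": expected_crack_seconds(password),
        "passphrase_bits": passphrase,
        "passphrase_seconds": expected_crack_seconds(passphrase),
    }

if __name__ == "__main__":
    r = compare()
    print(f"password ~{r['password_bits']:.1f} bits: {humanize(r['password_seconds'])}")
    print(f"passphrase ~{r['passphrase_bits']:.1f} bits: {humanize(r['passphrase_seconds'])}")
```

Under these assumptions the mangled password falls in about 14 hours while the four-word passphrase takes over a millennium; changing the guess rate moves both by the same factor, so the ratio, roughly a million to one, is what the policy choice depends on.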