XKCD hit the nail on the head years ago with this comic about the difference between passwords and passphrases.
A password is a string of random characters; a passphrase is a sequence of words you know, chosen so that it is easier to remember. That is the whole reason for passphrases: a passphrase is easier for people to remember than a password.
If you have a tool that automatically rotates your password or passphrase every 24 hours or every time you log in, then the difference doesn’t really matter, because the tool generates it for you. You don’t have to remember it: you look it up, it’s shown, and you type it in. This is the crux of the issue. A good tool, like ours, will inject your password whenever you’re online and connecting to something.
A good tool will also let you enter that password and get logged in if you are offline. This is where the niche case for passphrases over passwords can come into play in privileged account management for an MSP, when technicians access client networks.
If a technician is sitting in front of a computer that is offline and brings up their password on the mobile app to get logged in, it can be easier to type in a passphrase than a password. This is feedback that we’ve gotten from some of our partners. As a result of this feedback, TechIDManager now has passphrases that you can choose to use instead of passwords.
From an ivory tower perspective, looking at guessability and resistance to brute-force attack, we use a dictionary of more than 7000 different words that you can look up and change. Five words is the recommended minimum, which is approximately equal in bits of entropy to a 16-character password. From a security perspective, they are interchangeable. Both give 2 × 10^18 or more possibilities, which is a lot of options to go through and check if you are going to brute force it. Even from an ivory tower perspective, it really doesn’t make much difference whether you use a passphrase or a password in that niche of automated privileged account management with automatic password rotation, because you do not have to remember that password.
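The word-count arithmetic and the generation step described above, as an added example (not TechIDManager's code): it draws words with a CSPRNG, de-duplicates the list so the keyspace is not overstated, and finds how many words are needed to reach the 2 × 10^18 figure. The function names and the synthetic word list from `demo_wordlist` are assumptions made for illustration; a real deployment would load its own dictionary.

```python
import math
import secrets
from itertools import product

def demo_wordlist(size=7000):
    """Constructed stand-in dictionary: unique two-syllable pseudo-words."""
    syllables = [c + v for c in "bcdfghjklmnprstvwxyz" for v in "aeiou"]
    return [a + b for a, b in product(syllables, repeat=2)][:size]

def normalize(wordlist):
    """Strip, lower-case and de-duplicate; duplicates would overstate the keyspace."""
    return sorted({w.strip().lower() for w in wordlist if w.strip()})

def keyspace(symbols, length):
    """Number of equally likely secrets of `length` picks from `symbols` choices."""
    return symbols ** length

def entropy_bits(symbols, length):
    """Entropy in bits of a uniformly random secret."""
    return length * math.log2(symbols)

def min_words(dict_size, target):
    """Smallest word count whose keyspace reaches `target`."""
    n = 1
    while keyspace(dict_size, n) < target:
        n += 1
    return n

def generate_passphrase(wordlist, n_words=5, sep="-"):
    words = normalize(wordlist)
    if len(words) < 2:
        raise ValueError("word list too small")
    if any(sep in w for w in words):
        # Otherwise two different word sequences could produce the same string.
        raise ValueError("separator occurs inside a word")
    # secrets.choice uses the OS CSPRNG; drawing with replacement keeps
    # every position independent, so the keyspace is len(words) ** n_words.
    return sep.join(secrets.choice(words) for _ in range(n_words))

if __name__ == "__main__":
    words = normalize(demo_wordlist())
    print(generate_passphrase(words))
    print(f"{keyspace(len(words), 5):.2e} phrases, "
          f"{entropy_bits(len(words), 5):.1f} bits")
    print("words needed for 2e18:", min_words(len(words), 2 * 10**18))
```

The entropy figure only holds when every word is chosen uniformly at random by the tool; a phrase picked by a person from the same dictionary does not have it.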
The reason for passphrases is the memory aspect. We are listening to our partners, we appreciate all of you, and we are going to implement the things you asked for, even if it’s just to make niche cases easier for you.
Want to know more about TechIDManager? Schedule some time with us!