We’ve all done it — changed our passwords periodically or perhaps when “commanded” to do it to protect cybersecurity. And that security is top of mind for most banks. A survey of chief risk officers says it’s the main risk financial institutions face over the next 12 months.
Now some are taking that practice of changing passwords to a new level: passphrases.
A traditional eight-character “complex” password (P@ssw0rd!) offers roughly 218 trillion combinations. That sounds impressive until you realize that modern GPU setups can test those combinations in months, not years. If you increase that to 16 characters using only lowercase letters, you're looking at 26 to the power of 16 combinations, billions of times harder to crack for a would-be attacker. And three or four random common words strung together might be easier to remember than a long password.
For decades, password rules demanded complexity: uppercase, lowercase, numbers and symbols, all meant to make things difficult for hackers. Now security experts are saying length is more important than complexity, and using a passphrase can accomplish that. It’s much more difficult to find the right combination of words in a passphrase than of numbers and letters in a password.
Consider these two advantages:
Fewer resets. When you use a memorable phrase — and the list of those you could use is as endless as your mindset — there’s no need to write it down on a note that you leave on your desk or in a calendar. The phrase is already in your mind — that can’t be easily copied unless your attacker is a mind reader!
Better resistance to attacks, since hackers look for patterns with letter/number combinations. Just be sure your passphrase is made up of random words. Don’t say “The-sky-is-blue” as it’s too easy to connect the dots. Try something like “frog-mayonaise-accordian-gutter.” You get it — nothing that makes sense but something you can easily remember. No mandatory capitals, no required symbols, nothing too complex. The keys are the length and the randomness of the words.
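The keyspace arithmetic and the random-word advice above, as an added Python example that is not part of the original article: it compares the article's two figures with word-based passphrases and generates one from a cryptographic random source. The 32-word list is constructed for the demo, the 7,776-word figure assumes a list the size of the EFF long wordlist, and the function names are hypothetical.

```python
import math
import secrets

# Constructed 32-word sample list, for demonstration only. Real use needs a
# large list; 7,776 words (the size of the EFF long wordlist) is assumed below.
SAMPLE_WORDS = (
    "frog gutter lantern pebble walnut copper meadow tunnel "
    "violin harbor saddle quartz thimble orchard beacon cactus "
    "ribbon anchor marble falcon pillow timber velvet canyon "
    "butter goblet hammer island jungle kettle ladder magnet"
).split()


def keyspace_bits(options: int, picks: int) -> float:
    """Entropy in bits when each of `picks` slots is chosen uniformly at random."""
    return picks * math.log2(options)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest number of random words whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(words, count=4, sep="-"):
    """Pick `count` words with the OS CSPRNG; human-chosen words void the math."""
    if count < 1 or len(set(words)) != len(words):
        raise ValueError("need count >= 1 and a list without duplicates")
    return sep.join(secrets.choice(words) for _ in range(count))


def comparison():
    """Entropy of the article's two cases next to word-based passphrases."""
    return {
        "8 chars from 62 symbols (~218 trillion)": keyspace_bits(62, 8),
        "16 random lowercase letters (26^16)": keyspace_bits(26, 16),
        "4 words from a 7,776-word list": keyspace_bits(7776, 4),
        "4 words from the 32-word sample list": keyspace_bits(len(SAMPLE_WORDS), 4),
    }


if __name__ == "__main__":
    for label, bits in comparison().items():
        print(f"{bits:6.1f} bits  {label}")
    print("words to match 26^16:", words_needed(7776, keyspace_bits(26, 16)))
    print("sample:", generate_passphrase(SAMPLE_WORDS))
```

The strength comes from the size of the word list and the number of random picks, not from the character count: four words from a 7,776-word list give about 51.7 bits, above the eight-character case but below 16 random letters, which takes six such words to match.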
The cybersecurity concern has made risks more complex. They come from advanced persistent threats, ransomware and state-sponsored attacks on financial institutions. Because banks are increasingly reliant on third-party vendors, cloud services and digital platforms, operational resilience is under more pressure. And any breach or disruption of services can cause not just financial loss but also damage to an institution’s reputation, regulatory sanctions and loss of customer trust.
Swapping a password for a passphrase can add a layer of security to any bank or financial institution.