FBI issues advice to scrap your passwords and replace them with something more secure Getty

Stop using your passwords and make this one simple change for a more secure life

The Protected Voices initiative was launched by the FBI to help safeguard against online "foreign influence" operations along with cybersecurity threats. With input from the FBI itself, the Department of Homeland Security, and the Office of the Director of National Intelligence, it's a goldmine of essential guidance and advice on everything from social engineering through to incident response. While the information is geared toward political campaigns, the advice provided applies to a much wider audience. Adapted from that initiative is something known as the FBI Portland Tech Tuesday report, and the latest recommends an alternative to the passwords that most people use to protect everything from email to banking, phones to laptops. The FBI wants you to stop using passwords and do this one thing instead.

The security devil is in the password detail

The devil is, as always, in the detail. In this case, that detail is that complexity isn’t always best. The passwords that the FBI wants you to stop using are both simple and easy to remember ones, which are also easy to guess or break, and even more complex combinations of cases, numbers, and special characters that are much harder to remember. I'd hope that you aren't using one of the world's top 100 worst passwords, nor should you just be swiping right when it comes to password selection.

This is where the FBI advice comes in, and can be summed up by those two words: length and complexity. "Password length is much more important than password complexity," the FBI said, adding that instead of using shorter and more complex passwords, you should "consider using a longer passphrase."

A passphrase as a better alternative to a complex password is not exactly a new security concept, but it remains a good one, and it's good to see both the National Institute of Standards and Technology (NIST) and the FBI recommending it.

Correct Horse Battery Staple

Most geeks will have come across the idea of length beating complexity, and passphrases trumping passwords, from the "Correct Horse Battery Staple" cartoon. If you've never seen this, do go and take a look. It explains better than any number of lengthy essays why such a passphrase is difficult to guess but easy to remember. And that's the point of the FBU advice: "The extra length of a passphrase makes it harder to crack while also making it easier for you to remember."

So, while G5e*cbCy74Tm$*SZthE7igp7L is certainly difficult for a would-be attacker to guess or break using brute-force attack methods, it's all but impossible to remember. However, "FantasticYellowBowledHair" is the same length but a lot less complex and so much easier to visualize and thus recall. Importantly, it's just as hard for criminals to crack. The trick is to use unrelated words that can be combined into something that you can visualize, rather than related words that might be guessable as a phrase. The FBI recommends using passphrases of at least 15 characters, but I'd suggest stretching that to 25 characters because, well, why not?

There's even a passphrase generator online that uses the XKCD method, with user parameter options such as word capitalization and separator options, that will throw random phrases at you to make the process even easier.

Why not just use a password manager?

You may well be wondering why bother with passphrases when a password manager application randomly generates suitably long and complex passwords that you never have to remember as it does all that for you? This is true, and it's what a lot of information security professionals from ethical hackers to CISOs of my acquaintance both use themselves and advise others so to do. However, your password vault still needs to be secured by a master password, and that's where the passphrase advice comes back into play. You can make this hellishly long, but unforgettable, using a passphrase to get the best of both secure worlds. For additional heft, multiple layers of security are always a good thing. Adding extra user verification steps such as biometrics (a fingerprint) or tokens (hardware security keys or software authenticator app codes) into the mix will lock your accounts and services down even tighter.