One of the members of the Master Mind Security Panel during the ITEC show in Charlotte, Dan Colby, made a great point. Basically, he said "quit using passwords."
Colby is president and CEO of Pinstripe, an application development and consulting company in Charlotte. Pinstripe provides all the IT services, including security, for many area SMBs.
What will replace passwords? Passphrases. Let me quote Colby from an e-mail he sent me about this security idea.
“Passphrases have become the preferred method for password-protecting end user devices. The concept is simple. It is much easier to remember 'Let the force be with you' than it is to remember '!PS12Na#', and the passphrase is often more secure. The longer the passphrase, the more secure it is.”
While Colby said “end user devices,” I think passphrases work with devices that have good keyboards, like desktop and laptop computers. Smartphones may have keyboards, but few companies can really enforce the use of a decent password on handheld devices, much less a passphrase.
Security experts agree with Colby about the value of passphrases. The longer the password, or passphrase, the more time and computer power needed to hack it. Companies demand bizarre passwords like "!PS12Na#" to increase the difficulty of cracking the password. Real people, however, resort to what Colby calls the “Post-It note effect” of passwords stuck to monitors. Advanced users have learned to take those passwords off their monitors and hide them under their keyboards. Oops, I just ruined the security plans for one of every three users in many companies.
Administrators must configure security applications to accept longer passwords so passphrases work. Many applications also demand upper and lower case letters, at least one number, and at least one symbol. Hence the impossible-to-remember password "!PS12Na#" provided by Colby.
Check all your password-hungry applications and operating systems, including local computers, servers, and online systems. Supporting passphrases in three of four locations doesn't help. This technique must truly be all or none to work properly.
Independent security experts say to configure password fields to accept between 15 and 128 characters. A 15-character minimum pushes the password into passphrase territory automatically. Microsoft, however, limits password fields to 127 characters in Active Directory, and therefore Exchange. But 127 should work for almost every passphrase.
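As an added example (not code from the article or from Pinstripe), here is a length-first policy check in Python that implements the advice above, accepting 15 to 127 characters with no character-class quota, plus two rough attacker-effort estimates for the two secrets Colby quoted. The 20,000-word attacker wordlist size is an assumption.

```python
import math
import string

# Bounds from the article: experts say 15 to 128 characters, but Active
# Directory (and so Exchange) caps the field at 127, so 127 is the usable maximum.
MIN_LEN = 15
MAX_LEN = 127

def check_policy(secret, min_len=MIN_LEN, max_len=MAX_LEN):
    """Accept on length alone: no upper/lower/digit/symbol quota that pushes
    users toward Post-It notes. Returns (accepted, reason)."""
    n = len(secret)
    if n < min_len:
        return False, "too short: %d < %d characters" % (n, min_len)
    if n > max_len:
        return False, "too long: %d > %d characters (field limit)" % (n, max_len)
    if len(set(secret)) < 4:
        return False, "too repetitive: fewer than 4 distinct characters"
    return True, "ok"

def charset_size(secret):
    """Size of the union of standard character classes that covers the secret."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation + " ", len(string.punctuation) + 1),  # 33
    ]
    return sum(n for chars, n in classes if any(c in chars for c in secret))

def brute_force_bits(secret):
    """log2 of the search space for an attacker who knows only the length and
    the character classes used. An upper bound for multi-word phrases."""
    return len(secret) * math.log2(charset_size(secret))

def wordlist_bits(phrase, wordlist_size=20000):
    """Cheaper attack on a phrase of common words: guess word by word from a
    wordlist. wordlist_size is an assumed attacker dictionary size."""
    return len(phrase.split()) * math.log2(wordlist_size)

if __name__ == "__main__":
    for secret in ("!PS12Na#", "Let the force be with you"):   # Colby's examples
        ok, why = check_policy(secret)
        print("%-28r accepted=%-5s %s" % (secret, ok, why))
        print("   brute force: %.1f bits   wordlist: %.1f bits"
              % (brute_force_bits(secret), wordlist_bits(secret)))
```

Even under the cheaper word-by-word attack, the 6-word phrase leaves an attacker more work than the 8-character "complex" password, which is the point Colby makes.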
Comments (2)
pass phrases, by Anonymous on July 15, 2008, 5:40 pm: Disagree, pass phrases should be used to trigger memory of a password, not replace it. And someone watching you type may be able to guess the phrase seeing a single...
Passwords vs. passphrases, by netgreen on July 10, 2008, 10:52 am: As you noted, the problem with long passphrases is that there are so many characters to enter; and when all you see are asterisks in the password field, it's very...