Lesson Overview
Lesson 01 set out why cyber security matters to a Principality held together by information rather than by territory. This lesson takes the single most common gateway an attacker uses, the login, and teaches you how to hold it. Almost every breach of an ordinary account begins at a login screen, with a guessed, reused, leaked, or tricked credential. The good news is that the defences are simple, learnable, and very effective, and they are the same defences whether you are guarding your own account or one that touches the records of a national.
Two ideas carry this whole lesson. The first is that a long, memorable passphrase beats a short, fiddly password, and that much of the old password advice you have absorbed over the years was wrong and has been retired. The second is that a password, however good, is only one lock, and that adding a second, different kind of lock, a second factor, is the single most powerful thing you can do to keep an account safe. Together these two habits stop the great majority of account takeovers, and they cost you almost nothing once they are set up.
This is the knowledge layer. It explains what to do and why, so that the habits make sense and stick. The hands-on part, actually choosing your passphrases, setting up a password manager, and configuring multi-factor authentication on your real Principality accounts including the single sign-on identity service, is done and signed off in person, under supervision, where the course requires it. By the end you will be able to explain why length beats complexity and write a strong passphrase; state the current password rules and the discredited old ones they replaced, including why forced periodic rotation is no longer recommended; explain what a password manager is for and why password reuse is dangerous; define the three authentication factors and explain why combining them stops most account takeovers; rank the common forms of multi-factor authentication from strongest to weakest and justify the order; and connect all of this to the Principality's single sign-on identity service and per-user keys.
Key Terms
- Authentication: the act of proving you are who you claim to be when you sign in, so the system grants access to the right person and refuses it to everyone else.
- Credential: the secret or token you present to authenticate, most commonly a password or passphrase, plus any second factor.
- Password: a secret string used to authenticate; in current practice usually a longer phrase chosen for length and memorability rather than a short string padded with symbols.
- Passphrase: a password made of several words or a memorable sentence, long enough to be hard to guess yet easy for you to remember, for example four unrelated words run together.
- Entropy: a measure of how unpredictable a secret is; more entropy means more guesses an attacker must make, and length adds entropy faster and more reliably than fiddly composition rules do.
- Password manager: a trusted application that generates, stores, and fills strong unique passwords for every account, locked behind one strong master passphrase, so you need only remember the one.
- Credential stuffing: an attack that takes username and password pairs leaked from one breached site and tries them automatically against many other sites, succeeding wherever a person reused the same password.
- Multi-factor authentication (MFA): requiring two or more different kinds of evidence at sign-in, so a stolen password alone is not enough to get in. Also called two-factor authentication when there are two.
- Authentication factor: a category of evidence, traditionally something you know (a password), something you have (a phone or hardware key), and something you are (a fingerprint or face).
- TOTP: a time-based one-time password, the rotating six-digit code shown by an authenticator app, valid for about thirty seconds, used as a "have" factor.
- Passkey / FIDO2 / WebAuthn: a modern, phishing-resistant sign-in method using a cryptographic key held on your device or a hardware security key, which proves your identity to the genuine site without any code you could be tricked into typing elsewhere.
- Single sign-on (SSO): one trusted identity service that authenticates you once and then grants access to many connected applications, so the Principality manages accounts, passwords, and MFA in one well-guarded place.
Why length beats complexity
For years people were taught that a strong password meant a short one stuffed with capitals, numbers, and symbols, the famous P@ssw0rd! pattern. We now know this was a mistake. It produced passwords that were hard for humans to remember and, worse, easy for computers to guess, because everyone followed the same predictable substitutions. An attacker's software knows that people swap a for @ and o for 0, and tries those first.
The thing that actually defeats a guessing attack is unpredictability, and the cheapest, most reliable way to add unpredictability is length. Each extra character multiplies the number of possibilities an attacker must work through. A short complex password and a long simple one can be compared by how many guesses it would take to break them, and length wins decisively. This is why current guidance, the latest revision of the United States NIST standard SP 800-63B, which underpins responsible password policy worldwide, tells organisations to favour length and to stop imposing silly composition rules. We follow it.
The practical form of "long" is a passphrase: several unrelated words, or a memorable sentence, run together. Aim for at least fifteen characters; more is better, and a string of four or more random words easily clears that bar while staying easy to remember. The words should be unrelated and not a famous quotation, because attackers feed song lyrics, film lines, and common sayings into their guessing tools. "correct horse battery staple" is the well-known illustration of the idea: four ordinary words, easy to picture, long, and not a phrase anyone would quote.
      WEAK PASSWORD               vs         STRONG PASSPHRASE
      "P@ssw0rd!"                            "rustladdermarbleharvest"
           |                                      |
           | 9 characters                         | 23 characters
           | predictable substitutions            | four unrelated common words
           | on every cracking word list          | not a quote, not in word lists
           | looks complex, is not                | looks simple, is very strong
           | hard for a HUMAN to remember         | easy for a human to picture
           v                                      v
      GUESSED IN SECONDS                     RESISTS GUESSING FOR AGES

      Lesson: an attacker's computer does the guessing, not a human.
              Length and unpredictability beat fiddly symbols every time.
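The comparison in the picture can be put into numbers. The following is an added worked example, not part of the lesson's own material: it contrasts the naive "any printable character" entropy of P@ssw0rd! with its effective entropy under a simple model of how a cracking tool actually searches (dictionary word, substitution rules, trailing symbol), and sets both against a four-word passphrase drawn from a public word list. The list sizes, rule counts and guess rates are assumptions chosen for illustration, not measurements of any tool.

```python
import math

# Constructed attacker model for the lesson's comparison. The figures are
# assumptions chosen to illustrate how a cracking tool searches (dictionary
# word + substitution rules + trailing symbol), not measurements of any tool.
COMMON_WORDLIST_SIZE = 10_000     # assumed: "password" is in every top-10k list
LEET_VARIANTS_PER_WORD = 16       # assumed: a->@, o->0, s->$ ... applied as rules
CASE_VARIANTS = 4                 # assumed: lower, Capitalised, UPPER, mixed
TRAILING_SYMBOL_CHOICES = 32      # assumed: one symbol appended at the end
DICEWARE_WORDS = 7_776            # the standard diceware list size (6^5)
PRINTABLE_ASCII = 95              # the naive "any printable character" alphabet
FAST_HASH_RATE = 1e10             # assumed: guesses/s against an unsalted fast hash
SLOW_HASH_RATE = 1e5              # assumed: guesses/s against a deliberately slow hash


def naive_bits(length: int, alphabet: int = PRINTABLE_ASCII) -> float:
    """Entropy IF every character were drawn uniformly at random. This is the
    number 'looks complex' relies on, and it is the wrong number for P@ssw0rd!."""
    return length * math.log2(alphabet)


def leet_pattern_bits() -> float:
    """Effective entropy of a dictionary word with substitutions and a trailing
    symbol under the attacker model above: the search space is the pattern,
    not the full character space."""
    return math.log2(COMMON_WORDLIST_SIZE * LEET_VARIANTS_PER_WORD
                     * CASE_VARIANTS * TRAILING_SYMBOL_CHOICES)


def passphrase_bits(n_words: int, wordlist_size: int = DICEWARE_WORDS) -> float:
    """Entropy of n words drawn at random from a public word list. The attacker
    may know the list; the randomness is in which words were drawn."""
    return n_words * math.log2(wordlist_size)


def seconds_to_exhaust(bits: float, rate: float) -> float:
    """Worst case for the attacker: every guess in the space tried once."""
    return 2 ** bits / rate


def compare(password: str, n_words: int) -> dict:
    """Worked comparison for the lesson's two examples, in bits and in effort."""
    weak = leet_pattern_bits()
    strong = passphrase_bits(n_words)
    return {
        "password_naive_bits": round(naive_bits(len(password)), 1),
        "password_effective_bits": round(weak, 1),
        "passphrase_bits": round(strong, 1),
        "work_ratio": 2 ** (strong - weak),   # how many times more guesses needed
        "password_fast_hash_s": seconds_to_exhaust(weak, FAST_HASH_RATE),
        "passphrase_fast_hash_s": seconds_to_exhaust(strong, FAST_HASH_RATE),
        "passphrase_slow_hash_s": seconds_to_exhaust(strong, SLOW_HASH_RATE),
    }


if __name__ == "__main__":
    for key, value in compare("P@ssw0rd!", 4).items():
        print(f"{key:>24}: {value:,.1f}")
```

Under this model P@ssw0rd! looks like 59 bits but is worth about 24, while the four-word passphrase is worth about 52 bits whether or not the attacker knows the list, roughly 170 million times more work. The last two figures show why the service's hashing matters too: against a fast unsalted hash even the passphrase falls in days at ten billion guesses a second, against a properly slow password hash it lasts centuries.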
The current rules, and the old ones they replaced
It helps to know not only the new rules but the discredited habits they retire, because many systems and many people still cling to the old ones. Here is the current, evidence-based guidance, with each rule stated plainly.
Favour length over complexity. Allow and encourage long passphrases. Do not force a mix of character types by rule. A fifteen-character passphrase of plain words is stronger and far more usable than an eight-character jumble of symbols.
Do not force periodic rotation. The old habit of making everyone change their password every thirty, sixty, or ninety days has been abandoned by current guidance, and for a good reason. Forced rotation pushes people to pick weak, patterned passwords they can change easily ("Summer2025!" becomes "Autumn2025!"), and it teaches no one anything. A password should be changed when there is evidence it may have been compromised: when it appears in a breach, when you suspect it was phished, when a shared account changes hands; not on a calendar. A long, unique, un-leaked passphrase does not get weaker simply because three months have passed.
Screen against known-breached and common passwords. When a password is created or changed, good systems check it against lists of passwords already exposed in public breaches and against the obvious common choices, and refuse the bad ones. This stops the single most effective attack, trying passwords that are already known to have worked somewhere.
Never reuse a password across accounts. This is the rule people break most and pay for most. Reuse is what turns one company's breach into your problem everywhere. Each account, especially each Principality account, gets its own unique passphrase.
Drop the pointless restrictions. Do not bar long passwords with arbitrary maximum lengths; do not forbid spaces or pasting, which only punishes password managers; do not require security questions whose answers are often public. These are usability obstacles that buy no real security.
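The five rules above translate directly into what a system should do when a password is set or changed. This added example, not part of the lesson or any Principality system, is a minimal policy check in that shape: it enforces length, screens against a breach corpus and against common choices, and has no composition rules, no ban on spaces, no low maximum and no expiry. The breach and common-password sets are constructed stand-ins; a real deployment would consult a full corpus of breached passwords.

```python
import unicodedata

MIN_LENGTH = 15      # the lesson's recommended minimum (NIST's hard floor is lower)
MAX_LENGTH = 128     # generous cap: NIST says accept at least 64 characters

# Constructed stand-in for a breach-corpus lookup. A real deployment queries a
# corpus of passwords seen in public breaches (locally or through a k-anonymity
# API); a handful of entries is enough to show the check.
KNOWN_BREACHED = {
    "password", "p@ssw0rd!", "summer2025!", "autumn2025!", "qwerty123456789",
    "correct horse battery staple",   # famous phrases end up in every corpus
}
COMMON_CHOICES = {"letmein", "welcome1", "principality"}   # constructed


def normalise(secret: str) -> str:
    """NFKC so that look-alike Unicode forms compare equal, then case-folded:
    cracking tools try case variants as rules, so the screen should too."""
    return unicodedata.normalize("NFKC", secret).casefold()


def check_password(candidate: str) -> list:
    """Return the reasons a candidate must be refused; an empty list means accept.
    Deliberately absent: composition rules, a ban on spaces or pasting, hints,
    security questions and any expiry date."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    folded = normalise(candidate)
    if folded in KNOWN_BREACHED:
        reasons.append("appears in a known breach corpus")
    if folded in COMMON_CHOICES:
        reasons.append("is a commonly chosen password")
    if len(set(folded)) <= 2:
        reasons.append("is a repeated-character pattern")   # e.g. "aaaaaaaaaaaaaaa"
    return reasons


if __name__ == "__main__":
    for secret in ["P@ssw0rd!", "Summer2025!", "correct horse battery staple",
                   "rust ladder marble harvest"]:
        print(f"{secret!r}: {check_password(secret) or 'accepted'}")
```

Note what the check does not do: it never asks for a digit or a symbol, it accepts spaces, and it has no notion of age. A passphrase that passes today passes until there is evidence against it, which is exactly the rotation rule above.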
The reason reuse is so dangerous deserves its own picture, because the attack is automatic and merciless.
WHY YOU MUST NOT REUSE A PASSWORD (credential stuffing)

Some website you once used              You used the SAME password
suffers a data breach.                  on five other accounts.
        |                                          |
        v                                          |
Your email + password leak                +--+--+--+--+--+
onto a public list.                       |  |  |  |  |  |
        |                                 v  v  v  v  v  v
        +-----> attacker's software ->  email bank SSO ...
                tries that pair                  |
                automatically against    every reused account
                thousands of sites       falls to ONE leak

One unique passphrase per account breaks the chain:
a leak from one place opens nothing else.
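Because the attack in the picture is automatic, it leaves a characteristic trace in the identity service's own logs: one source address trying many different usernames in a short burst, failing on most and succeeding on the accounts whose owners reused a leaked password. The following is an added example of detection logic run over a constructed sample log; it is not the Principality's tooling, and the log format, thresholds and addresses are all assumptions. The accounts that succeed inside such a burst are the ones to lock and re-credential on evidence.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an authentication log (not real traffic). One source
# address tries leaked username/password pairs against many different accounts
# in a few seconds and gets in where a password was reused; a normal user
# mistypes once and then succeeds.
SAMPLE_LOG = """\
2026-03-01T08:00:01Z 203.0.113.7 alice FAIL
2026-03-01T08:00:02Z 203.0.113.7 bob FAIL
2026-03-01T08:00:02Z 203.0.113.7 carol FAIL
2026-03-01T08:00:03Z 203.0.113.7 dave FAIL
2026-03-01T08:00:03Z 203.0.113.7 erin FAIL
2026-03-01T08:00:04Z 203.0.113.7 frank SUCCESS
2026-03-01T08:00:04Z 203.0.113.7 grace FAIL
2026-03-01T08:05:00Z 198.51.100.4 helen FAIL
2026-03-01T08:05:09Z 198.51.100.4 helen SUCCESS
"""

WINDOW = timedelta(minutes=10)
MIN_DISTINCT_USERS = 5     # assumed threshold; tune to the service's normal traffic
MIN_FAILURE_RATIO = 0.5    # stuffing fails far more often than it succeeds


def parse(line: str):
    """One log line -> (timestamp, source address, username, succeeded?)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "SUCCESS"


def find_stuffing(log_text: str) -> dict:
    """Return, per source address, the worst WINDOW-sized burst that looks like
    credential stuffing: many DIFFERENT usernames, mostly failing. Ordinary
    brute force against one account does not match, because it has one user."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse(line)
            by_ip[ip].append((ts, user, ok))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            burst = [e for e in events[i:] if e[0] < start + WINDOW]
            users = {u for _, u, _ in burst}
            failures = sum(1 for _, _, ok in burst if not ok)
            if len(users) < MIN_DISTINCT_USERS or failures / len(burst) < MIN_FAILURE_RATIO:
                continue
            finding = {
                "distinct_users": len(users),
                "attempts": len(burst),
                "failures": failures,
                "compromised": sorted(u for _, u, ok in burst if ok),
            }
            if ip not in alerts or finding["distinct_users"] > alerts[ip]["distinct_users"]:
                alerts[ip] = finding
    return alerts


if __name__ == "__main__":
    for ip, finding in find_stuffing(SAMPLE_LOG).items():
        print(ip, finding)
```

The sample flags 203.0.113.7 (seven usernames, six failures, one success on frank) and ignores 198.51.100.4, where one person mistyped once. In practice the source address is only one pivot; attackers spread attempts across many addresses, so the same logic is also run per password-hash-prefix or per user-agent, but the signal is the same: many accounts, few successes, and the successes are the reuse victims.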
The password manager: how to keep this practical
The honest objection to all of the above is that nobody can remember a different fifteen-character passphrase for forty accounts. That is true, and it is exactly why a password manager is good practice and recommended. A password manager is a trusted application that generates a long, random, unique password for every account, stores them all encrypted, and fills them in for you when you sign in. You remember exactly one thing, the strong master passphrase that unlocks the manager, and the manager remembers everything else.
This single tool resolves the whole tension. It makes unique-per-account effortless, because you never type or even see most of your passwords; it makes long and random the default; and many managers will warn you when one of your stored passwords appears in a known breach, so you can change just that one, on evidence, exactly as the rotation rule intends.
There are sensible cautions. The master passphrase becomes the key to everything, so it must be a strong passphrase you have memorised and never reused, and the manager itself should be protected with multi-factor authentication. Choose a reputable manager approved for use on Army business, and follow direction on which one and how it is configured. A password manager does not replace MFA; the two work together, and the next half of this lesson explains why MFA matters even when your passwords are perfect.
Multi-factor authentication: a second, different lock
A passphrase, however long, is one secret. If it is ever stolen, phished, leaked, or guessed, the account is open. Multi-factor authentication closes that gap by demanding a second piece of evidence of a different kind, so that knowing the password is not enough. The principle is older than computers: a bank vault needs both a combination you know and a key you hold, because a thief who learns the combination still cannot open it without the key.
The categories of evidence are the three factors:
- Something you know: a password or passphrase, a PIN. Knowledge can be stolen or guessed without you noticing.
- Something you have: a physical thing in your possession, your phone running an authenticator app, or a small hardware security key. An attacker would have to take the object, not just learn a secret.
- Something you are: a biometric, your fingerprint or your face. This is hard to copy and is often used to unlock the device or the key locally.
Multi-factor means combining at least two of these different categories. Two passwords are not multi-factor, because they are both "know". A passphrase plus a code from your phone is, because it joins "know" and "have". The strength comes precisely from the difference: an attacker who phishes your password still does not have your phone or your hardware key, and so still cannot get in.
This is why MFA is so effective. The most common attacks at scale, credential stuffing from leaked password lists and ordinary phishing of passwords, deliver the attacker your "know" factor and nothing else. With a second factor in place, that stolen password buys them nothing. MFA stops the great majority of these automated account takeovers, which is why it is one of the essential cyber-hygiene safeguards for a small force and why the Principality requires it on accounts that matter.
Not all second factors are equal: the strength ladder
MFA is good; some forms of MFA are much better than others, chiefly because of how well they resist phishing. Phishing is the trick of luring you to a fake login page that captures whatever you type. A second factor that can be typed, or read aloud, or approved in a hurry, can sometimes be captured or relayed by a clever attacker in real time. A second factor that is cryptographically bound to the genuine website cannot. That difference sets the order of preference.
Best, phishing-resistant: passkeys, FIDO2 / WebAuthn, and hardware security keys. These use a cryptographic key held on your device or on a small physical key. When you sign in, the key proves your identity directly to the genuine site and will simply refuse to work on a fake one, because the fake site's address does not match. There is no code for you to read out and no prompt for you to approve on the wrong page, so there is nothing for a phisher to steal. This is the form to prefer wherever it is offered, and it is the direction the Principality is moving for its most sensitive access.
Strong: an authenticator app generating a one-time code (TOTP). An app on your phone shows a six-digit code that changes every thirty seconds or so. It is a genuine "have" factor, works offline, and is far stronger than SMS. Its one weakness is that the code can in principle be typed into a fake page by a victim who has been fooled, so it is strong but not fully phishing-resistant. For most accounts it is a very good choice and much better than nothing.
Weak but better than nothing: a code sent by SMS text message. A code texted to your phone is the most familiar form, and it does raise the bar against bulk automated attacks, so it is better than a password alone. But it is the weakest option: text messages can be intercepted, and an attacker can sometimes persuade a mobile network to move your number to their own device, a "SIM swap", and then receive your codes. Use SMS only where nothing better is offered, and move to an app or a passkey as soon as you can.
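To see why an authenticator code is a genuine "have" factor that works offline, it helps to see how little it is: a shared secret on the phone and on the server, a clock, and an HMAC. The following is an added example implementing the standard (RFC 4226 HOTP and RFC 6238 TOTP with SHA-1, thirty-second steps, six digits); it is not the Principality's identity service code. The secret used is the test secret published in RFC 6238, never a real enrolment. The server-side verifier also shows two checks a good service makes that the ladder text only implies: constant-time comparison, and refusing a code that has already been accepted, so a captured code cannot be used a second time within its thirty-second life.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30      # seconds per code, the value authenticator apps use
DIGITS = 6

# RFC 6238's published test secret (ASCII "12345678901234567890"); used here
# for the known test vectors only, never a real enrolment.
TEST_SECRET = b"12345678901234567890"


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps are provisioned with a base32 secret (the QR code)."""
    padded = text.strip().replace(" ", "").upper()
    padded += "=" * (-len(padded) % 8)
    return base64.b32decode(padded)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, dynamic truncation, decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{number % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at: Optional[int] = None, step: int = STEP) -> str:
    """RFC 6238: the counter is the number of STEP-second intervals since epoch.
    This is what the phone computes; no network is needed."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // step)


class TotpVerifier:
    """Server-side check. Accepts one step of clock drift either way, compares
    in constant time, and remembers the last accepted step so a code that was
    captured and replayed within its thirty-second life is refused."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_counter = -1

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        counter = now // STEP
        for drift in range(-self.window, self.window + 1):
            candidate = counter + drift
            if candidate <= self.last_counter:
                continue                      # already used, or older than one used
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    print("code at T=59:", totp(TEST_SECRET, 59))   # RFC 6238 vector: 287082
```

The replay guard is what limits the damage from a code typed into a fake page: it buys the attacker at most one sign-in, inside thirty seconds, and never the same code twice. It does not remove that one sign-in, which is exactly why the code sits below the passkey rung.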
THE MFA STRENGTH LADDER (prefer the top, accept downward)

STRONGEST   +--------------------------------------------------+
    ^       | PASSKEY / FIDO2 / HARDWARE KEY (have + are)      |
    |       | phishing-RESISTANT: bound to the real site,      |
    |       | refuses to work on a fake page. Nothing to steal.|
    |       +--------------------------------------------------+
    |       | AUTHENTICATOR APP CODE (TOTP, a "have" factor)   |
    |       | strong, works offline; the code could in theory  |
    |       | be typed into a fake page, so not phish-proof.   |
    |       +--------------------------------------------------+
    |       | SMS TEXT CODE (a weaker "have" factor)           |
    v       | better than nothing; vulnerable to interception  |
WEAKEST     | and SIM-swap. Use only if nothing better exists. |
            +--------------------------------------------------+
FLOOR       | PASSWORD ALONE: one lock. NOT multi-factor.      |
            +--------------------------------------------------+

Any rung above the floor beats a password alone.
Climb as high as each account allows.
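The top rung's property, "bound to the real site, refuses to work on a fake page", comes from two mechanisms that the following added simulation makes concrete. It is not the Principality's identity service nor any WebAuthn library. A real authenticator signs with a per-site private key and the site verifies with the matching public key; here an HMAC with a device-held secret stands in for that signature so the example runs on the standard library alone. The two properties shown are the real ones: a credential is scoped to the domain it was registered on, so a lookalike domain finds no credential at all, and the browser, not the user, writes the origin it is actually connected to into the data that gets signed, so the genuine site rejects anything signed on another origin. All domain names are constructed.

```python
import hashlib
import hmac
import json
import os

# Simulation of WebAuthn/passkey origin binding. An HMAC with a device-held
# secret stands in for the real public-key signature; the checks the relying
# party makes (origin, fresh challenge, signature) are the real ones.


class Authenticator:
    """The user's device or hardware key. One credential per rpId (the site's
    registrable domain); a different domain finds no credential at all."""

    def __init__(self):
        self._secrets = {}                       # rp_id -> device-held secret

    def register(self, rp_id: str) -> bytes:
        self._secrets[rp_id] = os.urandom(32)
        return self._secrets[rp_id]              # WebAuthn would hand back a PUBLIC key

    def get_assertion(self, rp_id: str, client_data: bytes):
        if rp_id not in self._secrets:
            return None                          # nothing registered for this site
        return hmac.new(self._secrets[rp_id], client_data, hashlib.sha256).digest()


class Browser:
    """Builds clientData from the challenge AND the origin the browser sees.
    A user on a lookalike page cannot change what the browser writes here."""

    def __init__(self, origin: str, authenticator: Authenticator):
        self.origin = origin
        self.authenticator = authenticator

    def sign_in(self, challenge: str):
        client_data = json.dumps({"challenge": challenge, "origin": self.origin}).encode()
        rp_id = self.origin.split("://", 1)[1]   # simplification: rpId = host of the origin
        return client_data, self.authenticator.get_assertion(rp_id, client_data)


class RelyingParty:
    """The genuine site. Issues one fresh challenge per login and checks origin,
    challenge freshness and the signature, in that order."""

    def __init__(self, origin: str):
        self.origin = origin
        self.rp_id = origin.split("://", 1)[1]
        self.credentials = {}                    # user -> key received at registration
        self.outstanding = set()

    def new_challenge(self) -> str:
        challenge = os.urandom(16).hex()
        self.outstanding.add(challenge)
        return challenge

    def verify(self, user: str, client_data: bytes, signature) -> bool:
        if signature is None:
            return False
        data = json.loads(client_data)
        if data["origin"] != self.origin:        # the phishing-resistance check
            return False
        if data["challenge"] not in self.outstanding:
            return False                         # stale or replayed challenge
        self.outstanding.discard(data["challenge"])
        expected = hmac.new(self.credentials[user], client_data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def scenario() -> dict:
    """Sign-ins with the same device: the genuine site, a replay of that
    sign-in, a lookalike domain with no credential, and a lookalike the user
    was talked into registering a passkey on. Domains are constructed."""
    site = RelyingParty("https://sso.principality.test")
    device = Authenticator()
    site.credentials["cpl.smith"] = device.register(site.rp_id)

    genuine = Browser("https://sso.principality.test", device)
    g_data, g_sig = genuine.sign_in(site.new_challenge())
    results = {"genuine": site.verify("cpl.smith", g_data, g_sig)}
    results["replay"] = site.verify("cpl.smith", g_data, g_sig)   # challenge already spent

    # The lookalike relays the real site's challenge, but the device holds no
    # credential scoped to the lookalike domain, so it produces nothing to relay.
    lookalike = Browser("https://sso-principality.test", device)
    data, sig = lookalike.sign_in(site.new_challenge())
    results["lookalike_no_credential"] = site.verify("cpl.smith", data, sig)

    # Even with a passkey registered on the lookalike, the signed data names the
    # lookalike origin, so the genuine site rejects it before any key check.
    device.register("sso-principality.test")
    data, sig = lookalike.sign_in(site.new_challenge())
    results["lookalike_wrong_origin"] = site.verify("cpl.smith", data, sig)
    return results


if __name__ == "__main__":
    print(scenario())
```

Contrast this with the TOTP rung: a six-digit code carries no information about where it was typed, so the server cannot tell a code entered on the genuine page from one entered elsewhere. A passkey assertion carries the origin inside the signed data, and the device will not even produce one for a domain it was never registered on, which is what "nothing to steal" means in the ladder.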
Tying it together: the Principality's single sign-on and your keys
The Principality is non-territorial and runs on self-hosted online services. Rather than make you keep a separate account and password for each one, it uses a single sign-on identity service: one trusted place that authenticates you and then grants you access to the connected applications you are entitled to use. This is a real strength for security, because it concentrates the careful work, strong passphrase policy, breach screening, and multi-factor authentication, in one well-guarded place instead of scattering it across dozens of weakly-defended logins.
It also concentrates the risk, and that is the point you must take to heart. Your single sign-on credential is a master key to much of your Principality digital life. It therefore deserves the strongest protection in this lesson: a long, unique passphrase you have given to no other account, held in your password manager, and protected by the best multi-factor method available to you, a passkey or hardware key for preference, an authenticator app at least. Treat that one login as you would treat the key to an armoury.
Alongside the identity service you may hold per-user certificates and keys, for example the personal .p12 certificate that identifies you to a service such as the secure situational-awareness system. These are credentials too, of the "have" kind, and they identify you specifically. They are protected by their own passphrases, must never be shared or copied to an unapproved device, and, like a lost building key, must be reported at once if lost or exposed so that they can be revoked and reissued. A revoked key is useless to whoever found it; an un-reported lost key is an open door. Lesson 04 covers device and endpoint security, and Lesson 10 covers reporting; here, simply fix the habit that your keys and certificates are guarded exactly as carefully as your passwords.
A last word on appointment. Holding a strong passphrase and configured MFA does not, by itself, grant you access to anything. Access follows appointment, not qualification. The identity service grants each account only what its role needs, and removes that access promptly when the role ends. Your job is to protect the access you are properly given so well that no one else can ever use it in your name.
In Practice: A Systems Assistant Hardens an Account
A newly posted systems assistant, an OR-3 Corporal supporting a small detachment, is told to bring her Principality accounts up to standard before she is granted any wider access. She has, until now, used one fairly good password across her email, the single sign-on service, and three connected applications, and she has SMS codes switched on for the email only. By the end of an afternoon, under a supervisor's eye, she has put this lesson into practice.
She begins with the password manager approved for Army use. She sets a single strong master passphrase, four unrelated words she can picture, twenty-plus characters, used nowhere else, and protects the manager itself with an authenticator app. Then she works through her accounts one at a time. For each, she has the manager generate a fresh, long, unique password and replaces the old shared one. The reused password is now retired everywhere; a future breach of any one site can no longer reach the others. She does not set any reminder to change these again on a schedule, because she now understands she changes a password on evidence of compromise, not on the calendar, and her manager will warn her if one ever appears in a breach.
Then the second locks. On the single sign-on identity service, the master key to most of her access, she registers a hardware security key her supervisor issues, the phishing-resistant option, and adds her authenticator app as a backup factor. She upgrades her email from the weak SMS code to the same authenticator app. Where an application offers a passkey, she enrols it. Finally she checks her per-user certificate is held only on her approved, encrypted device and confirms she knows the number to ring if it is ever lost. When she finishes, an attacker who somehow learned one of her passwords would still be stopped at every login, and her most powerful account is behind a key that fake pages cannot fool. The supervisor signs off the practical. Only then does the wider access her appointment requires get switched on, because access follows the appointment, and the account is now worth trusting with it.
Check Your Understanding
- Explain why a long passphrase such as four unrelated words beats a short, symbol-laden password like P@ssw0rd!, referring to unpredictability and length. Then state at least three current password rules from this lesson, and explain specifically why forced periodic rotation is no longer recommended and what should trigger a password change instead.
- Define the three authentication factors with an example of each, and explain why combining two different factors stops most account takeovers even when an attacker has stolen your password. Why are two passwords not multi-factor authentication?
- Rank the common forms of multi-factor authentication from strongest to weakest, name the property that makes the top of the ladder "phishing-resistant", and explain why SMS codes, though weak, are still better than a password alone. Why does the single sign-on credential deserve the strongest protection you can give it?
Reflection (write a short paragraph): Look honestly at your own current habits with passwords and logins. Do you reuse one or two passwords across many accounts, keep a short "complex" password you have used for years, or rely on SMS codes, or no second factor at all, on accounts that matter? Pick the one habit from this lesson whose absence would most expose you if a site you use were breached tomorrow. Name it, explain why it is the weakest point in your own security, and describe the first concrete step you will take, once you are at a supervised practical or simply at your own device, to close that gap. Then consider how it would feel to be the person through whose un-protected account a national's records were reached, and let that, rather than any rule, be the reason the habit sticks.
Summary
- Length beats complexity. Use long, memorable passphrases of fifteen or more characters, made of unrelated words rather than fiddly symbol substitutions, because unpredictable length is what defeats a guessing attack and the old "looks complex" patterns are exactly what cracking tools try first.
- The current rules, from NIST SP 800-63B, are: favour length, screen new passwords against known-breached and common ones, never reuse a password across accounts, and do not force periodic rotation, change a password only on evidence it may be compromised. The discredited old habits of calendar-based rotation and arbitrary composition rules made passwords weaker and less usable, not stronger.
- A password manager makes all of this practical, generating and storing a unique long passphrase for every account behind one strong master passphrase, and warning you when a stored password is breached. Protect the manager itself with MFA. It does not replace a second factor; it works alongside one.
- Multi-factor authentication adds a second, different kind of lock, combining factors you know, have, and are, so a stolen password alone cannot open the account. It stops the great majority of automated account takeovers and is an essential safeguard for a small force.
- Not all second factors are equal. Prefer phishing-resistant passkeys, FIDO2 / WebAuthn, and hardware security keys, which are bound to the genuine site and cannot be captured by a fake page. An authenticator-app code (TOTP) is strong. SMS codes are weak, vulnerable to interception and SIM-swap, but still better than a password alone. Climb the ladder as high as each account allows.
- The Principality's single sign-on identity service concentrates account security in one well-guarded place and is the master key to much of your digital access, so it deserves your strongest passphrase and your best MFA. Per-user certificates and keys are credentials too: guard them, never share them, and report any loss at once so they can be revoked. And remember that access follows appointment, not qualification: your job is to protect the access you are properly given.
- This lesson is the partner of Lesson 03 (Phishing and Social Engineering), which shows how attackers try to trick the credentials out of you in the first place, and Lesson 04 (Device and Endpoint Security), which guards the devices your factors live on. It supports CIS 220 (Identity, Access, and Records Security) and SIG 220 (Communications Security and Digital Discipline), and rests on the "access follows appointment" rule of the specialities framework.
Crown Copyright © 2026 | Published by Authority of H.R.H. The Prince of Kaharagia