Categoría: Artículos

C-TPAT: Cybersecurity – Passwords and Passphrases Recommendations

Cybersecurity C-TPAT:  Passwords and Passphrases Recommendations

On May 15 of 2020, the U.S. Customs and Border Protection (CBP) service, through the Customs Trade Association against Terrorism (CTPAT) program, provided a bulletin on Cybersecurity – Passwords and Access Phrases and its recommendations.

In continues communication with its members, and in order to strengthen the international supply chain and improve border security, the program extends in priority issues and highlights matters of interest for the certification. Recognizing that the best practices implemented in the supply chain and minimum security criteria can be a challenge for the members, the program provides its recommendations for the best practices.

The newsletter underlines the importance of the role that a proper constructed passwords and passphrases play in helping maintaining a strong cybersecurity. It is formally addressed in the numeral 4.8 of the Minimum Security Criteria, which details the mandatory requirements for passwords. The following, are the three mandatory requirements the members must comply to protect access to their Information Technology (IT) systems:

1.- Individuals with access to the IT systems must use individually assigned accounts;

2.- Access to IT systems must be protected from infiltration by using strong passwords, passphrases, or other forms of authentication, thus safeguarding access by IT systems; and

3.- Passwords and/or security passphrases must be changed as soon as possible if there is evidence of compromise or reasonable suspicion.

Within Security Criterion 4.8, it is recommended that access be accredited through at least a two-factor authentication (2FA) or a multi-factor authentication (MFA) process. However, the MFA most secure, for obvious reasons, since the user must present two or more evidences that guarantee the authenticity of the person’s identity, for example, the use of a secure password or a passphrase are a type of authentication.

A safe construction of passwords and passphrases

The CTPAT program recognizes passwords normally composed of not more than 10 letters, numbers and symbols, an example of a strong and strong password is something like “AT% <8gr $”.

While passphrases are longer than a password and contains spaces in between words. A passphrase may, or may not, be a formal sentence; it may be four or five words that are not related in any way. Commonly, passphrases force the user a minimum of 12 characters, making it highly unlikely for a hacking algorithm to guess passphrase. An example of a strong and safe access phrase is something like, “The red chair in the kitchen observes the forest.”


Although passwords have traditionally been the first security barrier, CTPAT program specialists, as well as experts from the public and private sectors, recommend the implementation of passphrases rather than passwords. Here are four reasons why your company should be using passphrases instead of passwords:

  • Passphrases are easier to remember than passwords;
  • Passwords are relatively easy to guess or crack. Hackers use advanced, cutting-edge technology tools that allow them to crack even the most complicated passwords. Passphrases are much more difficult to crack since password cracking tools malfunction at around 10 characters;
  • It is not necessary to appropriately change the constructed phrases, unless the user suspects that the phrase has been compromised; and
  • Mayor operating systems, including Windows, Linux and Mac, support the use of phrases, allowing up to 127 extension characteristics.

However, for those members who choose to maintain the use of passwords, the following composition methods are recommended to help make the passwords stronger and keep them secure. It is highlighted that the National Institute of Standards and Technologies (NIST) mentions that it is not necessary to make regular changes to passwords as long as the following recommendations are followed:

• Do not use passwords based on personal information or that can be easily accessed or guessed.

o For example: Using birthday dates, pet names, or favorite movies and books that can be found by quick search on social networking sites.

• Users should be prohibited from using their names or company name to construct a password.

• Passwords cannot contain dictionary words, this referring to conventional words, but to created words.

• Verify new and existing passwords with a continually updated database of password blacklists.

• Passwords that are around 8 characters long are still very easy to crack or guess.

• When the user enters a new password, that password should be verified by an atomized IT system. These verifications from the IT department should be performed when passwords are created, and should be verified continuously, preferably daily.

• There must be a documented process, in case a password is compromise. Different passwords must be used for different accounts.

• Users should not choose passwords that are the same or similar to the last four passwords.

It is generally recommended that users should never do the following with their passwords or security passphrases:

• They should never share their passwords or passphrases with anyone.

  • Passwords should not be written on post-it notes and stick them on monitors or other surfaces that are on the computer’s perimeters.
  • If users cannot remember their passwords, they can write hints to help them remember them, but they must be stored securely, for example, in a locked drawer.
  • An encryption password manager can be used to generate passwords or passphrases.

In addition to keeping passwords/phrases secure, computing devices should never be left unprotected or assets unattended.


Passwords and passphrases are certainly essential for security, but they are of no value if the users do not learn how to protect and use them wisely. Users must be properly trained and educated on how to generate strong passwords/passphrases, and keeping these secure, as well as cybersecurity training.

Cybersecurity is a shared responsibility, and it is ultimately about people, more than technology. It only takes one infected computer to potentially compromise them all. The most impressive and sophisticated technology is of no value if it is not operated and maintained by informed users.