Categories: Best Practices Cyber Security Awareness Month Information Security
Passwords are keys to your online castle(s) such as: employer’s online resources, bank account, social media accounts, shopping sites, health records, and much more. Password safety is not something many people think about on a daily basis but passwords help keep your accounts secure and your digital identity safe. In this article, I explore best practices for password safety.
Password safety begins with strong passwords. You may see many different definitions of a strong password. Over time, we learn better practices to increase the security of a password. These include a password’s length, its uniqueness and randomness, and the feasibility of guessing a password.
Let’s start with password length. Many sites require your password to have a minimum number of characters. Why? With each additional character added to the password length, you are exponentially increasing the number of possible combinations needed to crack your password. For someone nefariously trying to crack into your password with a password cracker program, a password with more characters could exceed the ability of the cracker program. The National Institute of Standards and Technology (NIST) recommends at least 8 characters but others suggest at least 12 characters for password length. Eight characters is a reasonably good minimum number of characters for your password but longer passwords are better.
Password: Unique and Random
Another part of a strong password is its uniqueness – not reusing the same password across several websites. This aspect is often overlooked but a unique password is one of the more important factors you should consider. Even the strongest password used over and over on many different websites becomes insecure: if a website is compromised and hackers have login data, your strong but not unique password is now available to the hackers. Once your password is compromised, instead of updating the password for the one site that was hacked, you would need to change the password on every site where you used that password!
Randomness plays an important role in the strength of a password as well. Randomness in your passwords makes them much harder to guess because you use less predictable words or characters. Some may use the names of friends, family, pets, or even the name of the service itself; others use birthdays or some variation of generic passwords like 12345, ‘qwerty’, or just exchanging a letter or two in ‘password’ with a similar symbol like ‘a’ to ‘@’. Let’s be honest: you are not making your password much more secure by using ‘P@ssW0rd’. An example that is less predictable would be something like TeaDriveCubeGlasses a password that I made using the passphrase model below.
Using a Base Password
The likelihood of a guessed password is combated by your password’s uniqueness and randomness. But, what if you use a base password and just change a few characters at the beginning or end of the password? Many websites provide a password strength meter to help determine the strength of a password. However, these meters cannot consider how many times that password has been used, or if your password is similar to another password you’ve used at a site. Using a base password with minor changes should be avoided. As in the previous examples, if your account is compromised on one website, your password and any variation of that password jeopardizes your accounts on other sites.
Using a Passphrase
One of the best ways to generate a password is by using a passphrase. A passphrase is a combination of the two words “password” and “phrase”. Using a passphrase as your password (1) helps you create a longer password which is much harder to crack by brute force and (2) allows the password to be more easily remembered. One of the most used examples of a passphrase comes from a comic strip called XKCD. They said the difficulty to remember the passphrase is as: “You’ve already memorized it.”
After you have a strong unique password, you will want a safe and secure way to remember it. Now, some people may have a fantastic memory for remembering hundreds of unique and random passwords, but not everyone is blessed with such a memory. Many people write down their passwords on a piece of paper, maybe an Excel sheet, or even a sticky note under their keyboard. This is another practice that is not very secure. So, you may be wondering how to remember all your long, random, unique passwords! The best course of action is a password manager: a tool that will store all your usernames and passwords for your accounts behind one username and password. This helps keep people without the credentials to your password manager from being able to find your password list and logging into your accounts. There are many different password managers out there including LastPass, Bitwarden, 1Password, and Dashlane to name a few.
Best Practices for Password Safety
Another piece of password safety is knowing when to change your password. Pay attention to news headlines about digital and online security and change your passwords when you become aware of a data breach with of service you use. Change your password – using the techniques described above – to a new, strong password and if you have any other account using the same password, change it too. If you provide an account password to someone, change it as well.
Multifactor authentication (MFA), or two-factor authentication as it is sometimes called, is a security feature that requires two forms of identification to log into an account. There are three different types of identification that can be used for multifactor authentication: something you know, something you have, or something on you. For example, MFA may use a password (something you know), a cell phone (something you have), or a fingerprint (something on you). The two forms of identification need to be different types to help strengthen the security of the account. In our examples, you couldn’t use a password and a pin number as both of those would fall under the “something you know” category but it could a password and a pin number sent as a text message to a mobile phone. Enabling MFA for your account adds another layer of security and helps if your password ever becomes breached: the hacker would need that second factor in order to access your account.
If you have questions related to material covered in this article, about cybersecurity or other IT security related topics, feel free to contact us.