Best Practices for Securing Your Passwords
What is a Password?
Passwords are a code, made up of a string of characters, that can be used to gain admission to something. Passwords are the most commonly used form of user authentication and account protection today.
Most Passwords Aren’t Perfect
Traditionally, the basis of password security has relied primarily on secrecy and an individual’s ability to remember it. Because of this, people are often inclined to choose a code or phrase they can easily understand and recall without a prompt. Unfortunately, passwords that are easy to remember can be easy to guess. Short combinations of easily remembered words or phrases tend to make weak passwords.
In an attempt to improve account security, many sites now require that passwords meet or exceed a certain level of complexity. The requirements vary by site, but many require that passwords be a certain length, contain at least one uppercase letter, one number, and sometimes a special character. These requirements help guide users toward creating stronger passwords, but many still tend to use simple sequences or patterns.
Weak Password Practices
- Does your password start with a capital letter?
- Is it a simple word or phrase?
- Is your password grammatically correct?
- Does your password end in a 1 or a 2?
- Is there punctuation or a special character following a number?
- Does your password include a season or a year?
- Does your password contain your name or birthday or that of a loved one?
- Does your password contain the name of the service you are logging into? (i.e. facebook, or fb)
- Does your password include your company’s name, motto, or product?
- Does it contain swear words or the word “love”?
- Does it contain a keyboard walk (i.e. qazwsx or 123456qwerty) or number sequence (i.e. 12345 or 454545)?
If you answered “yes” to any of these questions, you should consider changing the way you create future passwords.
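The checklist above can be turned into an automated self-check. The following is an added example (not code from the original article): it flags the listed habits in a candidate password, treating names, birthdays, employer and service names as caller-supplied terms since the checker cannot know them on its own. The keyboard layout strings and the four-key run length are assumptions.

```python
import re

# Constructed lists of the pattern families the checklist above describes.
SEASONS = ("spring", "summer", "autumn", "fall", "winter")
# QWERTY rows, the digit row, and the column walk (qaz, wsx, edc, ...) joined up;
# any four adjacent keys in either direction count as a keyboard walk.
KEY_SEQUENCES = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
                 "qazwsxedcrfvtgbyhnujm")

def _has_key_walk(lower: str, run: int = 4) -> bool:
    """True if any run of `run` adjacent keys (forward or reversed) appears."""
    for seq in KEY_SEQUENCES:
        for direction in (seq, seq[::-1]):
            for i in range(len(direction) - run + 1):
                if direction[i:i + run] in lower:
                    return True
    return False

def weak_patterns(password: str, personal_terms=()) -> list:
    """Return the checklist items a password matches; an empty list is good.
    personal_terms: caller-supplied words such as a name, birthday, employer
    or the name of the service being logged into (hypothetical parameter)."""
    lower = password.lower()
    hits = []
    if re.match(r"[A-Z][a-z]{2,}", password):
        hits.append("starts with a capitalised word")
    if lower.isalpha():
        hits.append("a plain word or phrase with no other character types")
    if password.endswith(("1", "2")):
        hits.append("ends in 1 or 2")
    if re.search(r"\d[^\w\s]", password):
        hits.append("special character right after a number")
    if any(s in lower for s in SEASONS) or re.search(r"(19|20)\d\d", password):
        hits.append("contains a season or a year")
    if any(t.lower() in lower for t in personal_terms if t):
        hits.append("contains a personal, employer or service name")
    if "love" in lower:
        hits.append("contains the word love")
    # Repeated digit groups (454545) or adjacent-key runs (12345, qazwsx).
    if _has_key_walk(lower) or re.search(r"(\d{1,3})\1{2,}", password):
        hits.append("keyboard walk or number sequence")
    return hits

if __name__ == "__main__":
    for candidate in ("Summer2019!", "qazwsx123", "Fw-$G-J*K8u8W5xr"):
        print(candidate, "->", weak_patterns(candidate, ["facebook"]) or "no hits")
```

A password that produces no hits is not automatically strong; the checker only catches the habits listed above, not reuse or dictionary words in general.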
Patterns & Passwords
The above list gives examples of common practices people use when creating passwords. Passwords that use these common practices are easier to crack because they follow predictable patterns and themes. So why do people keep senselessly using them?
One of the strongest functions of the human brain is pattern recognition. This function is an intrinsic part of our mental process and is closely associated with how we learn and remember things. This is why most people tend to make orderly passwords that are based on patterns or themes.
Pattern recognition is so deeply embedded in us that it even affects our perception. In an attempt to make sense of randomness, our brains will seek out familiar patterns or images, even if none actually exist. Have you ever looked at a cloud and thought it looked like an animal? Or had a random string of letters remind you of a name or phrase? That is your pattern recognition kicking in. The Rorschach Inkblot Test is a good example of how pattern recognition works in the brain.
Since pattern recognition plays a big role in how we remember things, people have the tendency to use words or phrases in their passwords to help remember them. This makes sense from a user standpoint, but even though patterns make it easier for us to remember our passwords, they also make it easy for hackers to crack them.
That is why you want to avoid common patterns like appending numbers to the ends of passwords, capitalizing the first letter of words or nouns, years or dates, or using any of the other practices listed above.
What Makes a Strong Password?
The goal of creating a strong password is making one that is unpredictable, making it hard to guess and increasing the likelihood that it will remain secret.
All password-protected systems are susceptible to hacking, but there are steps you can take to help thwart password cracking software. If your password incorporates enough of the following characteristics, you can make a password strong enough to deter a hacker’s continued attempts to crack your password.
Characteristics of a Strong Password
The shorter the password, the easier it is to crack. This is why many sites set a minimum length for passwords.
Hacking methods have improved to the point where IT security experts agree that 8-character passwords are no longer adequate to effectively defend against hackers and that a 12-character minimum should be adopted.
A 2010 study by Georgia Tech Research Institute (GTRI) recognized that a 12-character alphanumeric random password was the minimum required character length able to defend against password cracking software.
So for the strongest password, use at least 12 characters.
Complexity refers to the variety of character types used in your password. Most sites have complexity requirements for passwords, such as a minimum length and that they include at least one uppercase letter, one number, and sometimes a special character.
The main reason for password complexity is to increase the keyspace per character, which allows a user to create a stronger password with fewer characters. For example, an 8-character password containing alphanumeric and special characters is roughly as strong as a 16-character password made up of only numbers. By increasing the pool of potential characters from just 10 numbers to 94 alphanumeric and special characters, a hacker will have a much harder time cracking your password.
Just remember: Increasing the complexity of a password by adding numbers, symbols, and capital letters can increase password strength, but only if they are ordered in an unpredictable way.
Because people are so susceptible to using familiar patterns, randomness tends to rank as the top characteristic of a strong password.
Randomness refers to the combination of characters placed in an order unassociated to any type of pattern such as Fw-$G-J*K8u8W5xr.
These kinds of passwords are usually difficult to remember but can be easily managed with a password manager. A password manager is an encrypted database that can be used to securely generate and store passwords. One example is LastPass, a free password manager that stores your encrypted passwords online so you can access them anywhere. It supports a web interface, browser plugins, and even has apps for different smartphones.
If a password manager doesn’t seem right for you, another option would be to create a random passphrase. A passphrase is usually made up of 6 or 7 words that have no logical connection to each other, like “ScootExceptsTailsNotchMccarthySedate” or “DepositbaconbruegelTyphoidReptilesValuing”. Though they tend to be much longer than a typical password, passphrases can be much easier to remember because they are made up of actual words.
Again, it’s important that there be no logical or personal connection between the words. To make it easy, there are plenty of free online sites that can generate random passphrases for you such as UseAPassPhrase.com and Untroubled.org Secure Passphrase Generator.
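The length, keyspace and passphrase points above can be put into numbers. This added example (not code from the original article) computes the entropy of a uniformly random password from its pool size and length, compares the 8-character/94-symbol and 16-digit cases from the complexity section with a 12-character alphanumeric password and a 6-word passphrase, and converts each to an expected cracking time. The 7,776-entry word list and the guess rate of ten billion per second are assumptions chosen for illustration.

```python
import math

# Character-class sizes used on this page: 26 + 26 + 10 + 32 = 94 printable
# ASCII characters. The word-list size is an assumption (a Diceware-style list).
LOWER, UPPER, DIGITS, SPECIAL = 26, 26, 10, 32
ASSUMED_WORDLIST = 7776

def pool_size(password: str) -> int:
    """Character pool implied by the classes actually present in password."""
    classes = (
        (any(c.islower() for c in password), LOWER),
        (any(c.isupper() for c in password), UPPER),
        (any(c.isdigit() for c in password), DIGITS),
        (any(not c.isalnum() for c in password), SPECIAL),
    )
    return sum(size for present, size in classes if present)

def keyspace_bits(pool: int, length: int) -> float:
    """log2(pool ** length): entropy of a password chosen uniformly at random."""
    return length * math.log2(pool)

def passphrase_bits(words: int, wordlist_size: int = ASSUMED_WORDLIST) -> float:
    """Entropy of a passphrase whose words are drawn at random from the list."""
    return words * math.log2(wordlist_size)

def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time to reach the right guess: half the keyspace at the given rate."""
    return 2.0 ** bits / 2.0 / guesses_per_second

def strength_table(guesses_per_second: float = 1e10) -> list:
    """Rows of (label, bits, expected seconds) for the cases discussed above.
    The guess rate is an assumed stand-in for an offline cracking setup."""
    cases = [
        ("8 chars, 94-symbol pool", keyspace_bits(94, 8)),
        ("16 digits only", keyspace_bits(10, 16)),
        ("12 chars, alphanumeric", keyspace_bits(62, 12)),
        ("Fw-$G-J*K8u8W5xr (16 chars, measured pool)",
         keyspace_bits(pool_size("Fw-$G-J*K8u8W5xr"), 16)),
        ("6 random words", passphrase_bits(6)),
    ]
    return [(label, round(b, 1), expected_crack_seconds(b, guesses_per_second))
            for label, b in cases]

if __name__ == "__main__":
    for label, bits, secs in strength_table():
        print(f"{label:45} {bits:6.1f} bits  ~{secs / 86400:14.1f} days")
```

These figures hold only for passwords chosen at random: “Summer2019!” draws from the same 94-symbol pool as the random example above but is found by a pattern-based guess long before its nominal keyspace is searched.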
Total Account Security
At the end of the day, it's important to recognize that the security of your accounts should not rely solely on the strength of your passwords. Even the strongest passwords can become compromised through spyware, phishing, or other social engineering tactics. That’s why it’s important that you reset your passwords/phrases regularly. Recommendations vary, but it is advised that passwords be changed every 3 to 4 months and that every new password is different from the last 3 you used.
So much of our lives is connected to and depends on our access to online accounts like banking, health care, and insurance, to name a few. The idea that those accounts could be exploited because of a compromised password is unsettling. If such a thing were to actually occur, it could be detrimental to both your personal and professional life. Passwords can become compromised in a number of ways, and with advances in technology and computing power, having a single password act as the sole means of account authorization is becoming less reliable. In fact, having multiple account authorization methods is becoming the new norm.
Many people are turning to multi-factor authentication to protect their important accounts. Multi-factor authentication is the use of multiple modes of identification layered together in order to confirm the identity of the person trying to access the account. This way, if one factor became compromised, it wouldn’t threaten the security of the entire account.
Requiring multiple proofs of identity greatly increases overall security, and there are many different options available that can be used in addition to passwords.
Multi-factor authentication can be broken down into 3 different groups:
- Something you know
- Something you are/do
- Something you have
Something You KNOW
This is the most common of the factors in authentication.
These authentication factors are ones that use something that can be remembered, such as a username and password, a PIN, or a security question.
Something You ARE/DO
“Something you are” authentication factors are becoming increasingly popular because they are nearly impossible to artificially reproduce, making them very reliable. These factors use biometrics, the identification of an individual by their unique body features. Examples include retina scanning, vein prints, fingerprints, and facial recognition.
“Something you do” authentication factors are also related to biometrics but focus on the behavioral habits of a person. This can include habits like the way a person writes, searches the internet, or holds a phone.
Something You HAVE
These authentication factors rely on a person keeping an item in their possession and presenting it in order to gain access. These could be things such as smart cards, certificates, RSA keys, or RFID badges.