There has been a lot written about passwords in the last few days, and the industry is trying to move people away from passwords with FIDO (Fast IDentity Online), but passwords will still be around for a while, and they are critical in protecting your data. Here are my thoughts.
The latest advice from NIST and Microsoft indicates that you only need eight-character passwords with no complexity rules and no expiry, because if you enforce those controls your users will create weaker passwords. OK, I say this a bit tongue-in-cheek: the advice does go into specifics, such as checking passwords against lists of known bad passwords and using MFA, but honestly, people don’t read that far. They just see "I need an eight-character password"…happy days!
How a password should be made up depends on what it is protecting. Here is my advice:
- Password length is still relevant. An eight-character random password of just lowercase letters will take about 5 seconds to crack*. Increase that to 10 characters and it takes about an hour; 12 characters takes 4 weeks, and 14 takes 51 years. This example uses lowercase letters only, so yes, length still matters. But length alone is not enough: sticking several basic words together to make a 15-character password will not make it strong, and using ‘blackblackblack’ or any other repeating pattern to meet a 15-character minimum creates an easily guessed password. We do need to think about it.
- Add some complexity to your password. It does not have to be complicated: adding a capital letter and a number or two can significantly increase the time it would take to crack the password. If we go back to our example 8-character password and replace two of the letters with a number and a capital letter, the time goes from 5 seconds to 2 hours, and if I replace another letter with a non-alphanumeric character like @, it extends to 9 hours. The 14-character password with a number and an uppercase letter becomes 10 million years to crack.
- How do you remember such a long password? That is a good question. The best way is to use a password manager, but there may be times when you just need to remember the password. This is where you may have seen articles referring to passphrases rather than passwords. The idea is that you use a much longer passphrase that is easy for you to remember, such as a short sentence; add some complexity to it and you have a good passphrase. For example, the sentence ‘i like black dogs’ with some complexity added might become ‘I like 5 black dogs’. This example would take 117 quintillion years to break, and that’s a large number!
- Use multi-factor authentication (MFA) wherever you can. MFA, 2FA or two-step authentication is where you use another form of authentication in addition to your username and password. This is usually a text message to your phone, an email code, a one-time password from an app, or a push notification. Check the security or password section of the website you are using to see where to turn it on, and use it. A push notification is better than a text message, so pick that if you can. MFA is not entirely secure, so don’t go using a weak password thinking MFA will save you. Turning on MFA is just another layer of security you should enable.
- Don’t reuse passwords, or similar ones. Criminals will find a compromised account of yours and try that password, or variations of it, on other platforms. So if they have your password from a LinkedIn breach, they will try it on Facebook, Instagram, etc. to take over those accounts. The best way to combat this is to use completely different passwords on different websites. That creates the next problem, how to remember them all, which leads back to weak passwords again, such as a common root password combined with the service name, e.g. ‘strongpass-FB’ and ‘strongpass-Insta’. A password manager such as LastPass or 1Password can help with this, and I strongly suggest you use one.
- Stay aware, and a little paranoid. It sounds like a joke, but honestly, the easiest way for a criminal to get your password is simply to ask for it. Social engineering tactics such as phishing are a growing threat. Be wary of emails that ask for any information or try to get you to click on links. Common ones pretend to be security related: you need to reset your password, there is a refund waiting, an order needs cancelling, etc. Think before you click, and hover your mouse over the links: do they look correct? Try this exercise for fun: https://phishingquiz.withgoogle.com – you can click on this 🙂 No? OK, search Google for "phishing quiz" and give it a go; you may learn something.
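The length, complexity and passphrase points above all come down to one calculation: the number of guesses an exhaustive search needs is (alphabet size) to the power of (length). The following Python script is an added example, not code from the post or from any password-strength tool it refers to. It assumes an attacker rate of 40 billion guesses per second (an assumption chosen because it roughly reproduces the post's "eight lowercase characters in about 5 seconds" and "14 characters in 51 years"); the symbol set and the repeat-count factor for patterns like ‘blackblackblack’ are also assumptions, so the absolute figures will not match the post's other numbers exactly. What it shows is how the estimate grows with length and alphabet, and why a repeated word does not earn the full length it appears to have.

```python
import string
from typing import Optional

# Assumed attacker speed (an assumption for this example, not a figure from the post):
# 40 billion guesses per second, which roughly reproduces "8 lowercase chars ~ 5 s".
GUESSES_PER_SECOND = 4e10

# Character classes and their sizes; an attacker who knows a class is in use must cover all of it.
CLASSES = {
    "lower": set(string.ascii_lowercase),     # 26
    "upper": set(string.ascii_uppercase),     # 26
    "digit": set(string.digits),              # 10
    "symbol": set(string.punctuation + " "),  # 33 (assumed symbol set)
}


def alphabet_size(password: str) -> int:
    """Sum of the sizes of the character classes actually present in the password."""
    return sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in password))


def repeated_unit(password: str) -> Optional[str]:
    """Shortest string whose repetition equals the password ('black' for 'blackblackblack'), else None."""
    n = len(password)
    for k in range(1, n // 2 + 1):
        if n % k == 0 and password[:k] * (n // k) == password:
            return password[:k]
    return None


def effective_keyspace(password: str) -> int:
    """Guesses needed for an exhaustive search.

    A repeated unit does not earn the full length: an attacker guesses the unit and then
    tries a few repeat counts (assumed up to 8 here), so 'blackblackblack' is closer to a
    5-character password than a 15-character one.
    """
    unit = repeated_unit(password)
    if unit is not None:
        return alphabet_size(unit) ** len(unit) * 8
    return alphabet_size(password) ** len(password)


def seconds_to_crack(password: str) -> float:
    """Worst-case time for an exhaustive search at the assumed guess rate."""
    return effective_keyspace(password) / GUESSES_PER_SECOND


def human_time(seconds: float) -> str:
    """Render seconds in the largest convenient unit."""
    units = [("years", 365.25 * 86400), ("weeks", 7 * 86400), ("days", 86400),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.2g} seconds"


def report(password: str) -> dict:
    """Summarise the inputs to the estimate alongside the estimate itself."""
    return {
        "length": len(password),
        "alphabet": alphabet_size(password),
        "repeated_unit": repeated_unit(password),
        "crack_time": human_time(seconds_to_crack(password)),
    }


if __name__ == "__main__":
    # Constructed sample passwords mirroring the post's examples.
    for pw in ["abcdefgh", "abcdefghij", "abcdefghijkl", "abcdefghijklmn",
               "abcdef8H", "abcde@8H", "blackblackblack", "I like 5 black dogs"]:
        print(f"{pw!r:24} {report(pw)}")
```

Run it and compare the lowercase-only rows with the passphrase row: the 19-character sentence with a capital, a digit and spaces lands in an entirely different order of magnitude, while ‘blackblackblack’ comes out as crackable in a fraction of a second despite its 15 characters.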
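Two of the checks mentioned above, screening passwords against a list of known bad ones (the NIST/Microsoft advice) and catching reuse or near-reuse such as ‘strongpass-FB’ next to ‘strongpass-Insta’, can be run over an exported password-manager vault. The script below is an added example, not code from the post or from LastPass or 1Password. The vault entries and the blocklist are constructed sample data, and the similarity cut-off of 0.6 is an assumption to tune for your own vault.

```python
from difflib import SequenceMatcher
from itertools import combinations
from typing import List, Tuple

# Constructed sample vault (not real credentials): (site, password) pairs.
VAULT = [
    ("linkedin", "Summer2019!"),
    ("twitter", "Summer2019!"),
    ("facebook", "strongpass-FB"),
    ("instagram", "strongpass-Insta"),
    ("bank", "x7#Qp9vL!mZ2"),
]

# Constructed stand-in for a known-bad password list; in practice this would be a
# breach-derived list, compared case-insensitively.
BLOCKLIST = {"password", "summer2019!", "qwerty123", "letmein"}

SIMILARITY_THRESHOLD = 0.6  # assumed cut-off for "too similar"


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] of matching characters between two passwords, case-insensitive."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def blocklisted(vault) -> List[str]:
    """Sites whose password appears on the known-bad list."""
    return [site for site, pw in vault if pw.lower() in BLOCKLIST]


def reuse(vault) -> List[Tuple[str, str, str]]:
    """Pairs of sites sharing an identical or near-duplicate password."""
    findings = []
    for (site_a, pw_a), (site_b, pw_b) in combinations(vault, 2):
        if pw_a == pw_b:
            findings.append((site_a, site_b, "identical password"))
        else:
            score = similarity(pw_a, pw_b)
            if score >= SIMILARITY_THRESHOLD:
                findings.append((site_a, site_b, f"near-duplicate (similarity {score:.2f})"))
    return findings


def audit(vault) -> List[Tuple[str, str, str]]:
    """Combine both checks; single-site findings carry an empty second site."""
    findings = [(site, "", "on known-bad list") for site in blocklisted(vault)]
    findings.extend(reuse(vault))
    return findings


if __name__ == "__main__":
    for site_a, site_b, reason in audit(VAULT):
        print(f"{site_a:10} {site_b:10} {reason}")
```

Only the random ‘bank’ password survives both checks: the shared ‘Summer2019!’ is flagged twice (blocklisted and identical), and the two service-suffix variants score well above the threshold even though they are not identical strings.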
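The "hover over the link and see whether it looks correct" habit can be automated for an email body: compare the domain shown in the link text with the domain the href actually points to, and flag links to bare IP addresses. The script below is an added example, not from the post or from Google's phishing quiz. The sample email is constructed and uses the reserved .example and .invalid names and a documentation IP range; the two-label "registrable domain" shortcut is a simplification that a real tool would replace with the public suffix list.

```python
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed sample email body (not from the post); hosts use reserved names only.
SAMPLE_EMAIL = """
<p>Your account needs verification. Log in at
<a href="https://bank.example.secure-login.invalid/reset">https://bank.example/reset</a>
within 24 hours.</p>
<p>Questions? Visit <a href="https://bank.example/help">our help centre</a>.</p>
<p>Track your refund: <a href="http://203.0.113.7/refund">refund status</a></p>
"""

DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every anchor in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._open = None  # [href, accumulated text] of the anchor being read

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append((self._open[0], self._open[1]))
            self._open = None


def registrable_part(host: str, labels: int = 2) -> str:
    """Last two labels of a hostname (simplification: no public suffix list)."""
    return ".".join(host.lower().split(".")[-labels:])


def suspicious_links(html: str) -> List[Tuple[str, str, str]]:
    """Return (visible text, href, reason) for links whose destination does not match what is shown."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if IP_RE.match(host):
            findings.append((text.strip(), href, "link points at a bare IP address"))
            continue
        shown = DOMAIN_RE.search(text)
        if shown and registrable_part(shown.group(1)) != registrable_part(host):
            findings.append((text.strip(), href,
                             f"displayed domain {shown.group(1)} but link goes to {host}"))
    return findings


if __name__ == "__main__":
    for text, href, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}\n  text: {text}\n  href: {href}")
```

The legitimate help-centre link passes because its text carries no domain to contradict; the reset link is caught because the domain in the text and the domain in the href differ, which is exactly what hovering would reveal.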
There are a lot of different opinions about passwords and how to manage them, and the right answer depends on the person or organisation. These are just some of my observations and tips. I hope some of them have been useful.
Stay safe out there.