Password Security Best Practice
How many passwords do you have to remember in a day?
In today’s world, we are constantly bombarded by passwords. Whether they are used to log into email services, social media platforms, or even games, they are everywhere. By now, we have all heard the mantra, “Use a strong password!” and have likely heard many tips on how to generate and remember one.
One of the most common methods I’ve heard of is to choose a memorable sentence or phrase, e.g. “It was the best of times, it was the worst of times.” Take the first letter of each word to create the base of your password ("iwtbotiwtwot"), change some of the letters to uppercase ("iwTBotiwTWot"), then add some numbers and punctuation symbols ("55iwTBot!iwTWot9"). Voila, now you have a new strong password! However, the steps required to generate and memorize that password are quite painful. Complex passwords like this are difficult to remember, especially if you need a unique password for every site or application.
How do most people manage their passwords then?
What I often see is that users either record passwords on Post-It notes, in notebooks, and in spreadsheets, or recycle one password across many sites with a small tweak, e.g. "password1", "password2". Unfortunately, these coping mechanisms put individuals and organizations at significant risk of a cyber attack.
If passwords are written on a physical medium like a Post-It note or a notebook, anyone with physical access, such as coworkers and cleaning staff, can snap a photo and steal the credentials in under a second. In some extreme circumstances, credentials have been leaked through media interviews (https://www.businessinsider.com/hawaii-emergency-agency-password-discovered-in-photo-sparks-security-criticism-2018-1). When attackers break into a computer, one of the first things they look for is text files and spreadsheets containing usernames and passwords. Recycling and adapting passwords is an even bigger risk. Attackers frequently post dumps on the Dark Web of usernames and passwords from sites they have breached. One common follow-on attack, known as credential stuffing, is to take those leaked credentials and replay them against frequently used services like Office 365, Gmail, and Facebook; every account that shares the leaked password falls with it, and a password that only differs by a trailing digit is guessed almost as quickly.
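A practical check against the credential-dump threat described above, added here as an example and not part of the original post: the Pwned Passwords range API lets you ask whether a password appears in known breach dumps without ever sending the password. The client hashes the password with SHA-1, sends only the first five hex characters of the digest, gets back every suffix in that range together with a breach count, and does the match locally (k-anonymity). The Python below is an added example; the HTTP fetch targets the real endpoint but is not exercised offline, the User-Agent string is an arbitrary choice, and SAMPLE_RANGE_RESPONSE is a constructed stand-in for the API's reply whose first suffix is the real SHA-1 of "password" and whose other suffixes and all counts are made up.

```python
import hashlib
import urllib.request

# Constructed stand-in for the range endpoint's reply for prefix 5BAA6.
# Each line is "<remaining 35 hex chars of the SHA-1>:<times seen in breaches>".
# The first suffix is the real SHA-1 of "password"; the other suffixes and all
# counts are made up for the demonstration.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
0B4A3B12B6DDF5E9A2F06D0F5E2B0F1A3C4:2
2A6C1B9E6D8F0A1B2C3D4E5F6A7B8C9D0E1:15
"""

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix that
    is sent to the API and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into a dict; skip blank lines, reject garbage."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or len(suffix) != 35 or not count.isdigit():
            raise ValueError(f"malformed range line: {line!r}")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix):
    """Real network fetch (not run offline). Only the 5-char prefix is sent."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "password-hygiene-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def offline_fetch(prefix):
    """Stand-in for fetch_range that serves the constructed sample for its prefix."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def breach_count(password, fetch=fetch_range):
    """How many times the password appears in known dumps (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "Kitten Tractor Pulling Skyscrapers"):
        n = breach_count(candidate, fetch=offline_fetch)
        verdict = f"seen {n:,} times in breach dumps; do not use" if n else "not in the sample range"
        print(f"{candidate!r}: {verdict}")
```

Swap `offline_fetch` for the default `fetch_range` to query the live service; a non-zero count means the password has already been leaked somewhere and will be in the dumps attackers replay, so it should be retired even if it looks complex.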
So how do you stay safe in light of these threats?
Here are two approaches:
1. Use a passphrase instead of a complex password:
Using a passphrase made of unrelated words separated by spaces is far easier for humans to remember and still expensive for computers to crack. For example, the estimator linked at the end of this section puts the password we generated at the beginning of this post at approximately 8,930,931,513 centuries to crack with current technology, while the passphrase “Kitten Tractor Pulling Skyscrapers” comes out at 3,251,514 centuries. Two caveats apply to any such estimate: the figure depends on the guess rate the tool assumes (an offline attack on a leaked hash is millions of times faster than guessing against a login form), and an attacker who knows you use passphrases will guess combinations of dictionary words rather than individual characters, so the strength comes from how many words you use and from picking them at random from a large list, not from a favourite quote. This approach has the least friction, since it requires the least behavioural change. The downside is that users still need to memorize a number of passphrases. If you would like to test how strong your passwords are, this site will estimate how long they would take to crack: https://www.useapassphrase.com/
2. Use a password manager:
Password managers take the labour and annoyance out of generating and memorizing passwords. LastPass, for example, integrates into most browsers and installs on your phone, so you have access to your passwords wherever you go. It can generate and store a unique random password for every site and app you use, and it autofills username and password fields on web forms. All vault data is encrypted on your own device with a key derived from your master password, so nobody else, the vendor included, can read your passwords. That also makes the master password the one password you still have to choose well and remember: make it a long passphrase, never reuse it anywhere, and turn on multi-factor authentication for the manager itself. The downside is that users have to be willing to break old habits and learn new ones. However, most people get used to the change within a week or two and cannot imagine going back to memorizing their passwords.
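The strength claims behind both approaches come down to the same arithmetic: a secret built from N positions, each chosen uniformly at random from M options, has N·log2(M) bits of entropy, and the expected crack time is half that keyspace divided by the attacker's guess rate. The Python below is an added example (not from the original post and not the code of any password manager): it generates a random-word passphrase for approach 1 and the kind of random-character password a manager generates for approach 2, then estimates the time to crack several typical choices at two assumed guess rates. The inline word list and both guess rates are constructed assumptions; the 7776-word list size is that of the EFF long word list used for diceware-style passphrases.

```python
import math
import secrets
import string

# Constructed word list for the demonstration only. A real list such as the
# EFF long word list has 7776 words; that size is used in the arithmetic.
SAMPLE_WORDS = ["kitten", "tractor", "pulling", "skyscraper", "anchor", "velvet",
                "quartz", "lantern", "meadow", "compass", "saddle", "ember"]
EFF_LONG_LIST_SIZE = 7776
# What a manager-generated password draws from: letters, digits, punctuation (94 symbols).
CHAR_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Assumed attacker guess rates, constructed for the comparison.
ONLINE_RATE = 100        # guesses/s against a rate-limited login form
OFFLINE_RATE = 10 ** 10  # guesses/s against a leaked fast hash on GPUs


def entropy_bits(alphabet_size, positions):
    """Entropy of `positions` independent, uniformly random picks from `alphabet_size` options."""
    if alphabet_size < 2 or positions < 1:
        raise ValueError("need at least two choices and one position")
    return positions * math.log2(alphabet_size)


def expected_crack_seconds(bits, guesses_per_second):
    """Average time for exhaustive search: half the keyspace is tried before the hit."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def human_time(seconds):
    """Render a duration in the largest unit that fits."""
    year = 365.25 * 24 * 3600
    for unit, size in (("centuries", 100 * year), ("years", year),
                       ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def generate_passphrase(words, count=5, sep=" "):
    """Approach 1: pick the words uniformly at random with a CSPRNG, never by hand."""
    return sep.join(secrets.choice(words) for _ in range(count))


def generate_password(length=20, alphabet=CHAR_ALPHABET):
    """Approach 2: the unique random string a password manager generates per site."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(rates=(ONLINE_RATE, OFFLINE_RATE)):
    """Entropy and expected crack time of typical choices under each guess rate."""
    scenarios = {
        "4 random words (7776-word list)": entropy_bits(EFF_LONG_LIST_SIZE, 4),
        "6 random words (7776-word list)": entropy_bits(EFF_LONG_LIST_SIZE, 6),
        "16 random characters": entropy_bits(len(CHAR_ALPHABET), 16),
        "20 random characters": entropy_bits(len(CHAR_ALPHABET), 20),
    }
    return {name: (bits, {rate: expected_crack_seconds(bits, rate) for rate in rates})
            for name, bits in scenarios.items()}


if __name__ == "__main__":
    print("passphrase:", generate_passphrase(SAMPLE_WORDS))
    print("password:  ", generate_password())
    for name, (bits, times) in compare().items():
        print(f"{name:34s} {bits:6.1f} bits  "
              + "  ".join(f"@{rate:.0e}/s: {human_time(t)}" for rate, t in times.items()))
```

Running it shows why the number of words matters more than the character count: four random words from a 7776-word list give about 52 bits, which is ample against a throttled login form but only a couple of days against an offline attack at 10^10 guesses per second on a fast hash, whereas six words (about 78 bits) or a manager-generated 20-character password (about 131 bits) hold up in both scenarios. A human-chosen phrase has far less entropy than these figures, because the words are not uniformly random.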
The take-home message is that the world is changing faster than humans can adapt, and passwords are one of the weakest aspects of cybersecurity. Taking the time to break old password habits and adopt new ones now is one of the best ways to keep yourself and your organization safe online.
Don't forget to take a look at our other content, and subscribe to be notified of new updates. Drop us a comment about other troublesome technology tasks you struggle with in your day-to-day life; we may be able to shed some light on them.