Passwords continue to be one of the main contributors to compromise and cyber attack. We frequently identify and exploit password vulnerabilities during our security assessments, and this was one of the driving factors behind our Active Directory Password Audit service. Although NIST revised its password security guidance a few years ago, mass adoption is still slow and we as a society still have a way to go.
So as it’s World Password day, we thought what better day to provide a refresher on choosing good passwords?!
#1 Length is more important than complexity
L3tmein is not a secure password. S3cur3! is not a secure password. We’ve all been told to include a number and a special character, and we’re most likely going to use the number(s) 1 or 123 if adding them to the end of our password. When it comes to special characters we like to use exclamation marks (!) because we all love to exclaim our passwords! We need to start focusing on length instead of complexity.
If the minimum length is sufficient, complexity should be encouraged but not enforced. We recommend that our clients enforce a minimum of 16 characters in their password policies; more is always better. Which leads us on to…
#2 Use a password manager
In the distant past we were all arguing that we wanted security and usability in a nice, simple succinct package, but that package didn’t exist anywhere. “We want secure passwords that are easy to use and we want them right now!” Guess what, you can have it right now.
Put simply, password managers generate and store really secure passwords for you without you having to remember them. You access your manager using one very long and secure password and the manager handles the rest.
There are plenty of online and offline options available, some free and some paid that may offer extra functionality, and many offer mobile apps to ensure your keys to the kingdom are with you wherever you are.
Always bear in mind, however, that password managers are not supposed to be a silver bullet; they just need to be better than not using them, and that’s exactly what they are. No one is impenetrable, and adding layers of security is called defence in depth, which helps ensure a potential attacker gets bored and moves on. Troy Hunt wrote a great blog expanding on this a few years ago.
#3 Passphrases over passwords
If you’re not on board with password managers yet, try to adopt a mentality of choosing a phrase/sentence over a single word, which will in turn passively achieve #1 from earlier. In terms of resilience to attack, “The cat sat on the m4t”, for example, is substantially stronger than “S3cure123!”, even without substituting the a for a 4.
But even that slight change coupled with a starting capital letter is still very easy to remember and dramatically increases password security. Another characteristic of the above example password is… (you may have already spotted it!)…
#4 Use spaces!
Use them wherever possible. They’re a valid character, and when you’re informed you cannot use them it’s generally down to the way the application/website has been designed rather than an inherent incompatibility.
Microsoft Windows supports them, so, thinking about promoting length and choosing passphrases, go and change your Windows logon password to something like (don’t actually use this) “I’m gonna make him an offer he can’t refuse” (good film quote!), which is super long, already includes special characters, and is also, quite frankly, super awesome in itself!
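To make #1, #3 and #4 concrete, here is an added Python example (not code from the original post) that applies the policy described above: a 16-character minimum, spaces allowed, complexity advised but not enforced, plus a rough brute-force search-space estimate that compares the post’s own example passwords. The character-class sizes and the “usual suffix” pattern are assumptions made for the illustration.

```python
import math
import re

# Assumed character-class sizes for the search-space estimate: 26 lower, 26 upper,
# 10 digits and 33 printable ASCII symbols (space counts as a symbol).
_CLASSES = {
    "lower": (re.compile(r"[a-z]"), 26),
    "upper": (re.compile(r"[A-Z]"), 26),
    "digit": (re.compile(r"[0-9]"), 10),
    "symbol": (re.compile(r"[^A-Za-z0-9]"), 33),
}

# The suffixes the post calls out: 1, 123 or a short number bolted onto the end,
# optionally followed by the obligatory exclamation mark(s).
_USUAL_SUFFIX = re.compile(r"(\d{1,4}!*|!+)$")


def search_space_bits(password: str) -> float:
    """log2(alphabet ** length) for the character classes actually present.

    'S3cure123!' is charged for 95**10, 'The cat sat on the mat' for 85**22.
    This is an upper bound on attacker effort (dictionary attacks do far better),
    but it is enough to show that length dominates complexity."""
    alphabet = sum(size for pat, size in _CLASSES.values() if pat.search(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def check_password(password: str, min_length: int = 16) -> dict:
    """Apply the policy from the post: length is enforced, complexity is advised.

    Spaces are deliberately accepted so passphrases pass. Returns the verdict,
    the search-space estimate and any advisory notes."""
    notes = []
    ok = len(password) >= min_length
    if not ok:
        notes.append(f"shorter than {min_length} characters")
    if _USUAL_SUFFIX.search(password):
        notes.append("ends in the usual digits/'!' suffix, which adds little strength")
    return {"ok": ok, "bits": round(search_space_bits(password), 1), "notes": notes}


if __name__ == "__main__":
    # Constructed inputs taken from the examples in the post.
    for pw in ("L3tmein", "S3cur3!", "S3cure123!", "The cat sat on the mat",
               "The cat sat on the m4t", "I'm gonna make him an offer he can't refuse"):
        print(f"{pw!r}: {check_password(pw)}")
```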
#5 Don’t reuse passwords
Password reuse is one of the biggest problems we have and is the single contributing factor behind attacks like credential stuffing, where an attacker who has obtained a large volume of username/password pairs from a publicly available data breach tries those credentials across a variety of other websites, looking for further ways to compromise the victim.
#6 Use 2-factor authentication
Wherever you have the option to enable 2FA, do it. Like password managers, this is not a silver bullet, but if an attacker is able to obtain your username/password, 2FA drastically reduces the chance of them being able to compromise your account.