One of the most talked-about topics in cybersecurity is how to create strong passwords and manage them in a way that keeps your accounts secure. Why is password protection so important? A significant portion of security incidents and breaches occur because of bad passwords. According to Verizon’s 2018 Data Breach Investigations Report, 81 percent of all hacking-related data breaches involved weak or stolen passwords.
And a compromised account doesn’t just affect the account the password is used for. Once a hacker gains access to one account on your network, they may be able to find their way into other accounts if you don’t have security technologies and processes in place to protect them. While passwords aren’t the only thing you need to secure your network and data, they should be an important part of your cybersecurity strategy.
There are a lot of well-known, useful password recommendations out there, but there are also some misconceptions. In this post, we’ll separate fact from fiction, explore how hackers crack passwords and give you five tips for developing the perfect password.
Table of Contents
- Go Long
- Keep It Random
- Include Special Characters
- Avoid Changing Your Passwords Unless You Have To
- Use Third-Party Password Managers
- Don’t Rely on Passwords Alone
1. Go Long
Using passwords that were eight to 10 characters long used to be considered good practice. However, as password cracking methods have evolved, experts have started to recommend using even longer passwords.
Today, hackers can relatively affordably build extraordinarily powerful password-cracking tools. These tools can attempt tens of millions of password combinations every second. The shorter the password, the fewer possible combinations, and the faster hackers can guess it using one of these password-guessing tools.
The popularity of this brute force approach to password cracking means common passwords tips and tricks, such as inserting special characters, capital letters and making your password more random, are less effective. That doesn’t mean you should stop using special characters and capital letters — they’re still important for creating a strong password — but it does mean they’re not enough on their own.
In today’s world, you need to create longer passwords to keep your information secure. Current password length best practice says passwords should be at least 12 characters, but longer is always better. Every character you add makes your password harder to break.
The website Better Buys created an online tool that estimates how long it would take an experienced hacker to guess passwords using the brute force method. According to the site, here’s how long it would take to crack passwords of various lengths:
- Seven characters: .29 milliseconds
- Eight characters: five hours
- Nine characters: five days
- 10 characters: four months
- 11 characters: one decade
- 12 characters: two centuries
As you can see, adding just one character to your password makes it much harder to crack. Password guidelines from the National Institute of Standards and Technology (NIST) require that federal agencies make passwords at least eight charactersin length but recommend that they allow users to create passwords that are up to 64 characters long. A 64-character password may not be absolutely necessary, but it’s substantially more secure than a password with fewer characters.
Consider creating passphrases instead of passwords. Instead of a single word, you’ll use a phrase or sentence. Your passphrase should still be sufficiently random and use a combination of character types. While longer keys are harder to guess, a long but common phrase is still not secure.
2. Keep It Random
As mentioned in the section above, making your passwords sufficiently random is also crucial to making them secure.
Of course, you want to avoid using common passwords, including easily guessed words such as “password” and “user” as well as adjacent key combinations such as “qwerty” and “123456.” You also shouldn’t use things that are unique to you but are relatively common passwords, such as birth dates, anniversaries, names of family members, names of pets and phone numbers. These elements may not be as private as you think, and someone may be able to find them by doing a bit of snooping around online. It’s also wise to avoid common pop culture and sports references.
Even seemingly random approaches may be too obvious. For example, substituting “$” for “S” and “3” for “e” are common password-making tactics. This approach is now well-known and easy to guess. “P@$$word” is not really a much stronger choice than “Password.”
Even if you’re using a passphrase, you should choose random words instead of words that are related to each other. Listing your children’s’ names will not be especially secure, although it would be a stronger password than just the name of one of your children. For the most secure passwords, you should avoid using personal words at all in a passphrase. Likewise, a sentence from a popular book is less secure than a long string of random words.
Essentially, the more random a password is, the stronger it is. For an especially random password, you can use an online random password generator tool. There are also various methods for manually creating complex passwords. Cybersecurity expert Bruce Scheiner recommends, for example, coming up with a sentence, then abbreviating and combining the words in the sentence, capitalizing some letters and adding in symbols.
The reason is that hackers who are using a brute force method to guess a password will typically start with the most common passwords. They may use a database of common or already-cracked passwords and guess these passwords first. They may also look at common patterns of password makeup and then substitute in the information of the user they’re targeting. For instance, if a common password format is pet’s name, birthday, exclamation point, name of hometown, the hacker could try to find that information for the user in question.
As an organization, it’s useful to obtain a list of commonly used and already-cracked passwords and banning them from use. It’s also useful to place a limit on failed login attempts to help thwart potential brute force attacks.
3. Include Special Characters
Using special characters, such as punctuation marks and other symbols, has long been recommended for creating strong passwords. This guideline still holds true today. In fact, most password fields require that you use at least one symbol as well as a combination of numbers and upper case and lower case letters.
Putting special characters in the middle of the password or in the middle of words is much more beneficial than placing them at the beginning or end. Most people place their symbols at the beginning or end of their passwords, which means it will be the first format hackers try. The more randomly you can spread your symbols throughout your password, the better. The same goes for capital letters. Most people capitalize the first letter of words in their key, but capitalizing random letters makes the password even harder to guess.
It can also be helpful to opt for less commonly used symbols, such as carets, tildes and brackets if the site or software allows them. Hackers are more likely to guess common symbols such as question marks, exclamation points and dollar signs.
As mentioned above, avoid substituting symbols for letters that they look like. It’s easy to guess, for instance, that someone used “@” in place of an “a.” It’s much harder to guess a random “}” thrown into the middle of a word.
4. Avoid Changing Your Passwords Unless You Have To
A common piece of password advice is that you should change your passwords every few months or so. Companies often require their employees to follow this rule. Today, however, this practice is not recommended. According to a study from researchers at Carleton University, requiring frequent password changes makes only minor improvements to security that may not outweigh the costs.
Required password changes could even weaken security. When forced to change their password every 90 to 180 days or so, most people will resort to practices that make their accounts less secure. They may simply rehash an old password, which significantly decreases the effectiveness of changing your password. Even if companies ban password reuse, employees may find a way around it by slightly modifying an old password.
Requiring regular password changes also makes it more likely that employees will choose weaker passwords so that they don’t have to memorize a new strong password every few months. Users may also compensate by storing their passwords in insecure places, such as in plain text on their computer or in a notebook that someone could easily steal. Instead of requiring periodic password changes, organizations should focus on helping their employees make strong passwords the first time. This strategy is easier for users and may improve security in the long run.
Because of the risks of required password changes, password policy best practices from NIST now recommend that employers only require password changes if a potential threat arises or a compromise occurs. Changing passwords in this situation is crucial, as is taking other measures to eliminate the threat.
When directing users to change their passwords, employers should emphasize that they not reuse or make slight modifications to old passwords. If a hacker has an old password, they may be able to guess the new one if it’s not substantially different from the previous one. Employers should require that users instead create completely new but still strong passwords.
5. Use Third-Party Password Managers
Another option for creating strong passwords and managing your passwords for various sites and programs is to use a third-party password manager. These systems will autofill your passwords for you, which will save you from having to memorize and type out lots of passwords. Knowing that they don’t have to type out their passwords can encourage employees to make stronger ones. Most password managers will also generate long, random, complex versions for you, which makes it even more likely that employees will use strong passwords.
There are various cloud-based password management services that you can now use, including LastPass, 1Password and Dashlane. You can also use a locally hosted password management program such as KeePass, RoboForm or Password Safe. Some browsers, including Chrome and Safari, have a built-in password manager, and Apple lets you store passwords in your iCloud Keychain. These types of programs can be useful if you largely use one browser or devices from just one company, such as Apple. The benefit of a third-party password manager is that it works across numerous platforms no matter which company made it.
Most password managers encrypt and store all passwords with the exception of the master password you use to access the manager. Some password managers won’t allow you to recover your master password. You’ll need to memorize your master password or write it down and store the physical paper in a secure location. It’s important that the master password is exceptionally strong, as that is, of course, the password that protects all of your other ones.
Some password managers also include other features, such as the ability to use two-factor authentication or biometric identification like a fingerprint or Face ID to log in. They may also monitor accounts for breaches, warn you if you have any weak passwords and securely back up your passwords. In addition to passwords, some of these programs also store credit card information.
Don’t Rely on Passwords Alone
While passwords are an important part of ensuring security, they’re far from the only thing you need to keep your networks and data safe. It’s good practice to use authentication methods that go beyond passwords, such as two-factor authentication, which involves using another method in addition to a username and password to confirm identity. This other method may be a one-time code sent to a device or a unique USB token. That way, even if a hacker cracks your password, they still can’t access your account.
You can also use advanced authentication methods such as biometric identification, which includes fingerprint scans, facial recognition, voice recognition and other methods. Behavioral biometrics create a profile of how each user typically interacts with a system by tracking things such as the applications they use and how they typically use their keyboard and mouse.
Of course, not all breaches come from stolen, hacked or guessed passwords. There’s a wide range of other threats too, such as malware, ransomware, phishing, denial-of-service attacks and insider attacks. To address the many, varied risks that threaten today’s businesses, you need to adopt a comprehensive strategy. BlackStratus can help by providing state-of-the-art cybersecurity solutions. We offer three cybersecurity products — CYBERShark, LOGStorm and SIEMStorm:
- CYBERShark is a 24/7 managed security solution that enables you to build a SOC-as-a-service business without having to invest in expensive infrastructure. It provides managed security, log capture and management and regulatory compliance in a single, integrated tool.
- LOGStorm combines log management, real-time event log correlation and log monitoring and an incident response system into one powerful, flexible and cost-effective tool. It provides a reliable way to collect, store and report on security event data.
- SIEMStorm provides flexible threat visualization, migration tools across multi-tenant environments and reporting tools for various compliance standards. This premier network security solution is easy to set up and integrate with your existing network and security hardware.
To protect your data, you need strong passwords and secure password practices. You also need more than just one layer of protection. Today’s threat environment demands comprehensive, advanced security solutions like those from BlackStratus. To learn more about how we can help you protect your network and data, contact us today.
- Importance of Cybersecurity Awareness Training for Your Employees
- Data Protection for Businesses With Freelancers
- 5 Impacts a Data Breach Has on Your Business
- Breach Discovery: How Long Does Detection Take?