We are all familiar with passwords: a combination of letters, numbers and symbols, typically annoying to type in, that grants access to your account when entered in the correct sequence. It's a simple premise, but passwords are compromised all the time. Without the right strategy for creating, storing and updating passwords, it's only a matter of when, not if, a password for a service important to you or your business is compromised too.
Avoiding this fate is simple:
- Make your passwords as long as possible. Make them as long as the website will let you.
- Don’t use the same password anywhere else. One website, one password. No exceptions.
- Use a password manager to help make passwords, keep them safe and access them on all your devices.
Easy! End of blog really. But if you’d like more detail and explanations for why this is the current advice, read on.
A Long Password Is A Good Password
8 characters, upper case, lower case, a number, a special character, a headstand and two sacrifices to the password God used to be (and still is in some places) the requirement for new passwords. The goal was to add in as many weird characters as possible to avoid the easy guessing of a password by a hacker and they were a pain in the arse to comply with.
The USA's National Institute of Standards and Technology (NIST) recognises our pain in SP 800-63B, the US federal government's digital identity guidelines, stating "these rules provide less benefit than might be expected because users tend to use predictable methods for satisfying these requirements when imposed". The more difficult it is to make a password, the more predictable (i.e. easy to guess) people make their passwords. Taking NIST's recommendation, a longer but easier to remember password is better than a shorter but complicated one.
However, NIST doesn't recommend a particular length. Its advice is simply that user-chosen passwords be "at least 8 characters in length", while the services storing them should accept passwords of at least 64 characters and allow any printable character, spaces included. But are 8 characters enough? To answer that question, you need to understand a little about how passwords are stored on a computer.
Your password is kept in a big list with everyone else's in a database or file. Ideally the service never stores your actual password. Instead it runs the password through a one-way function called a "hash" and stores only the result, usually mixed with a random per-user value called a "salt" so that two people with the same password end up with different results. If anyone steals the database, they can't simply open it up and read everyone's passwords; they have to guess a password, hash the guess and see whether it matches. You don't need to understand the maths, but hashes have names like MD5, SHA-1, SHA-2 and SHA-3, which are general-purpose and fast, and bcrypt, which was designed for passwords and is deliberately slow, should you ever come across these terms.
Modern computers excel at this guessing game, a technique called "brute force". As the name implies, they throw all the computer's power at hashing guess after guess until one matches the stolen hash. It's like attempting to find someone's phone number by calling every single combination of digits starting with 0000-000-000, then 0000-000-001, 0000-000-002, 0000-000-003 and so on until you get the number you're looking for.
To put into perspective how quick computers are at brute forcing passwords, if your 8-character password with uppercase and lowercase letters (an uppercase A is a different letter to a computer than a lowercase a) is hashed using the weak but still used MD5 method, it'll be chewed up and spat out by a basic computer, not even a powerful one, in just 22 minutes. With the stronger bcrypt hashing method, on the most powerful computer available outside of a research lab, the same 8-character password takes around 2 years. Visit https://www.security.org/how-secure-is-my-password/ and pop in some text; it will estimate how long it would take to crack. Use made-up text, though: never type a real password into a website you don't control.
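To see the difference a slow hash makes for yourself, here is an added example in Python (not code from the original post) that brute-forces a deliberately tiny password against an unsalted MD5 hash and against a salted, slow hash, then extrapolates the measured cost per guess to the 8-character mixed-case case. PBKDF2 from the standard library stands in for bcrypt, which needs a third-party module; the salt and the passwords are constructed for the demonstration.

```python
import hashlib
import itertools
import string
import time
from typing import Callable, Optional

# Lower-case letters only and very short passwords so the demonstration finishes
# in seconds. Real passwords draw on at least 52 characters (upper and lower case).
ALPHABET = string.ascii_lowercase
SECONDS_PER_YEAR = 365 * 24 * 3600


def md5_hash(password: str) -> bytes:
    """Fast, unsalted MD5: what a legacy system might store. Never use it for passwords."""
    return hashlib.md5(password.encode()).digest()


def slow_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, deliberately slow PBKDF2-HMAC-SHA256 from the standard library.

    A stand-in for bcrypt (a third-party module); the idea is the same: a cost
    parameter makes every guess expensive for the attacker as well as for you.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def brute_force(target: bytes, length: int, hash_fn: Callable[[str], bytes]) -> Optional[str]:
    """Hash every candidate of the given length until one matches the stolen hash."""
    for candidate in itertools.product(ALPHABET, repeat=length):
        guess = "".join(candidate)
        if hash_fn(guess) == target:
            return guess
    return None


def seconds_per_guess(hash_fn: Callable[[str], bytes], samples: int = 100) -> float:
    """Measure how long one guess costs on this machine with this hash."""
    start = time.perf_counter()
    for i in range(samples):
        hash_fn(f"guess{i}")
    return (time.perf_counter() - start) / samples


def years_to_exhaust(cost_per_guess: float, alphabet_size: int, length: int) -> float:
    """Worst-case time to try every password of this length at this cost per guess."""
    return cost_per_guess * (alphabet_size ** length) / SECONDS_PER_YEAR


if __name__ == "__main__":
    salt = b"constructed-salt"  # a real system draws a fresh random salt per user
    stolen_md5 = md5_hash("dog")
    print("recovered from MD5:", brute_force(stolen_md5, 3, md5_hash))

    cheap = seconds_per_guess(md5_hash)
    costly = seconds_per_guess(lambda p: slow_hash(p, salt, 100_000), samples=10)
    print(f"MD5 guess: {cheap * 1e6:.1f} us, PBKDF2(100k) guess: {costly * 1e3:.1f} ms, "
          f"ratio {costly / cheap:,.0f}x")

    # Single-threaded Python is a poor cracking rig; a GPU hashes MD5 thousands of
    # times faster, which is exactly why the slow hash's cost factor matters.
    for name, cost in (("MD5", cheap), ("PBKDF2", costly)):
        print(f"{name}: 8 mixed-case letters exhausted in {years_to_exhaust(cost, 52, 8):.2g} years")
```

The absolute figures depend on your machine. What matters is the ratio between the two hashes: an attacker's graphics card shrinks the MD5 number by orders of magnitude, while a slow hash's cost factor scales its number up by the same amount.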
So, 8 characters is enough, yeah? No! How do you know the system your password is stored on is using modern hashing techniques? Apple, Microsoft and Google are probably using the latest and greatest security methods, but is your supplier, who you have no choice but to trust, stuck in the past? Computers are also getting faster every few months, and new techniques for password cracking appear regularly. It might take 2 years to crank out a password now, but that could drop to weeks or days in just a year or two.
Because of all these unknowns, the best advice is to make your password as long as the website or application allows. The longer the password is, the harder it is for a person or a computer to guess, and the more future-proof it is against hackers who steal password databases now and figure out how to crack them later.
Every Password Is Special
Having an incredibly long password is good and all, but if you use that password everywhere you're increasing the chances of it getting discovered. It only takes one poorly secured website or application to get compromised and suddenly, every single place you've used that password is vulnerable.
A hacking technique called "credential stuffing" uses automated tools to try a username and password stolen from one source on other websites and apps. Hackers just let a computer rip, trying the credentials they stole from one site on every other site they can think of.
Imagine you used the same password for Gmail as for Facebook, and you are unfortunately phished for your Gmail password via a very convincing email warning of account closure if you don't respond. The hacker then tries the Gmail password they just stole on Facebook and now has access to both. A minor inconvenience is now a colossal headache.
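What credential stuffing looks like from the defender's side, as an added example that is not part of the original post: a small Python detector run over a constructed authentication log. The log format, IP addresses and accounts are made up for the demonstration. The tell-tale pattern is one source trying many different accounts with a high failure rate, because the tool has one stolen password per user and most of them won't work here.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed authentication log (not real traffic). One source, 203.0.113.5,
# tries eight different accounts once each and gets into one of them; a genuine
# user at 198.51.100.7 mistypes their own password twice before succeeding.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
2024-03-01T10:00:01Z ip=203.0.113.5 user=bob@example.com result=FAIL
2024-03-01T10:00:02Z ip=203.0.113.5 user=carol@example.com result=OK
2024-03-01T10:00:02Z ip=203.0.113.5 user=dan@example.com result=FAIL
2024-03-01T10:00:03Z ip=203.0.113.5 user=erin@example.com result=FAIL
2024-03-01T10:00:03Z ip=203.0.113.5 user=frank@example.com result=FAIL
2024-03-01T10:00:04Z ip=203.0.113.5 user=grace@example.com result=FAIL
2024-03-01T10:00:04Z ip=203.0.113.5 user=heidi@example.com result=FAIL
2024-03-01T10:00:09Z ip=198.51.100.7 user=alice@example.com result=FAIL
2024-03-01T10:00:15Z ip=198.51.100.7 user=alice@example.com result=FAIL
2024-03-01T10:00:21Z ip=198.51.100.7 user=alice@example.com result=OK
2024-03-01T10:01:00Z ip=192.0.2.44 user=dan@example.com result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text: str) -> List[dict]:
    """Turn the log into dicts; lines that don't match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_stuffing_sources(events: List[dict], min_users: int = 5,
                          min_fail_ratio: float = 0.8) -> Dict[str, dict]:
    """Flag source IPs that behave like a credential-stuffing tool.

    Many distinct usernames from one source plus a high failure rate. A real
    user failing on their own account, or a brute-force attack hammering a
    single account, does not match because both involve one username.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set(), "ok": []})
    for ev in events:
        s = per_ip[ev["ip"]]
        s["attempts"] += 1
        s["users"].add(ev["user"])
        if ev["result"] == "FAIL":
            s["fails"] += 1
        else:
            s["ok"].append(ev["user"])

    flagged = {}
    for ip, s in per_ip.items():
        fail_ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = {
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "fail_ratio": fail_ratio,
                # Successful logins from a stuffing source are the accounts to
                # lock and force a password reset on: the password was reused.
                "compromised": sorted(s["ok"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

In practice the thresholds are tuned per site and the grouping key is often broader than a single IP (attackers spread attempts across proxies), but the successful login from a flagged source is the part to act on: that account's password is known to the attacker.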
Hackers share and sell their loot with other hackers. By combining their data, they can cross-match a user across the various websites and businesses involved in data breaches. The businesses operating these services should really tell you they've been breached and prompt you to change your password, but often they don't even know they've been breached, or if they do, try to keep it secret.
You can check if your account has been exposed via a free website called Have I Been Pwned. Enter your email address and it will tell you if you're involved in a data breach. If so, you can change your passwords before any damage is done. Provide your email address to Have I Been Pwned ahead of time, and they'll notify you if there's a fresh data breach your email address appears in. It’s a very useful and free service!
The easiest way to avoid all this drama is to give every new service you register for its own unique password. Don't be lazy and reuse one from somewhere else. A unique and long password, every, damn, time.
Regular Password Rotation Not Required
Unlike the tyres on your car, you no longer need to rotate your password regularly. Changing a password every 30/90/120 days used to be common advice and made mandatory by many software products, but the USA's National Institute of Standards and Technology (NIST) and Microsoft, no longer recommend this task many of us begrudgingly did every few weeks.
Microsoft provides the following sage advice: "Password expiration requirements do more harm than good, because these requirements make users select predictable passwords, composed of sequential words and numbers that are closely related to each other. In these cases, the next password can be predicted based on the previous password. Password expiration requirements offer no containment benefits because cybercriminals almost always use credentials as soon as they compromise them". Couldn't have said it better, thanks Microsoft.
Should passwords ever be changed? Yes, there are times when a password change is worth it. If there's even the slightest hint that a password has been compromised (suspicious activity on an account, a vendor tells you they've been breached, etc.), change it, and change it promptly, since stolen credentials tend to be used quickly. If a hacker does manage to crack the stolen password hashes, the fruits of their labour will be useless because the password is now different.
Fingers, Faces, Voices and Eyes Can Be Passwords Too
Sometimes passwords are not words but what nerds in the industry call "biometrics": measurements of your body. Some examples of biometrics include:
- Fingerprints
- Voice matching
- Palm prints
- Facial recognition
- Retina scan
Biometrics are gaining popularity because the hardware required to capture this information is more accurate and cheaper than ever, plus, unlike a password, it's difficult (but not impossible!) to forget your own face or fingers. While they can be used as passwords alone, the most common use for biometrics is in conjunction with your existing password as a multi-factor authentication method, or as a shortcut to speed up access to lower-security areas, with a password required for access to important features.
We will cover biometrics in more detail in another blog, but it's important to know that biometrics, as convenient as they are, can put sensitive information at risk and are not recommended as the sole method of securing a device or account. Relatively simple attacks using high-resolution images, audio recordings, latex gloves and even masks can fool the basic sensors found on most consumer-level devices, and unlike a leaked password, you can't change your face or fingerprint afterwards. These attacks may be easier for a hacker to carry out than guessing a strong, unique password.
A Password Manager Is Essential
If you're following this blog’s advice you should have a whole heap of super long unique passwords. Keeping them in a document on your computer, writing them down on a piece of paper, or even worse, a post-it note stuck on your desk is very, very bad. The solution to this problem is a password manager.
Password managers are applications available for desktop, mobile and on the web, designed to generate truly random passwords and store them securely with strong encryption, so nobody else sees them even if they get hold of your device. There are plenty of good options on the market.
They all have cloud functionality that allows easy synchronisation of passwords between your desktop, laptop, smartphone and tablet, automatically making them available any time, anywhere. There's no need to type in your long, complicated passwords by hand each time you log in, as password managers include browser extensions that fill them in for you. They'll also generate super strong passwords for you and store them in one click.
Access to the contents of your password manager is guarded by its own password, called a master password. It should be a strong password because it's the key to all your other passwords, and it needs to be memorable because, unlike your other passwords, you have to type it in manually. The best practice is to create a "passphrase". They're like passwords, but something a human can read and understand, making them easy to remember. The phrase "sniffle-typical-sushi-cranny" is much easier to remember and type than a password like "Wi,3q]gKa", and, as long as the words are picked at random from a large list rather than chosen by you, its length makes it comparably secure; add a fifth word and it pulls ahead.
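An added example in Python (not part of the original post) that generates a passphrase and a random password the way a password manager would, using the secrets module rather than the predictable random module, and works out the strength of each in bits. The toy word list is constructed for the demonstration; 7,776 is the size of a standard Diceware-style list, which is what you would use for real.

```python
import math
import secrets
import string

# Constructed toy word list for the demonstration. Each word contributes
# log2(list size) bits, so a 16-word list gives only 4 bits per word; a real
# Diceware/EFF-style list of 7,776 words gives about 12.9 bits per word.
WORDS = ["sniffle", "typical", "sushi", "cranny", "meadow", "pocket", "glacier",
         "trumpet", "velvet", "cactus", "lantern", "ripple", "saddle", "orbit",
         "fossil", "hammock"]

# Letters, digits and punctuation: the 94 printable ASCII symbols minus space.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_passphrase(words, count: int = 4, sep: str = "-") -> str:
    """Pick `count` words uniformly at random; the separator adds nothing to strength."""
    return sep.join(secrets.choice(words) for _ in range(count))


def generate_password(length: int = 9, alphabet: str = PASSWORD_ALPHABET) -> str:
    """A random password of the kind a manager stores and fills in for you."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Bits of entropy when every symbol is picked uniformly from the same pool.

    This is a property of how the secret was generated, not of how it looks:
    a human-chosen phrase of four words has far fewer than 4 * log2(7776) bits.
    """
    return symbols * math.log2(choices_per_symbol)


def words_needed(target_bits: float, list_size: int) -> int:
    """How many randomly chosen words from a list of this size reach the target."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print("passphrase:", generate_passphrase(WORDS))
    print("password:  ", generate_password())
    print(f"4 words from a 7,776-word list:   {entropy_bits(7776, 4):.1f} bits")
    print(f"9 random printable characters:    {entropy_bits(94, 9):.1f} bits")
    print(f"4 words from this {len(WORDS)}-word toy list: {entropy_bits(len(WORDS), 4):.1f} bits")
    print("words for 64 bits from a 7,776-word list:", words_needed(64, 7776))
```

The numbers are the point: four random words from a 7,776-word list give about 52 bits, nine random printable characters about 59, and a fifth word takes the passphrase to about 65. Either is far beyond anything a human would choose and remember unaided, and the passphrase is the one you can actually type.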
Do not forget your master password, as there's no way to get it back! If there was, it would be a gaping hole for hackers to take advantage of. The popular 1Password password manager, for example, generates an Emergency Kit when you create your account: a printable document with your sign-in address, email address and Secret Key, and a space to write in your master password. They recommend making multiple copies and keeping one in a safe place (where you might keep your passport or birth certificate), keeping a PDF in your personal cloud storage (OneDrive, Google Drive, Dropbox, etc.) and giving one to someone you trust (like a spouse or whoever stores your will). A filled-in kit unlocks everything, so treat each copy with the same care as the passport it sits next to. This is also a good idea for business continuity should you become injured or die.
Apple devices have a built-in password manager called Keychain, and iCloud Keychain synchronises those passwords between your Apple devices. It works best on Apple devices, but Apple does provide a Chrome extension that works with the iCloud app for Windows to get your Keychain passwords into Chrome. Google and Mozilla have built-in password managers in their Chrome and Firefox browsers respectively, but they are fairly basic and lock you in to that specific browser.
Vendor-provided options are easy to use because they're baked in to your device or web browser, but a dedicated password manager like 1Password or LastPass is strongly recommended because it can hold all your passwords and sensitive information (credit cards, verbal passwords for internet banking, etc.), not just those used in a web browser or on a single brand of device. It also keeps your vault separate from your everyday accounts: should someone gain access to your iCloud or Google account, they'd otherwise also have the passwords to every other account, whereas a dedicated manager is protected by its own master password. Vendor track record matters too: LastPass, for example, disclosed in late 2022 that attackers had stolen backups of customers' encrypted vaults, leaving the strength of each customer's master password as the only thing protecting their data.
In a multi-employee business environment, it is recommended to keep personal passwords and work passwords separate. Most password managers allow for different "vaults" to keep passwords apart (e.g. a personal vault and a business vault) and have useful business-centric features when you pay extra for their enterprise/business plans:
- Role-based access to passwords so people only get access to what they need.
- Easy auditing of password quality to meet any professional or legal standards.
- Creation and removal of access to passwords driven by the company-wide employee directory (e.g. SAP or Active Directory), so leavers lose access automatically.
- Single sign-on (SSO) so employees don't have to log in to password manager separately.
That rounds off our blog on Password Management. Feel free to check out our other blogs on the top 5 techniques used to hack your password or must-haves in a personal Password Manager, or call us on 1300 778 078 to discuss how we can help implement a cyber security strategy for your business.