Let’s talk passwords
Secure your data to the best of your abilities…
TL;DR:
Length > Complexity when coming up with a password
Use a password manager
Choose a unique password
There’s a lot of information and misinformation going around about passwords. In fact, creating strong passwords is pretty simple and straightforward. In this post I’ll try to wade through the BS so you can feel more at ease keeping your data safe on any platform.
Before moving forward, I have to add that a lot of these guidelines can be found online on the NIST website. I am going to do my best to remain completely objective so that end users walk away with solid support for their data protection journey.
Let’s start by looking at a cartoon:
This cartoon sort of encapsulates the bulk of password security. We can begin breaking the comic down. But, first…
How it WAS
How it used to go was this: the IT team would set some guidelines for a business or team. Everyone had to have a password of N characters, consisting of alphanumeric characters and at least one symbol. On top of that, the passwords expired after 60/90 days. Seems secure, right? If the target is always moving, then it’s tough to hit? In theory this was great, but one of the biggest vulnerabilities in cybersecurity is the human element.
So you’d set your password (Asdfgh734&) and then, after 60/90 days, you would need to come up with a new ‘random’ password. The problem with this is that humans are pretty bad at picking anything at random. So what usually happens is that the end user chooses a variation of their old password, because they’re just going to have to change it again in 60/90 days.
This method has since fallen out of favor, and for good reason. Humans are lazy, and we have technology that can execute these complex tasks, and it does them well.
Good Password Hygiene
Password hygiene is essentially just a set of guidelines on what you should do to make sure you’re getting the most security out of your passwords. They’re pretty straightforward and don’t require you to be a tech genius. So let’s go over some of them:
1. Length of the password is more important than complexity.
For a long time it was said that long, complex passwords like #`0M’8psdq5<)u:1uOW? were optimal. While such a password can be secure, it introduces a lot of risk because it is not easy to remember, so the end user is at risk of forgetting it (use a password manager). To fix this, passphrases are now recommended. A passphrase is just a series of words (ideally chosen at random) strung together. Passphrases provide both entropy and length. Complex passwords like the example above, unless stored in a password manager, will most likely be written down by the end user. But a passphrase can be remembered, as it’s just a series of random words.
2. Use a password manager.
Instead of trying to remember or write down multiple complex passwords, you can consolidate them and only need to remember one master password. Password managers offer that functionality and then some. Almost all password managers offer the same services: encrypted storage of all passwords using SHA-256, random password/passphrase generation, and the ability to autofill in most popular browsers via extensions/add-ons.
3. Use unique passwords.
Using long passwords and passphrases really does not matter if you are using common words. Dictionary attacks are a common way hackers access sensitive data of unsuspecting victims. This works by trying common permutations of passwords and passphrases. Qwerty123! would pass a lot of password-requirement tests, but odds are that it’s already in a list of leaked passwords, so any hacker worth their salt will knock it down in a few minutes (maybe seconds). Also, avoid using ANY personal data when building a password/passphrase; anything that can be tied back to you can and will be included in the dictionary attack.
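To make the three guidelines concrete, here is an added Python example (my own code, not from the post). It puts numbers on “length beats complexity” by computing the entropy of a random printable-ASCII password against a diceware-style passphrase, generates a passphrase with a cryptographically secure random source the way a password manager does, and screens a candidate password the way a policy check should: against a leaked-password list (after undoing the usual leet and trailing-digit dressing) and against personal terms. Assumptions: a 94-character printable pool, the 7776-word standard diceware list size, a 12-character minimum, a guess rate passed in by the caller, and a short constructed word list and constructed “leaked” list standing in for the real thing.

```python
import math
import re
import secrets

# --- Guideline 1: length beats complexity ----------------------------------
# Entropy of a secret built from `length` independent, uniformly random picks
# out of `pool_size` options. A passphrase wins because each word is one pick
# from a large pool, not because its characters are exotic.
PRINTABLE_ASCII = 94    # letters, digits and keyboard symbols (assumption)
DICEWARE_SIZE = 7776    # size of the standard diceware list (assumption: that list is used)


def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy for `length` uniform picks from a pool of `pool_size`."""
    return length * math.log2(pool_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every possibility; the guess rate is the caller's assumption."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


# --- Guideline 2: let software pick at random -------------------------------
# Constructed sample word list; a real manager or diceware list has thousands.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "orbit", "velvet",
                "candle", "meadow", "granite", "lantern", "pepper", "tundra"]


def generate_passphrase(words, n_words: int, sep: str = " ") -> str:
    """Pick words with the CSPRNG in `secrets` (never `random`) for anything secret."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


# --- Guideline 3: reject anything a dictionary attack would try first ---------
# Constructed stand-in for a real breach-corpus list.
LEAKED = {"qwerty123", "password", "letmein", "iloveyou", "dragon", "welcome"}
MIN_LENGTH = 12         # assumption: a policy value, not one the post states
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                        "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(candidate: str) -> str:
    """Collapse the tricks used to dress up a dictionary word: case,
    leading/trailing digits or symbols, and leet substitutions."""
    base = candidate.lower()
    base = re.sub(r"[^a-z]+$", "", base)   # drop trailing "123!" style suffixes
    base = re.sub(r"^[^a-z]+", "", base)   # drop leading symbols/digits
    return base.translate(UNLEET)


LEAKED_NORMALIZED = {normalize(p) for p in LEAKED}


def screen_password(candidate: str, personal_terms=()) -> list:
    """Return policy failures ("too_short", "leaked", "personal"); [] means accepted."""
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append("too_short")
    if candidate.lower() in LEAKED or normalize(candidate) in LEAKED_NORMALIZED:
        failures.append("leaked")
    lowered = candidate.lower()
    if any(t.lower() in lowered for t in personal_terms if len(t) >= 3):
        failures.append("personal")
    return failures


if __name__ == "__main__":
    print("10 random printable chars:", round(entropy_bits(PRINTABLE_ASCII, 10), 1), "bits")
    print("6 diceware words:         ", round(entropy_bits(DICEWARE_SIZE, 6), 1), "bits")
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS, 6))
    for pw in ["Qwerty123!", "P@ssw0rd2024", "correct horse battery staple"]:
        print(f"{pw!r}: {screen_password(pw, personal_terms=('Smith', '1989')) or 'OK'}")
```

Ten random printable characters come to about 65.5 bits, while six random diceware words come to about 77.5 bits and are far easier to remember. The screening step is deliberately forgiving of surface decoration: “P@ssw0rd2024” normalizes to “password” and is rejected, which is exactly the permutation a dictionary attack would try first.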
In conclusion, following the guidelines laid out by professionals will ensure that your personal data remains safe. In later articles we will discuss how to further strengthen your cyber fortress using things like MFA (multi-factor authentication), compartmentalization, etc.