Strong Passwords

Guide to Strong Passwords in 2019

In this wonderful technology-centric world that we live in where there is an app for everything, passwords are still how we log in everywhere we go.  Keeping those passwords secure should be a priority if we want to keep the bad guys out of our data.  With that in mind, here is our guide to strong passwords in 2019.

Scary Statistics

Did you know that as many as 86% of users use passwords that have already been cracked?  Recent analysis indicates that to be the case.  This stems from bad password hygiene and reusing of the same passwords across multiple accounts.  When users use the same password for everything, a single breach gives hackers access to all their accounts.

The cost of a breach is escalating as well.  IBM reports that the cost of a data breach in 2019 is 3.92 Million dollars.  There has never been a greater need for security, and passwords are a great place to start.

How can I know if someone has my password?

If such a large percentage of passwords have already been compromised how can I know if mine are safe?  One great resource is https://haveibeenpwned.com/.  This is a website that has been created by security expert Troy Hunt to serve the public.  It essentially aggregates the data of all the major breaches that have happened in the last few years and gives users the ability to simply input their email address and see if they’ve been breached.

This can be a great place to start.  If you see that a password you’ve used has been breached, you should act immediately to reset it.  You should also look across all the accounts to see if that password has been used anywhere else.  Best practices dictate that you don’t reuse passwords, but our experience indicates that users frequently use the same passwords across all accounts.  Check this out and make the changes immediately.

Password Myths

There are several myths about passwords and how to make a strong password that have been perpetuated over the years.  I’ll try to correct a some of them here.

  1. Strong passwords need to have high complexity with letters, numbers and special characters

This is one of the most common and persistent myths about creating a strong password.  The idea has been reinforced over the years by various organizations that have password complexity requirements.

Like most myths it does have a grain of truth to it.  It is true that additional password complexity in the form of numbers and special characters does make a password stronger.  However, the gains from this is minimal.

The complexity requirements can cause issues with some users as well.  The difficulty of remembering complex passwords with special characters makes some users resort to insecure methods of password storage such as sticky notes on monitors.  This type of “password storage” negates any advantages that the password complexity requirements may have added.

NIST (The National Institute of Standards and Technology) released some guidelines for passwords best practices recently and actually recommend against enforcing password complexity at a network level.

  1. Passwords must be reset every 3 months

This one has been around for a while as well.  Many companies have policies that make their users change password every few months.  While this may seem like a great idea on the surface as it would limit the damage of a cracked password, most password exploits happen immediately.  This makes a change every 3 months moot.

In addition, this practice can cause users to make lousy passwords.  Since it’s too hard to remember a new password every few months they resort to making iterations of the same password by simply adding a number to the end or something similar.  This caused NIST to get rid of the recommendation to reset passwords frequently in their best practices.

Making Strong Passwords

Sometimes size does matter.  Passwords are a good example.  Since most password attacks are brute force (meaning they have a program that tries every possible combination of letters and numbers) the more characters you have in your password the harder it is to crack.  In fact, the difficulty will grow exponentially with more characters.

If you take this into practical usage the idea of a passphrase comes to light.  Using a simple phrase with no complexity but a longer length can be a practical way to create a memorable strong password.  Typically, this would be a combination of several words of at least 12 characters in length.

A password with 9 characters will typically take about two hours to brute force crack.  A 12-character password can bump that figure up to 200 years.  Longer is better.

In addition to length watch out for common passwords such as password, 123456, iloveyou, etc. and seek to make your password unique.  Avoid common phrases or well know quotations.  It’s also a good idea to avoid using personal information such as address, social security number, or any combination of such as your password.  This can not only make it easier to crack your password, but potentially give the bad guys additional valuable information about you.

How to Check Password Strength

A great resource we’ve found that helps you verify that your password will get the job done is How Secure is my Password.  This allows you to simply type in a potential password, and it will indicate strength in the time it would take a brute force attack to crack it.  Check out that resource to make sure that your password is up to snuff.

2 Factor Authentication

Two factor authentication can add to the security of your strong passwords, and we recommend using it whenever possible.  There are a couple forms that you will see.

One of the most common is a text with a code to your cell phone.  You then put the code into your login to gain access.  This is better than just a password and can add a layer of security.

An even better method is to use an application on your phone such as Google or Microsoft authenticator apps.  These applications provide a rotating code that refreshes every 30 seconds.  They also add protection against SIM hijacking that you don’t get with text verification.

2FA is a great tool in any form and we recommend using it whenever possible.

In Summary

The guys at fleetsmith put together an amazing comprehensive guide on strong passwords.  Here is their summary of the recommendations we’ve been through.  Please check them out if you want additional detail on anything mentioned here.  Here is their condensed guide:

  • How long should my password be? 10 characters long, minimum, but make it as long as possible. Length is the most important factor to strength.
  • Does my password need special characters to be strong? Nope.
  • Does my password need numbers to be strong? Nope.
  • What about switching numbers for letters(1337 speak)? This does nothing.
  • How often should I change my password? Only change it if you think it’s been compromised. Never force users to rotate passwords, this actually lowers security.
  • Can I use the same password on multiple sites? Absolutely not. Every service should have its own unique password so that you don’t have to change all of them when (not if) they get breached.
  • How can I remember my password? Don’t try to remember your passwords, use a password manager. If you don’t want to, write it down. If you have to make a long, memorable password, use the diceware method. But never reuse a password.
  • What about two-factor authentication? Always turn on 2FA if it’s an option. Use the strongest 2FA method you can. A text message is weaker than an authenticator app is weaker than hardware-based authentication. Never give a service your phone number if you can help it.
  • What about password recovery questions? Don’t give honest answers to these. For maximum security, generate a secondary random password for each question and store it in your password manager.

We’re here to Help

As always, the team at i.t.NOW stands ready to help.  Feel free to reach out to us with any of your network security questions, and we can help with professional recommendations on how to keep your data safe.