Despite recent advances in authentication technologies, traditional passwords are still the way users log into most services. That’s why it’s so tragic that so many people use terrible passwords. According to a recent analysis, 86% of users use passwords that have already been cracked.
There is so much outdated, misleading, and just plain wrong information about passwords floating around on the Internet that it isn’t surprising so many people choose bad passwords. Yet companies cannot afford to be complacent. With the average security breach now costing companies $3.86 million, you need to cut through the noise and deliver good information about password security to your workforce.
We want to put to rest some of the most persistent falsehoods about passwords and talk about what it takes to come up with strong passwords and practice good password security in 2020.
Want the strongest password and the best password security in 2019? Here's the guide condensed:
Some of that might seem counter-intuitive, but it's backed by facts and based on current best practices. Read on to find out why!
Here are some of the most common misconceptions about passwords:
So what actually does matter? The good news is strong password generation is a lot simpler than most people think. The bad news? A big part of it is completely out of your control.
The most important factor in password safety is how they’re stored.
Passwords should be stored as hashes produced by a strong cryptographic algorithm, never in cleartext. If passwords aren’t hashed, then the only thing protecting them is the company’s ability not to be breached in the first place. (Which, if they are still storing passwords in cleartext, is not something users should have confidence in.)
There are techniques that security-conscious companies use to make a stored password harder to crack. Chief among these is a cryptographic salt. A salt is a random string of characters combined with your cleartext password before it is run through the hashing algorithm, so the value actually being hashed is longer than, and different from, the password itself. A good salt makes most passwords harder to recover, because it defeats the shortcuts attackers rely on, such as dictionary attacks and pre-generated rainbow tables.
Not all salts are created equal. The weakest technique, but also the most easily implemented, is to use the same salt for every password. While this does offer some protection, the problem is that a given password will produce the same hash every time. This makes it easy to reverse engineer the salt. Once attackers have the salt, they can use it to build a custom rainbow table that will easily crack the passwords in that database.
A more secure method is to use a different random salt for each password, but this makes hashed password generation more difficult, which is why some organizations don’t use this method. Unfortunately, it’s impossible to tell from the outside how a service stores passwords, so it’s hard to make an informed decision about this.
There is a lot more to this topic, and we don’t have room to get into the nuts and bolts of secure password storage here. If you happen to be in charge of security at a company and you want to do a good job of storing your users’ passwords, the Open Web Application Security Project Password Storage Cheat Sheet is a good place to start.
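As an added illustration (not code from the original article), here is what the per-password salt described above looks like in practice, using the scrypt function from Python's standard library, next to the weak site-wide-salt scheme. The work-factor values, the site-wide salt and the sample accounts are constructed for the demonstration:

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# scrypt work factors: assumed values for illustration, not a recommendation.
# Tune them to current guidance (e.g. the OWASP Password Storage Cheat Sheet).
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def _scrypt(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


def hash_password(password: str, salt: Optional[bytes] = None) -> Dict[str, bytes]:
    """Store a password as {salt, hash} with a fresh random 16-byte salt.

    Because the salt is drawn from os.urandom per user, two accounts with the
    same password end up with different stored hashes.
    """
    if salt is None:
        salt = os.urandom(16)
    return {"salt": salt, "hash": _scrypt(password, salt)}


def verify_password(password: str, record: Dict[str, bytes]) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(_scrypt(password, record["salt"]), record["hash"])


# The weak scheme the article warns about: one site-wide salt for everyone.
GLOBAL_SALT = b"constructed-site-wide-salt"  # constructed value


def hash_with_global_salt(password: str) -> bytes:
    return _scrypt(password, GLOBAL_SALT)


def shared_hash_groups(stored: Dict[str, bytes]) -> List[List[str]]:
    """Group usernames whose stored hashes are byte-for-byte identical.

    With per-user salts this is empty; with a global salt it exposes every set
    of users who picked the same password before a single guess is made, and a
    table built for that one salt cracks all of them at once.
    """
    by_hash: Dict[bytes, List[str]] = {}
    for user, digest in stored.items():
        by_hash.setdefault(digest, []).append(user)
    return sorted(group for group in by_hash.values() if len(group) > 1)


if __name__ == "__main__":
    # Constructed sample accounts; two users chose the same password.
    users = {"alice": "correct horse battery", "bob": "Tr0ub4dor&3",
             "carol": "correct horse battery"}

    per_user = {u: hash_password(p)["hash"] for u, p in users.items()}
    global_salted = {u: hash_with_global_salt(p) for u, p in users.items()}

    print("per-user salt, duplicate groups:", shared_hash_groups(per_user))      # []
    print("global salt, duplicate groups:  ", shared_hash_groups(global_salted))  # [['alice', 'carol']]

    record = hash_password(users["alice"])
    print(verify_password("correct horse battery", record),
          verify_password("wrong", record))  # True False
```

The point of `shared_hash_groups` is that with a global salt the database leaks information on its own: identical hashes mean identical passwords, and one precomputed table serves the whole user base. With a per-user salt every hash has to be attacked individually.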
If you aren’t in charge of password storage, here’s the main thing you need to know:
Password difficulty scales exponentially with each additional character. This means that it doesn’t take many extra characters to make a dramatic difference in your security.
For example, a password that is nine characters long will take about two hours to brute force on average with modern computing resources. Adding just a single character to this password length increases the time to brute force to one week, everything else being equal. By the time you get to 12 characters, it should be able to withstand an attack for about 2 centuries.
So how long is long enough? It depends on your level of paranoia, but in a well-encrypted and properly-salted database, ten characters are likely enough to defeat a majority of attackers. If you’re using a password manager (more about this later), there’s also no drawback to using an even longer password.
As we saw earlier, an exposed password will be used to attempt to get into all your accounts. That means password reuse is always a bad idea, because in the event of a breach it will be necessary to change the password everywhere it was used (if you can even remember everywhere you used it). If every password is unique, then there’s only ever one password that needs to be changed.
However, you shouldn’t use anyone else’s password either. Passwords that get stolen during a data breach will often be released publicly once the hacker is done with them. So they’ll eventually get added in one of the common dictionary lists that hackers use to streamline password cracking attacks.
This means you should avoid using any of the most common passwords, alone or in combination. It also means you should be wary about using a phrase that you’ve seen in print somewhere, like a Bible verse or a quote from your favorite athlete. Although this is easily remembered and will likely get you to the right length, there’s a greater chance that somebody else has already used this password and burned it.
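To make the length and reuse points concrete, here is an added example (not from the article) of the acceptance check a site or a password manager could run on a candidate password: it estimates the keyspace from the character classes used, converts that into an average brute-force time at an assumed guess rate, and rejects anything on a deny list of known-cracked passwords, including common words with digits or symbols tacked on. The deny list and the guess rate are constructed for the demonstration, so the times printed will not match the article's figures, but the multiplication per extra character is the same.

```python
import secrets
import string
from typing import List

# Constructed deny list standing in for a breach-derived dictionary; a real
# deployment loads a large corpus or queries a breached-password service.
COMMON_PASSWORDS = {"123456", "password", "letmein", "qwerty", "iloveyou", "welcome"}

# Assumed attacker speed (guesses per second) against a fast, unsalted hash.
# This is an assumption for illustration, not a measured figure.
ASSUMED_GUESSES_PER_SECOND = 1e10

CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)


def alphabet_size(password: str) -> int:
    """Size of the smallest class-based alphabet that covers the password."""
    size = sum(len(cls) for cls in CHARACTER_CLASSES if any(c in cls for c in password))
    covered = "".join(CHARACTER_CLASSES)
    if any(c not in covered for c in password):  # spaces, non-ASCII, ...
        size += 1
    return size


def keyspace(password: str) -> int:
    """Candidates an exhaustive search over that alphabet must cover.
    Each extra character multiplies this by the alphabet size."""
    return alphabet_size(password) ** len(password)


def average_crack_seconds(password: str, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    # On average the right guess turns up halfway through the keyspace.
    return keyspace(password) / 2 / rate


def human_duration(seconds: float) -> str:
    for unit, size in (("centuries", 3_153_600_000), ("years", 31_536_000),
                       ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def _base_word(password: str) -> str:
    # "letmein2019!" -> "letmein": cracking tools try common words with digits
    # or symbols bolted on, so strip them before the deny-list lookup.
    return password.lower().rstrip(string.digits + string.punctuation)


def check_password(password: str, min_length: int = 10) -> List[str]:
    """Return the policy violations for a password; an empty list means accept."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    elif _base_word(password) in COMMON_PASSWORDS:
        problems.append("common password with digits or symbols appended")
    return problems


def generate_password(length: int = 16) -> str:
    """Random password over all four classes, as a password manager would produce."""
    alphabet = "".join(CHARACTER_CLASSES)
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ("letmein", "Letmein2019!", "a" * 9, "a" * 10, "a" * 12, generate_password()):
        verdict = check_password(pw) or ["ok"]
        print(f"{pw!r:22} {alphabet_size(pw):3}^{len(pw):<3} "
              f"avg crack {human_duration(average_crack_seconds(pw)):>16}  {verdict}")
```

Running the script shows the three lowercase-only passwords growing by a factor of 26 per character, and `Letmein2019!` being rejected despite its length, mixed classes and symbol, because it is a dictionary word with the usual decorations.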
To recap, the ideal password is at least ten characters long, stored securely, and completely unique. Easy, right?
Well, okay, not really. That probably still seems more inconvenient than using “letmein” for everything, and it is—if you try to do it on your own.
Fortunately, there are now many techniques and technology products to help you strengthen your password security. In fact, if you use them right, having good security practices can actually be easier than doing it the wrong way.
There are a number of password managers on the market, and they all work about the same. Password managers allow you to have one really strong password used to unlock a well-encrypted password vault that stores random, strong passwords for the rest of your accounts, rather than having to create and remember them all on your own. This makes it really easy to have a secure, unique password, and also ensures that if you do get breached, you only have to make one change. Some password managers will even alert you whenever there’s a breach at a service that you use. Handy!
You might be thinking that using a password manager means creating a security bottleneck. If attackers can compromise the password manager, then they will have access to all of your passwords. This is true, but it also misses the point.
Unlike many of the services you trust with your password, you can have at least some expectation that a password manager is doing everything right to protect you, including following best practices for password storage and encryption.
As long as you follow the recommendations for establishing a strong master password, your risk exposure is minimal. And you will certainly be safer than you would be without a password manager, if the alternative means reusing passwords or resorting to shortcuts.
Two-factor authentication is a great supplement to passwords. By requiring a one-time PIN in addition to your password, 2FA adds another step to the process of compromising your account. While there are some ways to bypass 2FA, they’re not techniques that can easily be automated. This means that any level of 2FA is going to rule out all but those attackers that are targeting you specifically, which is a much smaller pool of potential attackers.
It’s important to remember that 2FA does not make your password invincible, however. You’re still quite vulnerable to phishing campaigns and social engineering attacks.
In particular, you should be wary of text message-based 2FA, which is still the most widely supported type. While it is far better than nothing, it can be bypassed through SIM hijacking, an increasingly common type of attack.
App-based 2FA solutions such as Google Authenticator or Microsoft Authenticator protect against these attacks, so they should be your go-to for any service that supports them. Some password managers like 1Password will even do 2FA for you, letting you keep everything in one place and making it easier to change phones without disruption.
The strongest form of 2FA is hardware-based, such as a Yubikey, which requires a physical token to be present to authenticate the user. This may feel like overkill for most users and use cases.
One often overlooked weakness in many password setups is the set of security questions used to reset forgotten passwords. The answers to these questions tend to be short and not very complex, making them vulnerable to brute-force attacks. Yet many attackers won’t need to resort to brute force, because this information is often guessable from information about you that is publicly available online. The name of your first school or your first pet might have been private when companies first started adopting these security questions in the 70s. In the age of Google and oversharing on social media, it’s no longer a safe bet.
Rather than answering honestly, you should treat these questions as secondary passwords and generate strong, unique strings for them that you store in your password manager. It may seem odd to say that your father’s middle name is R-qM5\f#..^bSp+g, but it will prevent hackers from exploiting a password reset vulnerability to steal your account. If you’re using a password manager, you likely will not need to use these security questions anyway.
While security is complicated and the Internet is a scary, dangerous place, it turns out that password security is actually pretty simple. If you use a password manager, use a unique, ten-character-minimum password for every account, turn on 2FA, and treat password reset questions as secondary passwords, you’ll be far ahead of the game.