The Only Password Advice You Need
This blog pist was updated on Jun 14, 2024
It was originally published on Jan 1, 2023
In this blog post, we take a closer look at passwords, discussing common password advice that is wrong, how they have evolved over time, password best practices, and what the future of passwords looks like.
Common Password Advice That Is Wrong
One of the common password-related frustrations that all employees suffer is having to change passwords regularly. To add further to the frustration, you aren’t allowed to use older passwords and are forced to create weird words that include special characters and numbers. And employees are expected to do this for dozens of accounts and applications.
However, many experts now believe that there’s no reason for passwords to expire. A strong password doesn’t suddenly become hackable after an arbitrary period of time. So people don’t need to be asked to change passwords unless their account has been compromised.
Another piece of password advice that experts believe to be wrong is the belief that complex passwords are more secure. New recommendations from the National Institute of Standards and Technology (NIST) encourage the use of “long, easy-to-remember phrases”, or passphrases.
Let’s also take a look at some of the commonly accepted password best practices
Common Password Best Practices
Here are some password best practices that can help you create strong and secure passwords:
Use a long password:
The longer the password, the stronger it is. A password should be at least 8 characters long, but ideally, it should be longer.
Use a mix of upper and lowercase letters, numbers, and symbols:
Using a mix of different characters makes your password more difficult to guess.
Avoid using easily guessable information:
Don't use personal information (such as your name, birth date, or address) or commonly used words in your password.
Don't use the same password for multiple accounts:
If a hacker is able to guess or obtain one of your passwords, using the same password for multiple accounts gives them access to all of those accounts.
Use a password manager:
A password manager is a tool that helps you generate and store strong, unique passwords for all of your online accounts. This way, you only need to remember one master password to access all of your other passwords.
Enable two-factor authentication (2FA):
In addition to a password, 2FA adds an extra layer of security by requiring you to enter a code that is sent to your phone or email. This makes it much more difficult for a hacker to gain access to your account, even if they have your password.
But what led to the adoption of these as best practices? To understand this, we’ll need to look at how passwords have evolved over the years.
Evolution of passwords
The use of passwords has significantly evolved over the years, starting from simple, static passwords to more complex and dynamic ones used today. This has been largely driven by the growing use of hacking tools and techniques that can easily crack simple, static passwords.
Simple Passwords
Simple passwords are short, easy-to-remember strings of characters that are commonly used to protect access to accounts, devices, and information. Simple passwords are typically made up of dictionary words or personal information that is easy for the user to remember.
There are a few potential benefits to using simple passwords. One potential benefit is that simple passwords are easy for users to remember, making them more convenient to use. This helps improve the usability of the authentication system and reduces the risk of users forgetting or losing their passwords. Another potential benefit is that simple passwords are easy to type or enter, which is useful on devices with small keyboards or touchscreens.
Unfortunately, such passwords are also easy for an attacker to guess or hack. Many hacking tools and techniques are designed to quickly guess or crack simple, static passwords, making it easy for an attacker to gain access to a user's accounts or information. Another potential disadvantage is that simple passwords are often reused across multiple accounts, which makes it easier for an attacker to gain access to multiple accounts using a single compromised password.
While simple passwords may be convenient to use, they are not secure and should be avoided in situations where security is a concern.
Complex Passwords
Unlike simple passwords, complex passwords provide stronger protection and help improve the security of accounts, devices, and information. against guessing attempts. Complex passwords that use a combination of letters, numbers, and special characters are much harder to guess than simple, static passwords that use only dictionary words or personal information.
Complex passwords are also more resistant to hacking tools and techniques. Many hacking tools and techniques rely on the ability to quickly guess or crack simple, static passwords. By using complex passwords, users can make it much more difficult for attackers to gain access to their accounts.
Overall, the use of complex passwords provides stronger protection against guessing and hacking attempts. But they also present challenges in terms of usability and password management.
Most websites and online services now require users to create complex passwords and to regularly update them. In addition, the use of two-factor authentication (2FA) has become an important tool that adds an additional authentication step and an added layer of security.
Another important driver of better passwords and account security is the increasing security needs of organizations. The growing focus on data security and privacy has led to stronger regulations and greater security expectations from organizations. More organizations are now seeking compliance certifications such as SOC 2, PCI DSS, etc. that mandate better password hygiene and adoption of multi-factor authentication.
An equally secure alternative to complex passwords is a passphrase.
Passphrase Vs Complex Passwords
A passphrase is a longer version of a password that uses a combination of words as well as numbers, and special characters to create a unique authentication credential. Passphrases are often easier to remember than complex passwords because they use a combination of words and phrases that are meaningful to the user. For example, a passphrase might be a sentence or phrase that the user can easily remember, such as "I love my dog Bolt" or "There is a Yellow Horse on my desk."
Compared to complex passwords, passphrases have several potential advantages. First, because they use a combination of words and phrases that are easy to remember, passphrases are easier for users to remember and use than complex passwords. This helps reduce the risk of users forgetting their passwords and improves the usability of the authentication system.
Second, because passphrases are longer and more complex than simple passwords, they provide stronger protection against guessing or hacking attempts, improving account and device security.
However, there are also some potential disadvantages to using passphrases. One potential disadvantage is that passphrases may be vulnerable to dictionary attacks, where an attacker uses a pre-computed list of words and phrases to try to guess the passphrase. But this vulnerability can be alleviated by introducing a few strategically placed numbers and symbols in the passphrase.
Another potential disadvantage is that, because passphrases are typically quite long, they can be difficult to enter on devices that have small keyboards or touchscreens.
Password Length, Complexity, And Time To Crack
In general, the longer and more complex a password is, the more secure it will be. A long password that uses a combination of letters, numbers, and special characters is much harder to crack than a short password that uses only dictionary words or personal information.
Here’s a table showing how long it usually takes to hack a password, based on its length and composition:
However, there are also some potential drawbacks to using complex passwords. Difficulty in remembering complex passwords. Because complex passwords are long and more difficult to remember, users may have trouble remembering them, particularly if they have multiple complex passwords for different accounts. The increased forgetting of passwords increases the workload on the IT helpdesk, which has to regularly reset passwords.
Another risk of complex passwords is that users tend to memorize a single complex password and reuse it across multiple accounts and services. Some users may also write it down and store it somewhere accessible. Such actions put the security of the accounts at grave risk.
To address these drawbacks of complex passwords, software called password managers came into the picture.
Password Managers
Password managers are software tools that take away many of the pain points associated with creating, remembering, and using complex passwords. These tools typically store passwords, as well as other sensitive information such as credit card numbers, bank account information, and security questions in a secure, encrypted database. They also include features such as automatic password generation, password sharing, and password synchronization across multiple devices.
So, password managers handle tedious tasks such as
coming up with strong passwords,
remembering the passwords and associated usernames, and
filling web forms.
Using a password manager can help improve account security in several ways. First, password managers help users create and store strong, complex passwords for each of their accounts, without having to remember them all individually. This can help prevent the use of weak, easily guessed passwords.
Second, when using a password manager, users are much less likely to reuse passwords across multiple accounts. This helps prevent attackers from using a single compromised password to gain access to multiple accounts.
Another, not-so-obvious, benefit of using password managers is that if you ever land on a fake or spoofed website, your password manager will not fill in your credentials on the spoofed login page.
However, the evolution of passwords hasn’t stopped as users and organizations continue to seek more secure ways to protect their accounts and information.
Methods Of Authentication
In addition to passwords, there are several other forms of authentication that can be used to protect access to accounts and devices. Some of the most common forms of authentication include:
Two-factor authentication (2FA), which requires users to provide two different forms of authentication in order to access their accounts. This can include a combination of something the user knows (such as a password), something the user has (such as a security token or key), or something the user is (such as a fingerprint or facial recognition).
Biometric authentication, which uses unique physical characteristics, such as a fingerprint, iris, or facial recognition, to verify a user's identity.
Security tokens and keys, which are physical devices that generate one-time codes or keys that can be used to access accounts or devices.
Smart cards, which are physical cards that contain a chip or other device that can be used to verify a user's identity.
Single sign-on (SSO), which allows users to access multiple accounts or services using a single set of credentials.
Each of the above forms of authentication has its own strengths and weaknesses, and the appropriate method used will depend on the specific security needs and requirements of the organization.
Future of Passwords
Most of us own an ever-expanding stack of tools and applications and managing the username-password combinations for all of our accounts is cumbersome, to say the least. In addition, passwords are not the most secure form of authentication as they are prone to phishing, data breaches, social engineering, and hacking.
Thankfully, recognizing these inherent weaknesses of passwords, tech giants such as Apple, Google, and Microsoft are working to kill off passwords, bringing an era of passwordless sign-in. Many iPhone and Android users are already familiar with facial scans and fingerprint authentication for unlocking devices and making digital payments.
Soon, these same principles will be applied across major platforms including Android, Windows, iOS, macOS, and internet browsers, enabling users to sign in to their accounts and applications using the same actions required to unlock their devices.
Passwordless sign-in is more secure against threats such as phishing attacks and data breaches since it ties login credentials to a combination of a physical device and a user's unique attribute such as a facial scan or a fingerprint.
How Does Passwordless Access Work?
The first time you sign up for a new service, the service sends a request to your device. You approve the request by unlocking your device. This approval generates a “passkey”, which is stored on your device, and a public key is sent to the service. For subsequent sign-in requests, the service sends a request to your device, and your facial scan or fingerprint unlocks the passkey, granting you access to the service or account.
Although it may appear that your login credentials are tied to your device, the passkey is securely synced to your cloud backup. So even if you lose your phone, you will still be able to access your accounts once you sync your new phone to your cloud backup.
Conclusion
Passwords are the most common form of authentication used to protect access to accounts, devices, and information. However, passwords have always had flaws and are vulnerable to phishing, data breaches, and hacking. Over the years, they have undergone significant changes, starting from a simple string of characters to the complex and dynamic passkeys of today.
New security measures such as complex passwords, passphrases, 2FA, etc. have ultimately led us to passwordless access. But until passwordless sign-in becomes the norm, we need to follow the latest security best practices to keep our account secure.
Are all your accounts, devices, and information adequately protected? Does your organization have a robust password policy? Have you implemented all common password best practices? Click the button below to schedule a call with our security experts about improving your password management and security.
If you liked the blog, please share it with your friends