As our lives increasingly move online, passwords are a more critical and ever-present part of what we do day-to-day. Yet, tech experts say, most users are really bad at creating effective passwords. The evidence of poor password management is plain to see as major data breaches occur more and more frequently.
According to a study conducted by Verizon, 63% of data breaches involved leveraging default, weak or stolen passwords. When it comes to complex networks and online environments, just one cracked password has a quickly cascading effect. The 2012 data breach at LinkedIn was caused by a Russian hacker who used one weak password to expose 6.5 million encrypted passwords. Several years later 117 million email addresses and their password combinations tied to LinkedIn users were for sale on the black market.
The impact of a data breach depends largely on how much time passes between the breach and the discovery of the breach. In the same report, Verizon said 93% of data breaches happen within minutes but 85% of them are not discovered for weeks. That’s long enough for hackers to install malware to extract sensitive information, launch phishing attacks from within your network, and steal credentials that allow them to further penetrate your supposedly secure network.
However, despite an overall lack of effective password management, no one has yet come up with a better way to protect online information. For better or worse, it looks like passwords are here to stay. Here are some good rules to follow for secure, effective password management.
How to create stronger passwords
Of course, the best first step to effective password management is creating the strongest password you can. And it’s probably easier than you think. First, some don'ts. Don’t choose passwords with personal details that would be easy for someone to find out, such as your birthday, address or social security number.
Don’t use words that can be found in the dictionary. Readily available password cracking software includes dictionary lists with thousands of password variations using common names and words. And don’t use the same password for multiple sites; in particular, your email password and online banking password should always be different from any other passwords you use.
So what things should you do to create stronger passwords? The very best passwords are both easy to remember and hard to guess. Many IT security experts recommend thinking of a phrase that’s meaningful to you, such as “I hope the Seattle Seahawks win the Superbowl in 2018!” and then distilling it into a password using the initials of each word and the numbers and characters.
In our example, the password would be IhtSSwtSi2018!. The password appears to be a meaningless jumble of letters, numbers, and characters, making it difficult to crack, but since it’s derived from a meaningful personal phrase it’s easy for you to remember.
Length is also a better predictor of password strength than complexity. The best passwords are usually between 12 and 15 characters. And passwords with the special characters and numbers spread throughout the middle of your password are safer than passwords with the special characters concentrated at the beginning or the end.
Lorrie Faith Cranor, Chief Technologist at the Federal Trade Commission, told Wired: “Most people put capital letters at the beginning and digits and symbols at the end. If you do that, you get very little benefit from adding these special characters.”
Tried and true rules for password management
Many of the most critical rules for password management don’t have anything to do with creating a secure password at all, but rather relate to how you store and protect your password once you have it. Here are some precautions you should take with every password you use.
- Keep it secret. This is probably the first thing most of us learned about passwords. Don’t write it on a sticky note and attach it to your computer monitor. Don’t store all your passwords in a Word document on your desktop. And never, ever share your password with anyone. And yet, a survey conducted by password management company Lastpass found that 95% of people share up to six of their passwords with other people. The majority of them are WiFi and TV or streaming service passwords, but a full quarter of respondents said they share work-related passwords with others.
- Don’t double dip. Another cardinal rule of effective password management is to never use the same password for more than one site or network. Unfortunately, this is another rule that the majority of online users—59% according to the Lastpass study—also ignore. Reusing passwords carries significant risk for personal data in particular. If a hacker cracks your Netflix password and it’s also your bank account password, significantly more than your movie list could be at stake.
- Consider multi-factor authentication. Passwords are good, but passwords protected by other layers of security are even better. If you use a service that offers multi-factor authentication, take them up on it. The most common method is to receive a text message or email with a code you need to type into a site in order to prove it’s really you accessing it. For a device you use often—in others words, a “known device” such as your cellphone or laptop—you only need to authenticate it once. Adding fingerprint identification when available is another way to add more security to your password.
What’s new in password management
As hackers get more sophisticated, so does effective password management. IT professionals are constantly reviewing lessons learned and updating guidelines for creating strong passwords and protecting them more effectively.
In April of this year the National Institute of Standards and Technology (NIST), released updated guidance for creating and managing passwords. Though NIST information security standards are only binding for federal government agencies, private-sector companies often look to NIST as well to provide up-to-date best practices for information security.
The biggest change to NIST’s Digital Identity Guidelines is that organizations should no longer require periodic password changes. Once the gold standard of effective password management, it has since been shown that mandatory periodic password changes do more harm than good. Users often choose passwords that are easy to remember, which also make them easier to hack. Or they simply change one character from the previous password, a trick hackers are very familiar with.
The updated NIST guidelines also move away from the recommendation that organizations should require a certain type or number of characters. Instead of a complicated jumble of numbers and special characters, or just an exclamation mark added to a password you use somewhere else, NIST says long passwords, a phrase that’s meaningful to you, for example, is easier to remember and harder to hack. Organizations should also move away from character maximums and minimums, especially since the longer a password is, the stronger it is.
Finally, NIST recommends that organizations submit each password created to a strict validation process. Passwords such as “12345” or “password1,” or passwords that appear on a “black list” of commonly used or previously used passwords, should be automatically rejected by the system administrator.
Effective password management can and should be part of your organization’s larger cyber security strategy. AVI Systems’ white paper on deploying IT solutions with limited disruptions can help you get started on the right foot.