Password Tips That Won't Leave Your Head Spinning
I'm a giant fan of this topic not just today but every day. In the security world, we love to complicate things and shout at other security people about complex technical issues, leaving those in the general public confused about what steps to take. But password security is the #1 area the average person (and even most organizations to a degree) can focus on to make themselves more secure.
Common Sense Password Guidance for Everyone
1st - Use Multi-factor Authentication Whenever Possible
Historically, a valid username and password was all that was needed to log in to a system, website, or service. This presents a security challenge because it is just one factor (something you know), and anyone who can guess your password or find it in a breach dump will be able to log in, too. Multi-factor authentication (MFA) adds an additional requirement - generally something you have - on top of knowledge of a valid username and password. Most often this means a notification or code pushed to your phone via an app or text message. Many services and vendors are at least starting to offer the ability to enable MFA, but it is not often enabled by default.
This is probably the most important bang-for-your-buck step someone can take and the one I suggest to the general public most often. It stops the most common password attacks - such as the Ring camera "hack" this past December - dead in their tracks. While Ring garnered its fair share of negative press as a result, the bad guys actually obtained access to Ring accounts by using credentials for other services which were leaked and readily available on the internet. Because email addresses and passwords were reused for Ring accounts which were not secured with MFA, attackers could simply reuse these breached credentials to obtain access (more on this in a bit). Ring has since enabled MFA and requires it in order to log into accounts.
2nd - Use a Password Manager
A password manager is an app which stores your passwords for your various accounts and centralizes them. This might seem crazy on the surface, but it offers a few key benefits:
- The ability to generate long, random passwords which cannot easily be guessed via conventional means
- Easily create a unique password for each individual website, system, app, or service
- Automatically populate passwords in web browsers and apps so that users do not have to remember (or even know) their passwords
There are many choices when it comes to password managers such as LastPass, 1Password, DashLane, and Apple even has one built into all iOS devices. Which one you choose matters less than just making sure you use one. If you don't, you more than likely have some room for improvement in one of the next two areas.
3rd - Go for Long Passphrases Rather than Complexity
The conventional password guidance over the last thirty years has been to use at least eight characters, include at least one uppercase, lowercase, number, and symbol character, and to change passwords every 90 days. In other words, the focus has been on complexity (including different kinds of characters) and on changing passwords faster than attackers can crack them (at least faster than the Soviets could in the 80s). These requirements have caused people to choose short words that they remember - like their dog's name, or the season - and then add numbers, symbols, or the current year until complexity requirements are met, resulting in something like Scooby#2, which is an easy password to guess even if an attacker has to brute force all possibilities.
Instead, emphasizing length is a better approach. For example, the password "my dog scooby is an awesome dog who i love very much" meets none of the aforementioned complexity requirements, yet it is a more secure password than Scooby#2 and is easier to remember.
NIST, which is responsible for a lot of this guidance, recently shed the outdated requirements and updated their standards, but most of the world has not caught up.
Again, it is better to use a password manager and set a long, random password you do not know at all, but when you cannot, use longer passwords.
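To make the length-versus-complexity argument concrete, here is an added example (not part of the original post) that checks a password against the legacy complexity rule described above, estimates the keyspace an attacker must brute force, and generates the kind of long random password or passphrase a password manager would produce. The tiny word list and the keyspace estimate are assumptions for illustration; a real generator uses a list of thousands of words.

```python
import math
import secrets
import string

# The post's two examples.
WEAK = "Scooby#2"
PASSPHRASE = "my dog scooby is an awesome dog who i love very much"

# Constructed mini word list; a real passphrase generator (e.g. diceware) uses thousands.
WORDS = ["apple", "river", "candle", "orbit", "wheat", "tiger", "marble", "cloud",
         "lantern", "velvet", "harbor", "pixel", "meadow", "quartz", "saddle", "ember"]


def meets_legacy_complexity(pw: str) -> bool:
    """The 'at least 8 chars with upper, lower, digit and symbol' rule the post describes."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def charset_size(pw: str) -> int:
    """Size of the smallest standard alphabet covering every character class used."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(c in string.punctuation for c in pw): size += len(string.punctuation)  # 32
    if any(c.isspace() for c in pw): size += 1
    return size


def brute_force_bits(pw: str) -> float:
    """log2 of the keyspace for a character-by-character brute force. Note: this
    overstates the strength of dictionary-word passwords like Scooby#2, which
    cracking tools guess via word lists and mangling rules long before brute force."""
    return len(pw) * math.log2(charset_size(pw))


def random_password(length: int = 20) -> str:
    """What a password manager generates: random over letters, digits and symbols."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words: int = 6) -> str:
    """A memorable alternative: random words joined by spaces."""
    return " ".join(secrets.choice(WORDS) for _ in range(n_words))


if __name__ == "__main__":
    for pw in (WEAK, PASSPHRASE, random_password(), random_passphrase()):
        verdict = "passes" if meets_legacy_complexity(pw) else "FAILS"
        print(f"{pw!r}: complexity rule {verdict}, ~{brute_force_bits(pw):.0f} bits to brute force")
```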
4th - Stop Reusing Passwords Across Multiple Sites & Services
Perhaps the biggest issue with passwords in both corporate environments and across the general public is that people tend to reuse the same password everywhere. This is a problem for multiple reasons:
- If you choose a poor password (as people have proven to) then you are reusing your poor password everywhere, even for critical accounts such as banking.
- Breaches of popular services happen all the time, and the associated credentials are eventually sold or leaked on the internet. Your Beanie Babies fan site login might not get an attacker access to anything critical on its own, but if that site suffers a breach and you have reused the same password for your corporate email, it is a short jump for attackers to try the same password everywhere on the internet (remember Ring?) - an attack called credential stuffing - including against your work account. At the moment this is one of the most common attacks in the world.
- When you provide a password to a website, service, or vendor, you don't actually know what they are doing with it. If they are storing it somewhere without encrypting it, then anyone with access to the associated data can take your password and perform the credential stuffing attack previously mentioned.
It might seem hard to use a unique password for each login, but it is a critical step to securing your accounts and is made easier by following the guidance above to use a password manager.
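From the defender's side, credential stuffing has a recognisable shape in authentication logs: one source trying many different accounts, roughly once each, rather than one account many times. The following added example (not from the original post) runs that check over a constructed sample log; the log format, field names and addresses (RFC 5737 documentation ranges) are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample authentication log; not from any real system.
# 203.0.113.5 walks through six different accounts once each (stuffing pattern);
# 198.51.100.7 is one user mistyping a password twice before succeeding.
SAMPLE_LOG = """\
2020-05-07T10:00:01Z src=203.0.113.5 user=alice@example.com result=FAIL
2020-05-07T10:00:02Z src=203.0.113.5 user=bob@example.com result=FAIL
2020-05-07T10:00:02Z src=203.0.113.5 user=carol@example.com result=OK
2020-05-07T10:00:03Z src=203.0.113.5 user=dave@example.com result=FAIL
2020-05-07T10:00:03Z src=203.0.113.5 user=erin@example.com result=FAIL
2020-05-07T10:00:04Z src=203.0.113.5 user=frank@example.com result=FAIL
2020-05-07T10:01:10Z src=198.51.100.7 user=grace@example.com result=FAIL
2020-05-07T10:01:15Z src=198.51.100.7 user=grace@example.com result=FAIL
2020-05-07T10:01:22Z src=198.51.100.7 user=grace@example.com result=OK
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def parse(log: str):
    """Yield (source, user, result) for every well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("user"), m.group("result")


def stuffing_sources(log: str, min_accounts: int = 5, max_tries_per_account: float = 2.0) -> dict:
    """Flag sources that touch many distinct accounts with few attempts per account.
    A single user retrying a forgotten password (one account, many tries) is not flagged.
    Accounts where the reused password worked are listed so they can be secured."""
    by_src = defaultdict(lambda: {"attempts": 0, "users": set(), "ok": set()})
    for src, user, result in parse(log):
        stats = by_src[src]
        stats["attempts"] += 1
        stats["users"].add(user)
        if result == "OK":
            stats["ok"].add(user)
    flagged = {}
    for src, stats in by_src.items():
        n = len(stats["users"])
        if n >= min_accounts and stats["attempts"] / n <= max_tries_per_account:
            flagged[src] = {"accounts_tried": n, "accounts_compromised": sorted(stats["ok"])}
    return flagged


if __name__ == "__main__":
    for src, info in stuffing_sources(SAMPLE_LOG).items():
        print(f"{src}: tried {info['accounts_tried']} accounts, "
              f"succeeded on {info['accounts_compromised']} (enforce MFA, reset these)")
```

The successful login for carol in the sample is exactly the case MFA would have blocked: a valid but reused password arriving from a stuffing source.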
You may ask, “How Often Should Passwords be Reset?”
In corporate environments, the answer can depend on the type of data, user, and environment associated with the login, but it is more clear cut for the average person: you don't have to change your passwords very often unless there is a reason to. Although people may have become used to 30, 60, or 90 day password reset requirements, that guidance resulted in people creating terrible passwords such as Spring2020 - one of the passwords we most often find in real environments - in order to change their passwords while still being able to remember them.
Instead, the average person should set a great password - long, random, and unique - from the start and not change very often unless it has been breached, forgotten, or there is a credible threat - such as accidentally responding to a phishing email.
Additional Advice & Resources
- Make use of the free credential alerts included in identity monitoring services from many banks and credit card companies
- Sign up for an account with both haveibeenpwned.com (free) and pastebin.com (very cheap), which allow you to provide a list of email accounts, names, or other information for monitoring. If any of your terms are detected in a breach or in associated kinds of data, they will send you an alert and you can take appropriate steps to clean up accounts, passwords, and other associated data
Happy National Password Day!