By Jon Xavier
Despite recent advances in authentication technologies, traditional passwords are still the way users log into most services. That’s why it’s so tragic that so many people use terrible passwords. According to a recent analysis, 86% of users use passwords that have already been cracked.
There is so much outdated, misleading, and just plain wrong information about passwords floating around on the Internet that it isn’t surprising so many people choose bad passwords. Yet companies cannot afford to be complacent. With the average security breach now costing companies $3.86 million, you need to cut through the noise and deliver good information about password security to your workforce.
We want put to rest some of the most persistent falsehoods about passwords and talk about what it takes to come up with strong passwords and practice good password security in 2019.
But first, the tl;dr version
Want the strongest password and the best password security in 2019? Here's the guide condensed:
- How long should my password be? 10 characters long, minimum, but make it as long as possible. Length is the most important factor to strength.
- Does my password need special characters to be strong? Nope.
- Does my password need numbers to be strong? Nope.
- What about switching numbers for letters(1337 speak)? This does nothing.
- How often should I change my password? Only change it if you think it's been compromised. Never force users to rotate passwords, this actually lowers security.
- Can I use the same password on multiple sites? Absolutely not. Every service should have its own unique password so that you don't have to change all of them when (not if) they get breached.
- How can I remember my password? Don't try to remember your passwords, use a password manager. If you don't want to, write it down. If you have to make a long, memorable password, use the diceware method. But never reuse a password.
- What about two-factor authentication? Always turn on 2FA if it's an option. Use the strongest 2FA method you can. A text message is weaker than an authenticator app is weaker than hardware-based authentication. Never give a service your phone number if you can help it.
- What about password recovery questions? Don't give honest answers to these. For maximum security, generate a secondary random password for each question and store it in your password manager.
Some of that might seem counter-intuitive, but it's backed by facts and based on current best practices. Read on to find out why!
Dispelling Password Security Myths
Here are some of the most common misconceptions about passwords:
Myth #1: Strong passwords need to have letters, numbers and special characters
This is one of the most persistent myths about passwords, one that’s perpetuated by the password complexity requirements that many organizations set on their logins.
It is true that a password with uppercase letters, lowercase letters, numbers, and special characters is theoretically stronger than one with only lowercase letters. This is because the latter password has more possible combinations that a potential attacker must attempt if they want to brute force it by guessing every possibility.
However, the gains from this method are moderate at best. Complexity can even sometimes lead to weaker passwords, if the difficulty of remembering complex passwords causes a person to resort to using a shorter string or easily-guessed patterns such as replacing letters with numbers. (Yes, hackers speak 1337 too.)
For this reason, the National Institute of Standards and Technology (NIST) guidelines on password security now actually recommend against enforcing any requirements on password complexity.
Myth #2: Passwords should be rotated frequently
Many companies assume that forcing employees to change passwords on a regular basis is makes them safer. You might think this limits the damage of a cracked password since stolen credentials are only valid until the user’s next reset. However, this is an untrue assumption.
While there are some sophisticated attackers that seek to access a system and stay undetected for weeks or months, most cyber attacks involve quickly exploiting a vulnerability and exfiltrating data within minutes. Attackers know that the longer they wait to get what they’re after, the greater the chance of getting caught.
Unless passwords are changing hourly, a regular rotation won’t prevent this kind of smash-and-grab attack. What it will do is annoy employees, generate work for IT, and hurt productivity.
This practice can even lead to weaker passwords in much the same way that complex passwords can paradoxically compromise security. In this case, the added burden of having to create a new password often causes people to fall back on shortcuts such as reusing a simple password and appending a number to the end of it. For this reason, this is another standard the NIST guidelines have jettisoned.
Myth #3: A password breach isn’t a big deal if you don’t use that account for anything important.
This extremely widespread myth springs from a misconception about how password cracking works and how attackers use passwords once they’ve been compromised. It’s commonplace to think of a hacker targeting a specific site and then running some sort of hacking tool until they find the password that lets them in. Yet this isn’t how a standard attack works.
What often happens during a data breach is that the entire database containing every password will be stolen. This database usually stores passwords in an encrypted format, although you’d be surprised how lax some companies are about this. Modern cracking utilities running on modern hardware can try hundreds of thousands of password combinations against this database each second. So even with encryption, it won’t take long for hackers to crack the weak credentials stored in the database. The usual approach is to let the utility run for a period of time, and then move on with whatever credentials it manages to shake out.
After passwords are compromised, two things happen. The first is that hackers will take credentials they’ve found and try them against high-value targets across the web, knowing that passwords are often reused. It doesn’t matter if the original breach was on a rarely-updated WordPress blog—if a password breach victim used the same password for a bank account, the attacker will quickly gain access to that, too.
The second thing that happens is that breached passwords will make their way into dictionary lists of common patterns that hackers use for brute-force attacks. This means that they will fall even more quickly to the next attack, virtually ensuring they will be compromised if used again.
Once a password is burned in one place, it’s burned across the Internet permanently. There is no such thing as an “unimportant” account.
What actually makes a password strong
So what actually does matter? The good news is strong password generation is a lot simpler than most people think. The bad news? A big part of it is completely out of your control.
The most important factor in password safety is how they’re stored.
Passwords should be stored in an encrypted format using strong cryptographic algorithms. If passwords aren’t encrypted, then the only thing protecting them is the company’s ability not to be breached in the first place. (Which, if they are still storing passwords in cleartext, is not something users should have confidence in.)
There are techniques that secure companies use to make a password harder to crack. Chief among these is a cryptographic salt. A salt is a random string of characters appended to your cleartext password before it is run through an encryption algorithm, artificially increasing its length. A good salt will increase difficulty of most passwords, making them stronger against brute-force attacks using common password cracking techniques like dictionary attacks and pre-generated rainbow tables.
All salts are not created equal. The weakest technique, but also the most easily implemented, is to use the same salt for every password. While this does offer some protection, the problem is that a given password will generate the same hash every time. This makes it easy to reverse engineer the salt. Once attackers have the salt, they can use it to create a custom rainbow table that will easily crack the passwords in that database.
A more secure method is to use a different random salt for each password, but this makes encrypted password generation more difficult, which is why some organizations don’t use this method. Unfortunately, its impossible to tell how an service stores passwords from the outside, so it’s hard to make an informed decision about this.
There is a lot more to this topic, and we don’t have room to get into the nuts and bolts of secure password storage here. If you happen to be in charge of security at a company and you want to do a good job of storing your users’ passwords, the Open Web Application Security Project Password Storage Cheat Sheet is a good place to start.
If you aren’t in charge of password storage, here’s the main thing you need to know:
The most important factor you can control is password length.
Password difficulty scales exponentially with each additional character. This means that it doesn’t take that many to make a dramatic difference in your security.
For example, a password that is nine characters long will take about two hours to brute force on average with modern computing resources. Adding just a single character to this password length increases the time to brute force to one week, everything else being equal. By the time you get to 12 characters, it should be able to withstand an attack for about 2 centuries.
So how long is long enough? It depends on your level of paranoia, but in a well-encrypted and properly-salted database, ten characters are likely enough to defeat a majority of attackers. If you’re using a password manager (more about this later), there’s also no drawback to using an even longer password.
Another important factor is uniqueness.
As we saw earlier, an exposed password will be used to attempt to get in to all your accounts. That means password reuse is always a bad idea, because in the event of a breach it will be necessary to change the password everywhere it was used (If you can even remember everywhere you used it). If every password is unique, then there’s only ever one password that needs to be changed.
However, you shouldn’t use anyone else’s password either. Passwords that get stolen during a data breach will often be released publicly once the hacker is done with them. So they’ll eventually get added in one of the common dictionary lists that hackers use to streamline password cracking attacks.
This means you should avoid using any of the most common passwords, alone or in combination. It also means you should be wary about using a phrase that you’ve seen in print somewhere, like a Bible verse or a quote from your favorite athlete. Although this is easily remembered and will likely get you to the right length, there’s a greater chance that somebody else has already used this password and burned it.
Putting standards into practice
To recap, the ideal password is at least ten characters long, stored securely, and completely unique. Easy, right?
Well, okay, not really. That probably still seems more inconvenient than using “letmein” for everything, and it is—if you try do it on your own.
Fortunately, there are now many techniques and technology products to help you strengthen your password security. In fact, if you use them right, having good security practices can actually be easier than doing it the wrong way.
Use a password manager
There are a number of password managers on the market, and they all work about the same. Password managers allow you to have one really strong password used to unlock a well-encrypted password vault that stores random, strong passwords for the rest of your accounts, rather than having to create and remember them all on your own. This makes it really easy to have a secure, unique password, and also ensures that if you do get breached, you only have to make one change. Some password managers will even alert you whenever there’s a breach at a service that you use. Handy!
You might be thinking that using a password manager means creating a security bottleneck. If attackers can compromise the password manager, than they will have access to all of your passwords. This is true, but it also misses the point.
Unlike many of the services you trust with your password, you can have at least some expectation that a password manager is doing everything right to protect you, including following best practices for password storage and encryption.
As long as you follow the recommendations for establishing a strong master password, your risk exposure is minimal. And you will certainly be safer than you would be without a password manager, if the alternative means reusing passwords or resorting to shortcuts.
Use the “diceware” method for easily remembered passwords
Even with a password manager, you’ll still need to remember at least one password. The easiest way to make a password that's secure and easily remembered is through the classic “diceware” method. This means stringing random words together to create a passphrase.
The reason it’s called the diceware method is that it’s traditionally done with dice, and this is still the most artisanal, hipster way to generate a password.
Get five dice, a word list, and a pad of paper. Roll the dice five times, record the number, cross reference with the list, and write down the word. Do this until you have a password that is at least ten characters long.
The following is an example of a password created using the diceware method:
First, don’t use that. Make your own.
You’ll notice this passphrase is 36 characters long (including hyphens) and thus will take until the heat death of the universe to crack through pure brute-force methods. A passphrase that’s at least five words long is also a lot stronger than you might expect against a dictionary attack. This one would take about eight years to brute force using a dictionary list of about 8000 words, which is longer than most cyber criminals are willing to wait.
The above password example is easily remembered if you make up a story or image to help you remember it. In this case, I can imagine Karl Marx trying to sell skincare products on a golf course, and I’m much of the way there.
Turn on two-factor authentication (2FA)
While it’s not strictly a “password security” thing, two-factor authentication is a great supplement to passwords. By requiring a one-time PIN in addition to your password, 2FA adds another step to the process of compromising your account. While there are some ways to bypass 2FA, they’re not techniques that can easily be automated. This means that any level of 2FA is going to rule out all but those attackers that are targeting you specifically, which is a much smaller pool of potential badnicks.
It’s important to remember that 2FA does not make your password invincible, however. You’re still quite vulnerable to phishing campaigns and social engineering attacks.
In particular, you should be wary of text message-based 2FA, which is still the most widely supported types. While it is far better than nothing, it can be bypassed through SIM hijacking, an increasingly common type of attack.
App-based 2FA solutions such as Google Authenticator or Authy protect against these attacks, so they should be your go-to for any service that supports them. Some password managers will even do 2FA for you, letting you keep everything in one place and making it easier to change phones without disruption.
The strongest form of 2FA is hardware-based, such as Yubikey, which requires a physical token be present to authenticate the user. This may feel like overkill for most users and use cases.
Treat security questions as secondary passwords
One often overlooked weakness in many password setups is the security questions used to reset forgotten passwords. The answers to these questions tend to be short and not very complex, making them weak to brute force attacks. Yet many attackers won’t need to resort to brute force because this information is often guessable based on info about you that is publicly available online. The name of your first school or your first pet might have been private when companies first started adopting these security questions in the 70s. In the age of Google and oversharing on social media, it’s no longer a safe bet.
Rather than answering honestly, you should treat these questions as secondary passwords and generate strong, unique strings for them that you store in your password manager. It may seem odd to say that your father’s middle name is
R-qM5\f#..^bSp+g, but it will prevent hackers from exploiting a password reset vulnerability to steal your account. If you’re using a password manager, you likely will not need to use these security questions anyway.
Summing it all up
While security is complicated and the Internet is a scary, dangerous place, it turns out that password security is actually pretty simple. If you use a password manager, use a unique, ten-character-minimum password for every account; turn on 2FA, and treat password reset questions as secondary passwords, you’ll be far ahead of the game.
The NIST Password Guidelines. A more in-depth look at password strength along with practical standards for password safety.
Open Web Application Security Project Password Storage Cheat Sheet. Good overview of proper password storage techniques for developers trying to build more secure web applications.
That one xkcd comic everyone always posts about password security. Great for teaching your team how to make a secure, memorable password!
The other relevant xkcd comic. Don't overthink it!
zxcvbn. Dropbox's open source password strength checker, inspired by actual password cracking behavior rather than abstract ideas about what makes passwords strong. Intended as a low-impact replacement for naive password strength meters that simply check for a certain length and complexity.