Best Practices for Keeping Your Passwords Secure, Yet Memorable
As the preeminent form of security online, passwords are currently the most important frontline defense to get right in your organization. However, many people often cut corners with their passwords to ensure they don’t forget them, recycling them across their many accounts. Let’s go over a few ways to help your team create secure passwords that they can commit to memory without shortchanging their efficacy.
How Strong Can a Password Be?
Passwords are a tricky thing, particularly because there are two different ways to crack them. First, you have the algorithmic tools that cybercriminals now use to crack challenging passwords, and second, the ability of a cybercriminal to deduce or acquire it through social engineering.
This makes it critical that you properly balance your account security so that you can remember the code you need to get in, without relying on something that would easily be guessed by a computer or a cybercriminal.
The Challenge of Creating a Password
Okay, so the time has come for you to put together a new password, or perhaps a password policy for your business. Moving forward, you need to do so while appreciating two things:
- If a password cannot be stolen or guessed, an attacker will likely fall back to trying every possible combination of characters: a brute force attack.
- A password’s security is not the same as its resistance against a brute force attack.
It might help to think of an authentication measure as what it really is: a lock. All a password is, really, is the key needed to unlock access to certain data or information.
Let’s picture this literally: say you have a vault protecting all your most important secrets. Someone trying to get at your secrets will likely first try all the combinations that a lot of people use, and then all the dates and times they could find that may be important to you. If that doesn’t work, their next step is simply to try every possible combination, which, sooner or later, will lead them to the correct one.
So, what does this mean for your passwords?
The Balance Between Complexity, Predictability, and Memorability
When creating a secure password, there are assorted best practices that we’ve frequently encouraged, including:
- Sufficient length, ideally over 16 characters
- A combination of numerals, letters, and symbols
- No privileged or personal information, and nothing that can be found online or on social media
- No common words or numbers
- No consecutive letters or numbers
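As an added example (not part of this post), here is a small Python policy checker that applies the five rules above to a candidate password. The common-word, common-number and personal-detail lists are constructed for illustration, and the "no consecutive letters or numbers" rule is read here as "no run of three or more characters in alphabetical or numerical order"; both are assumptions you can adjust.

```python
# Constructed sample lists for illustration; a real checker would load a large
# breached-password list and a dictionary instead of these few entries.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "summer"}
COMMON_NUMBERS = {"123456", "111111", "1234", "2024"}
# Hypothetical personal details already known about this user (birth year,
# pet name, home town); a real deployment would look these up per user.
PERSONAL_TERMS = {"1987", "rover", "victoria"}

MIN_LENGTH = 16
REQUIRED_CLASSES = {"lower", "upper", "digit", "symbol"}

# The example password from this post, with the ellipsis characters written as escapes.
PAGE_SAMPLE = "\u2026\u2026/// k!ck_rat!o_E77Ect ///\u2026\u2026"


def char_classes(pw):
    """Return the set of character classes present in pw."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def has_sequential_run(pw, run=3):
    """True if pw contains `run` alphanumeric characters in ascending or
    descending order (abc, 123, cba). This is one reading of the
    "no consecutive letters or numbers" rule; adjust `run` as needed."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if not chunk.isalnum():
            continue  # a symbol inside the window breaks any run
        diffs = {ord(chunk[j + 1]) - ord(chunk[j]) for j in range(run - 1)}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(pw):
    """Return a list of policy findings; an empty list means the password passes."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(f"too short: {len(pw)} characters, need {MIN_LENGTH}")
    missing = REQUIRED_CLASSES - char_classes(pw)
    if missing:
        findings.append("missing character classes: " + ", ".join(sorted(missing)))
    lowered = pw.lower()
    for token in sorted(COMMON_WORDS | COMMON_NUMBERS):
        if token in lowered:
            findings.append(f"contains common token '{token}'")
    for term in sorted(PERSONAL_TERMS):
        if term in lowered:
            findings.append(f"contains personal information '{term}'")
    if has_sequential_run(pw):
        findings.append("contains a sequential run of letters or digits")
    return findings


if __name__ == "__main__":
    # Constructed candidates alongside the post's own example.
    for candidate in ["Welcome2024!", "monkeylovesbananas", "Rover-1987-abc", PAGE_SAMPLE]:
        result = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

Each rule produces its own finding rather than a single pass/fail, so the user is told what to change; the substring matching is case-insensitive so "Welcome" and "WELCOME" are caught alike.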
Creating the Optimal Secure Password
Since we must also consider the computing power now available to your adversaries, adding complexity to the password itself helps make their job harder. Consider that about 41 percent of passwords are made up entirely of lowercase letters. Cybercriminals know this too, and can therefore skip every candidate containing symbols or capital letters in their initial brute force attacks.
However, adding some of these components (capitalization, numerals, punctuation) excludes your password from that narrowed search, making the process of finding your actual password a far lengthier one.
In short, the most secure passwords are those that no human brain has any probable chance of guessing, and that are most likely to resist a brute force attack and outlast any attempts made.
Of course, there are other considerations to keep in mind as well—like memorability. While a password like “2Gu+04nFW9” may resist the efforts of a cybercriminal and their guessing games, and even stave off an algorithm for a time, how simple is it going to be for you to remember that?
If you’re like most of us, not simple at all.
This is where the idea that “close isn’t close enough” can work against the user and the attacker alike. While the requirement of an exact match does make it more challenging for a hacker to identify the exact passcode, it can easily lead to passwords like “2Gu+04nFW9” being a real challenge for a user to, well, use.
Therefore, a prevailing theory nowadays is that the most secure passwords are the ones that utilize a few random words, with varied capitalization and alphanumeric switching, that are padded with several symbols on either side.
Why is this?
Simple: with each character class you add, you reduce the chance of your password being brute-forced. A sizable proportion of passwords unfortunately still consist of nothing but lowercase letters. Attackers know this, and rather than wasting time searching every character class in a brute force attack, they will simply check candidates made up of lowercase letters alone. Each additional character class you introduce makes their search longer by a significant factor.
So, to keep the complexity/uniqueness/memorability balance in check, while still minimizing the risk of a successful brute force attempt, an ideal password may look something like this:
……/// k!ck_rat!o_E77Ect ///……
That way, it isn’t impossible to memorize, incorporates multiple variables for a brute force attack to account for, is 29 characters long, and almost certainly will not be guessed. (Of course, now that we’ve published this blog, you should not use this particular password.)
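To put numbers on the "significant factor" claim above, the following Python is an added example (not from the post) that computes the brute force search space, the equivalent bits of entropy and a rough crack time for a password from the character classes it uses, and compares the post's example password with a lowercase-only version of it. The guess rate is an assumed figure for illustration only, the symbol class is taken to be the 33 printable ASCII punctuation characters plus space, and the `wordlist_keyspace` helper models the separate case of an attacker who knows the password is built from dictionary words.

```python
import math
import string

# Alphabet size per character class. "symbol" assumes the 32 printable ASCII
# punctuation marks plus the space; anything outside the other three classes
# (including non-ASCII such as the ellipsis) is folded into it, which slightly
# understates the true alphabet and therefore gives a conservative estimate.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(string.punctuation) + 1}

# Assumed guess rate for illustration only, not a measured figure for any real
# cracking setup; offline attacks on fast hashes can be far faster, online ones far slower.
ASSUMED_GUESSES_PER_SECOND = 10 ** 10


def alphabet_size(pw):
    """Size of the smallest class-based alphabet that covers every character in pw."""
    present = set()
    for ch in pw:
        if ch.islower():
            present.add("lower")
        elif ch.isupper():
            present.add("upper")
        elif ch.isdigit():
            present.add("digit")
        else:
            present.add("symbol")
    return sum(CLASS_SIZES[c] for c in present)


def keyspace(pw):
    """Number of candidates an exhaustive search must cover: alphabet ** length."""
    return alphabet_size(pw) ** len(pw)


def entropy_bits(pw):
    """Brute force entropy in bits, i.e. log2 of the keyspace."""
    return len(pw) * math.log2(alphabet_size(pw))


def expected_crack_seconds(pw, rate=ASSUMED_GUESSES_PER_SECOND):
    """Expected time to hit pw by exhaustive search (on average, half the keyspace)."""
    return keyspace(pw) / 2 / rate


def search_factor(weaker, stronger):
    """How many times larger the stronger password's keyspace is than the weaker's."""
    return keyspace(stronger) / keyspace(weaker)


def wordlist_keyspace(n_words, wordlist_size, variants_per_word=1):
    """Keyspace for an attacker who guesses the password is n random words from a
    list of wordlist_size entries, each with variants_per_word spelling variants
    (capitalisation, letter-to-digit swaps). Padding symbols multiply this further."""
    return (wordlist_size * variants_per_word) ** n_words


if __name__ == "__main__":
    lower_only = "kickratioeffect"                              # constructed: 15 lowercase letters
    mixed = "k!ck_rat!o_E77Ect"                                 # the post's core phrase, all four classes
    padded = "\u2026\u2026/// k!ck_rat!o_E77Ect ///\u2026\u2026"  # the post's full example
    for pw in (lower_only, mixed, padded):
        years = expected_crack_seconds(pw) / (365 * 86400)
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, {entropy_bits(pw):.1f} bits, "
              f"~{years:.3g} years at the assumed rate")
    print(f"mixed vs lowercase-only: {search_factor(lower_only, mixed):.3g}x larger search")
    bits = math.log2(wordlist_keyspace(3, 7776, 4))  # constructed: 3 words, 7776-word list, 4 variants each
    print(f"three dictionary words with 4 variants each: about {bits:.1f} bits")
```

Two things the output makes concrete: every extra character multiplies the search by the alphabet size, and every extra character class raises that alphabet, so the mixed 17-character phrase sits many orders of magnitude beyond the 15-letter lowercase version. The `wordlist_keyspace` figure is the caveat: if an attacker assumes "a few random words", the effective search is the word list raised to the number of words, which is why the capitalisation, digit swaps and symbol padding the post recommends matter.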
But Wait: Now I Have to Remember All These, Too?
This is the part that encourages the least secure password habit of all—repeating one across multiple platforms and accounts. Fortunately, this is a simple enough habit to avoid with the use of a simple, yet effective, tool: a password manager.
A password manager is a program that securely stores all the credentials a user needs for their other accounts and applications, encrypting them and sealing them behind a single login. As a result, the number of passwords you actively need to remember is effectively reduced to one, while you still enjoy the security benefits of having many distinct passwords.
As for the rest of your security, Digital Sky Solutions can have your back by seeing to your security solutions and monitoring your network for latent and incoming threats. We can, of course, also assist you in implementing your password management solution. Find out more by reaching out to us at (250) 483-5623.