People use passwords every day, whether it be on their mobile device, corporate server workstation, or online QuickBooks account. Passwords typically serve as the first line of defense against unauthorized access. However, the recipe used to create a strong password is very important and as everyone should know, not all passwords are created equal.
First, what makes a password “good”? When setting up a new Facebook account, the password requirements are “a combination of at least six numbers, letters and punctuation marks (like ? and &).” The problem is that every site seems to have its own policy, so what is the end-all-be-all for creating a good password?
Enter the National Institute of Standards and Technology (NIST). NIST is a part of the U.S. Department of Commerce and maintains, inter alia, guidelines for ideal password creation. NIST asserts that the most security is found in a password’s length. An 8-character password should be the minimum length under general circumstances. If the account needs to be more secure, such as a bank account, explore 10+ characters. NIST also recommends avoiding obvious passwords, such as “ThisPassword” or similar, when creating a strong password.
The problem is when users are asked to create a new 5-character password with upper/lower/alpha-numeric/symbols combinations every three months. You better believe their passwords will degenerate to less secure phrases with each quarter. “1John?” would likely be accepted by Facebook from user John Doe, but it is less than ideal in terms of security. “The0ne!JohnDo3” is much more creative, longer, and harder to guess, yet relatively easy to memorize.
For reference, below are a few Dos and Don’ts for creating a secure password.
Do:
- Keep passwords above 8 characters. In fact, think of passphrases instead of pass“words” – you could use a relatively easy phrase that is easy to type, easy to remember and meets complexity requirements and be 18, 20 or even 25+ characters long.
- Creating a strong password involves something that is easy for you to remember, but hard for others to guess.
- Avoid using words found in dictionaries as the “root” of your password (e.g. 3Chattanooga!), as even a partial recovery of the password could allow the attacker to guess at the rest (e.g. if 3Chatt was recovered, it wouldn’t take too much guessing to get to Chattanooga).
- Get a password management app for mobile devices or computers to keep passwords straight. This is particularly helpful when you have 70+ passwords like I do.
- Consider using Multi-Factor Authentication (MFA), sometimes referred to as Two-Factor Authentication (2FA), to add increased protection.
Don’t:
- Use the same password in more than one place – a compromise at one system may make it that much easier for an attacker to compromise your password on a completely different and unrelated site.
- Write your passwords down, particularly on a sticky note beside your computer or anywhere else.
- Share your password with anyone.
- Use derivatives and slightly modified versions of existing passwords (1John? in month one becomes 2John? the next time it needs to be changed).
- Provide a hint if prompted, which gives others an easier time guessing.
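To make the list concrete, here is an added example (not code from the original post or from Vestige) of a password-change check that turns three of the rules above into Python: the 8 / 10+ character minimums, the “dictionary word as the root” rule, and the “no derivatives of the previous password” rule. The miniature word list, the similarity threshold, and the function names (`evaluate_password`, `dictionary_root`, `is_derivative`) are assumptions chosen for illustration; a real deployment would load a full word list and run the check at password-change time, when the user supplies the old password and nothing needs to be stored in plaintext.

```python
"""Password-change policy check built from the post's Dos and Don'ts.

Added illustrative example; the dictionary, threshold and function names
are assumptions, not part of the original post or any NIST publication.
"""
import difflib
from typing import List, Optional

MIN_LENGTH = 8               # general-purpose minimum, per the post
HIGH_VALUE_MIN_LENGTH = 10   # "10+ characters" for accounts such as banking
SIMILARITY_THRESHOLD = 0.8   # assumption: at or above this, the change is a derivative

# Constructed miniature word list standing in for a real dictionary file
# (a production check would load something like /usr/share/dict/words).
SAMPLE_DICTIONARY = {"chattanooga", "password", "john", "welcome", "summer"}

# Digits, punctuation and spaces that users typically bolt onto a word.
DECORATION_CHARS = "0123456789!@#$%^&*()-_=+[]{};:'\",.<>?/\\|`~ "


def dictionary_root(password: str) -> Optional[str]:
    """Return the dictionary word forming the root of the password, if any.

    "Root" means a single dictionary word wrapped in leading/trailing
    digits or symbols, e.g. 3Chattanooga! -> chattanooga. A passphrase or
    a mixed string such as The0ne!JohnDo3 has no single-word root.
    """
    core = password.strip(DECORATION_CHARS).lower()
    return core if core in SAMPLE_DICTIONARY else None


def is_derivative(candidate: str, previous: str) -> bool:
    """True when the new password is a small edit of the old one (1John? -> 2John?).

    difflib's ratio is 2*matches/(len(a)+len(b)); "2john?" vs "1john?" scores 0.83.
    """
    ratio = difflib.SequenceMatcher(None, candidate.lower(), previous.lower()).ratio()
    return ratio >= SIMILARITY_THRESHOLD


def evaluate_password(candidate: str, previous: Optional[str] = None,
                      high_value: bool = False) -> List[str]:
    """Return reason codes for every rule the candidate breaks; [] means it passes."""
    findings = []
    minimum = HIGH_VALUE_MIN_LENGTH if high_value else MIN_LENGTH
    if len(candidate) < minimum:
        findings.append("too_short")
    if dictionary_root(candidate) is not None:
        findings.append("dictionary_root")
    if previous is not None and is_derivative(candidate, previous):
        findings.append("derivative_of_previous")
    return findings


if __name__ == "__main__":
    # Constructed sample candidates taken from the post's own examples.
    samples = [
        ("1John?", None, False),
        ("2John?", "1John?", False),
        ("3Chattanooga!", None, False),
        ("Summer2024", None, True),
        ("The0ne!JohnDo3", None, False),
        ("correct horse battery staple sunset", None, True),
    ]
    for pw, prev, hv in samples:
        verdict = evaluate_password(pw, prev, hv) or "ok"
        print(f"{pw!r}: {verdict}")
```

The derivative check is the one that matters for the quarterly-rotation problem described earlier: it only works if the old password is compared at change time, so wire it into the change flow rather than keeping a plaintext history. The dictionary-root test deliberately strips only leading and trailing decorations, so a long passphrase or a mixed string like “The0ne!JohnDo3” passes while “3Chattanooga!” is rejected.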
By Ian Finch, CGFA,
Senior Forensic Analyst
Vestige Digital Investigations