Authentication technology has never been stronger, yet most people are still stuck with the same insecure password habits they have always had. One recent security analysis reported that 86% of users are at critical risk because of poor passwords.
Best Password Security Standards
There is a great deal of misunderstanding and outdated advice circulating on the internet about password management. It is time to stop the spread of bad practice and set out clearly how to obtain a highly secure password for everyday technology use.
In this article, you will learn the proper way to:
- Create strong passwords that cannot realistically be broken by password-cracking tools.
- Manage multiple unique passwords without memorization.
This is the short version for those who only want the core of the article.
Never reuse a password.
Every account must use a unique password. Reusing a password is the single most dangerous thing you can do: one breached site hands the attacker your password for every other site where you reused it (this is what credential stuffing attacks rely on).
The minimum length for a secure password is 10 characters.
Longer is better: increasing length is the most effective way to make a password stronger.
Sprinkling in numbers does not make a password strong on its own.
The same goes for special characters (!@#$%^&*) and for 1337-speak substitutions (e.g. password => P422w0RD). Cracking tools apply these substitution and append-a-digit rules automatically, so a predictable "1!" at the end or a "4" in place of an "a" adds almost nothing.
Extra symbols only help when they are chosen at random; a hand-picked mixture of digits and letters mainly makes the password harder for a human to keep track of.
Change a password when it has been exposed or stolen.
Changing passwords on a fixed schedule does not help and can increase risk: people respond to forced rotation with small, predictable variations (Password1 becoming Password2), which is why NIST SP 800-63B advises against requiring periodic changes.
Always use two-factor authentication (2FA) where it is offered.
2FA is one of the most effective ways to improve authentication security, because a stolen password alone is no longer enough to log in.
Always use a password manager.
Stop trying to remember passwords.
One often-cited estimate puts the average number of accounts a person holds at 90. All of those passwords should be stored and organized in a password manager.
Do not give honest answers to security questions.
Tying authentication to facts about yourself opens an additional hole, since a mother's maiden name or a first school is often discoverable. Answers to recovery questions should be random, unrelated to you, and saved in the password manager.
Signs of a weak password
Attack techniques such as brute force, dictionary and rule-based cracking, rainbow tables, and social engineering are built specifically to take over accounts. Based on the research on protection against these attacks, the following are the key signs that a password is weak.
- Short length.
- Common password (e.g. qwerty, password1).
- Reused on more than one account.
- Repeating patterns (e.g. qwerqwer123123).
- Dictionary words.
- Personal information (birthdays, names, pet names).
- Inclusion of the username, service name, or business name.
If your password matches any of the above, it is time to improve how you create and manage passwords.
Using a common password is the worst possible way to secure an account
Using a common password is flatly the worst thing you can do to an account. Most cracking tools ship with lists of commonly used passwords, and a password on such a list can be guessed in seconds.
Look through the Top 10,000 Most Common Passwords list and make sure your password is not on it. If it is, change it immediately and treat the account as already compromised.
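The weak-password signs listed above, and the common-password check, can be automated. The following is an added example written for this article, not code from the original post; the common-password set and the dictionary fragment are constructed stand-ins (a real check would load the full Top 10,000 list and a complete wordlist), and the 1337 normalization follows the article's own P422w0RD example, where "2" stands in for "s".

```python
"""Flag the weak-password signs from the list above.

Added example, not code from the original article. COMMON_PASSWORDS and
DICTIONARY_WORDS are constructed fragments; load real lists in practice.
"""
import re
from typing import Iterable, List, Optional, Set

MIN_LENGTH = 10  # the article's floor

# Constructed stand-in for a real common-password list (lowercased).
COMMON_PASSWORDS: Set[str] = {"password", "password1", "qwerty", "123456",
                              "letmein", "iloveyou", "admin", "welcome"}

# Constructed mini dictionary; a real check uses a full wordlist.
DICTIONARY_WORDS: Set[str] = {"summer", "dragon", "monkey", "football",
                              "welcome", "sunshine"}


def _normalize(pw: str) -> str:
    """Undo common 1337 substitutions so 'P422w0RD' compares as 'password'.
    The mapping follows the article's example (2 -> s), plus the usual ones."""
    table = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "l", "!": "i",
                           "0": "o", "$": "s", "5": "s", "2": "s", "7": "t"})
    return pw.lower().translate(table)


def weak_password_signs(pw: str, username: str = "", service: str = "",
                        personal_facts: Iterable[str] = (),
                        previously_used: Optional[Set[str]] = None) -> List[str]:
    """Return the weak-password signs that apply; an empty list means none."""
    signs: List[str] = []
    low = pw.lower()
    norm = _normalize(pw)

    if len(pw) < MIN_LENGTH:
        signs.append("short length")
    # Compare both the raw and the de-1337ed form against the common list.
    if low in COMMON_PASSWORDS or norm in COMMON_PASSWORDS:
        signs.append("common password")
    if previously_used and pw in previously_used:
        signs.append("reused")
    # Any chunk of two or more characters repeated back to back (qwerqwer, 123123).
    if re.search(r"(.{2,})\1", low):
        signs.append("repeating characters")
    if norm in DICTIONARY_WORDS or any(w in norm for w in DICTIONARY_WORDS if len(w) >= 5):
        signs.append("dictionary word")
    if any(f.lower() in low or f.lower() in norm for f in personal_facts if f):
        signs.append("personal information")
    for label, name in (("username", username), ("service name", service)):
        if name and (name.lower() in low or name.lower() in norm):
            signs.append(f"contains {label}")
    return signs


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate, kwargs in [
        ("P422w0RD", {}),
        ("qwerqwer123123", {}),
        ("Facebook123", {"service": "Facebook"}),
        ("MultiSkiLambWrapButt", {}),
    ]:
        print(f"{candidate!r}: {weak_password_signs(candidate, **kwargs) or 'no signs'}")
```

The normalization step is the important one: the article's point that 1337 substitutions add nothing is exactly why a checker must undo them before consulting the common-password list, since that is what cracking rules do.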
The danger behind the minimum password length
Many people stick with an 8-character password simply because most services accept it: 8 is the minimum length a great many services define.
One might argue that 8 characters is sufficient because it matches the standard set by many global organizations. That is a misunderstanding, and from a security standpoint those minimums are alarmingly low.
Password-cracking tools have advanced enormously in the last few years: against a fast, unsalted hash, an 8-character password can fall to brute force in about 2.5 hours (figures like this depend heavily on the hash algorithm and the attacker's hardware). These organizations accept such short passwords because they put considerable effort into securing the service on their side with login-attempt limits, geo-IP matching, and multi-factor authentication.
The important point is that with an 8-character password, the part of security the user controls is at its minimum, and everything else is left to the service.
Attackers know these published minimums, and many users choose exactly the minimum length, so those lengths are tried first. Never use a service's minimum length, whatever the cost.
Writing down passwords as notes
My mother used to do this a lot. Whenever a new password was introduced, she would make sure to write it down in the small notebook she carried everywhere.
Passwords should never be written down anywhere, neither on paper nor in a notepad file on a computer.
Anyone who steals the notebook, or simply photographs a page, has your entire set of passwords in seconds.
How long is long enough for a password to be secure?
Length is the single most important factor in password strength.
So how long does a password need to be to count as secure?
As mentioned earlier, with modern hardware an 8-character password can be brute-forced in about 2.5 hours. Adding a single character raises that to about a week for 9 characters, and going to 10 characters pushes it to around 4 months. These figures assume a particular hash algorithm and guessing rate; what drives the growth is that every extra character multiplies the search space by the size of the character set.
In 2010 a Georgia Tech Research Institute study concluded that a minimum of 12 characters was sufficient to defeat the password cracking of the day: at 12 characters, brute force was estimated at 200 years. Cracking hardware has only become faster since, so today's times are shorter than those estimates.
Keep every password at least 10 characters long, and make it as long as you can.
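The arithmetic behind these time estimates is worth seeing in code, because it shows both why each extra character helps so much and why the quoted hours and months depend entirely on the attacker's guessing rate. This is an added example, not from the original article; the two guess rates in GUESS_RATES are illustrative assumptions, not measurements.

```python
"""Brute-force search-space arithmetic behind the time-to-crack figures.

Added example, not the article's own code. GUESS_RATES are assumed
illustrative values for an offline attack, not measured numbers.
"""
import math

PRINTABLE_ASCII = 95  # letters, digits and symbols on a US keyboard

# Assumed guess rates (guesses per second) for this example: a fast unsalted
# hash on a GPU rig versus a deliberately slow password hash such as bcrypt.
GUESS_RATES = {"fast unsalted hash, GPU rig": 1e12,
               "bcrypt, same hardware": 1e5}


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly this length."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """log2 of the keyspace: bits of work for an exhaustive search."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst case for the attacker: the whole keyspace at the given rate.
    On average a password is found after half of this."""
    return keyspace(charset_size, length) / guesses_per_second


def rate_needed(charset_size: int, length: int, seconds: float) -> float:
    """Guess rate an attacker needs to exhaust the keyspace in `seconds`.
    Useful for sanity-checking a claim such as '8 characters in 2.5 hours'."""
    return keyspace(charset_size, length) / seconds


def human_duration(seconds: float) -> str:
    """Render seconds as the largest sensible unit, e.g. '2.5 hours'."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


if __name__ == "__main__":
    # Each extra printable-ASCII character multiplies the work by 95.
    for length in (8, 9, 10, 12):
        bits = entropy_bits(PRINTABLE_ASCII, length)
        row = [f"{length:2d} chars ({bits:5.1f} bits)"]
        for label, rate in GUESS_RATES.items():
            row.append(f"{label}: {human_duration(seconds_to_exhaust(PRINTABLE_ASCII, length, rate))}")
        print(" | ".join(row))
    # What rate does '8 characters in 2.5 hours' imply?
    print(f"implied rate: {rate_needed(PRINTABLE_ASCII, 8, 2.5 * 3600):.2e} guesses/s")
```

Plugging the article's "8 characters in 2.5 hours" into rate_needed gives roughly 7 × 10^11 guesses per second, which is the territory of a fast, unsalted hash on GPU hardware; the same password behind a slow password hash would take orders of magnitude longer, which is why the time figures quoted in guides like this one only make sense with the hash algorithm stated.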
Strategies for a globally uncommon password
A globally uncommon password is one that no other account anywhere uses, including your own other accounts.
Things to consider when creating one:
- Never use phrases even partially related to the top common password list.
- Do not reuse a familiar phrase or number.
- Avoid including service name (e.g. Facebook123).
Use a Diceware passphrase to maximize password security with little effort
The Diceware passphrase method is one of the most secure ways to generate a strong yet memorable password.
This is how the process works.
1. Prepare five dice, a word list, a pencil, and paper.
2. Roll all five dice and write down the word that matches the resulting five-digit number in the word list.
e.g. If you roll a [4, 3, 1, 4, 3], write down the word "multi" based on the following word list.
... 43143 multi 43144 mum 43145 mummy 43146 munch ...
3. Repeat step 2 until you have five words. Make sure the total number of characters written down adds up to 10 or more (e.g. multi ski lamb wrap butt).
4. Capitalize the first letter of each word and stitch them up to one phrase.
The result would look like MultiSkiLambWrapButt.
This password is 20 characters long, so brute-forcing it character by character is hopeless. Even an attacker who knows the Diceware method and the word list still faces 7776^5, roughly 2.8 × 10^19, possible five-word phrases (about 64.6 bits of entropy); that is what actually makes the passphrase strong. The fixed capitalization pattern adds nothing, so do not count on it.
What makes this method so useful is not only the security but the usability. Compare the 20-character random string "tZ4kF0T9LXzIvFycBfIA", which is at least as strong (stronger, in fact, since each of its 20 positions is drawn from 62 symbols). Memorizing, reading out, or typing it is far more painful.
A password built from a set of words is easier to remember, especially by attaching a story to it. One way to remember "MultiSkiLambWrapButt" is to picture several lambs skiing with their butts wrapped. The weirder it sounds, the better it sticks 🙂
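The five-step procedure above, as an added example written for this article (not the original post's code). SAMPLE_WORDLIST is a constructed fragment: only the entry 43143 = multi comes from the article's excerpt, and the roll numbers given for ski, lamb, wrap and butt are chosen for this example, not taken from a real list. A real Diceware list has 6^5 = 7776 entries, one per possible roll, and generate_passphrase refuses to run without one.

```python
"""Diceware passphrase generation following the article's five steps.

Added example, not the article's own code. SAMPLE_WORDLIST is a constructed
fragment (only 43143 = multi is from the article); roll numbers for the other
words are invented for this example.
"""
import math
import secrets
from typing import Dict, Iterable, List

DICEWARE_LIST_SIZE = 6 ** 5  # 7776 five-dice outcomes

SAMPLE_WORDLIST: Dict[str, str] = {
    "43143": "multi", "43144": "mum", "43145": "mummy", "43146": "munch",  # article excerpt
    "11111": "ski", "22222": "lamb", "33333": "wrap", "44444": "butt",    # constructed positions
}


def roll_five_dice() -> str:
    """Step 2: five dice rolls as a lookup key such as '43143'.
    secrets, not random, because the rolls must be unpredictable."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def lookup(wordlist: Dict[str, str], roll: str) -> str:
    """Cross-reference a roll against the word list."""
    if roll not in wordlist:
        raise KeyError(f"roll {roll} is not in the word list")
    return wordlist[roll]


def words_from_rolls(wordlist: Dict[str, str], rolls: Iterable[str]) -> List[str]:
    """Replay a set of written-down rolls (steps 2 and 3)."""
    return [lookup(wordlist, r) for r in rolls]


def build_passphrase(words: Iterable[str]) -> str:
    """Step 4: capitalize each word and stitch them into one phrase."""
    return "".join(w.capitalize() for w in words)


def generate_passphrase(wordlist: Dict[str, str], n_words: int = 5, min_chars: int = 10) -> str:
    """Steps 1 to 4 end to end. Requires a complete list so every roll maps
    to a word; rejecting phrases shorter than min_chars (step 3) discards a
    negligible fraction of the outcomes."""
    if len(wordlist) != DICEWARE_LIST_SIZE:
        raise ValueError("a complete 7776-entry Diceware list is required")
    while True:
        words = [lookup(wordlist, roll_five_dice()) for _ in range(n_words)]
        if sum(len(w) for w in words) >= min_chars:
            return build_passphrase(words)


def entropy_bits(n_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Strength comes from the number of word choices, not the letter count."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    # Reproduce the article's example from recorded rolls (constructed rolls).
    rolls = ["43143", "11111", "22222", "33333", "44444"]
    words = words_from_rolls(SAMPLE_WORDLIST, rolls)
    phrase = build_passphrase(words)
    print(phrase, len(phrase), "characters")
    print(f"{entropy_bits(len(words)):.1f} bits with a full 7776-word list")
    print("fresh roll:", roll_five_dice())
```

entropy_bits reports about 64.6 bits for five words, independent of how long the words happen to be; adding a sixth word is worth another 12.9 bits, which is the right lever if a particular account deserves more.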
Using a Password Manager to Organize All Passwords
If you are not familiar with password managers, today is the day to start using one. A password manager is loaded with features that let you offload the whole chore of keeping track of passwords while improving your overall security.
A password manager lets you organize every account's sensitive data behind one extremely strong master password. What makes it secure is that the stored data is encrypted with a key derived from the master password through a deliberately slow, salted key-derivation function (such as PBKDF2 or Argon2), so without the master password the vault cannot be decrypted. This is different from the salted hashing a website uses to store your password on its side: the manager needs a key it can recover, the website only needs to verify a guess.
Most password managers will generate a strong random password for you and fill in the username and password in a browser, application, or console with a simple shortcut. Relying on the manager makes it comfortable to follow these standards without having to memorize anything.
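To make the master-password mechanism concrete, here is an added example, written for this article and not taken from any real password manager, of deriving a vault key from a master password with a salted, slow KDF and checking the master password without ever storing it. It uses PBKDF2-HMAC-SHA256 from the standard library; the iteration count is an assumed value for this example, and the final step real products take, encrypting the vault with an authenticated cipher under this key, is left out.

```python
"""Master password -> vault key, the way a password manager does it.

Added example, not code from any real product. Uses PBKDF2-HMAC-SHA256 from
the standard library; KDF_ITERATIONS is an assumed work factor for this
example. Encrypting the vault with the derived key (AES-GCM or similar in
real products) is out of scope here.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

KDF_ITERATIONS = 600_000  # assumed work factor; slows every guess, the attacker's included
KEY_LEN = 32              # 256-bit vault key
VERIFIER_LABEL = b"vault-verifier"


def derive_vault_key(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Slow, salted derivation: same password and salt always give the same key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def create_vault_header(master_password: str, iterations: int = KDF_ITERATIONS) -> Dict[str, object]:
    """What the manager stores on disk: the salt, the work factor and a verifier.
    The verifier is an HMAC under the derived key, so it leaks nothing about
    the key or the password but lets the app distinguish a wrong master
    password from a corrupted vault. The key itself is never written down."""
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt, iterations)
    verifier = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def unlock(master_password: str, header: Dict[str, object]) -> Optional[bytes]:
    """Re-derive the key and check it against the verifier in constant time.
    Returns the vault key on success, None on a wrong master password."""
    key = derive_vault_key(master_password, header["salt"], header["iterations"])
    expected = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    if hmac.compare_digest(expected, header["verifier"]):
        return key
    return None


if __name__ == "__main__":
    # Constructed sample master password.
    header = create_vault_header("MultiSkiLambWrapButt")
    print("salt:", header["salt"].hex())
    print("correct password ->", unlock("MultiSkiLambWrapButt", header).hex())
    print("wrong password   ->", unlock("MultiSkiLambWrapButts", header))
```

Two details carry the security here: the random per-vault salt means an attacker cannot precompute keys for common master passwords across many vaults, and the iteration count means each guess against a stolen vault file costs the attacker the same slow derivation it costs you at unlock time.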
Power of Two-Factor Authentication
Beyond all the password techniques the user can apply, a very powerful additional layer is available by turning on the two-factor authentication (2FA) offered by the service.
2FA adds a second step between the user and the service to confirm the login after the username and password have been accepted. There are broadly two delivery channels: a personal contact address and an authorized application.
Personal contact means the user's phone number or email address. The service sends a short-lived code there, and the user enters it to confirm.
This is not the preferred option: anyone with access to the phone or mailbox can read the code, phone numbers can be hijacked through SIM swapping, and it is better to avoid handing a service your contact details when you can.
With an authorized application, the service is first paired with an authenticator app on a portable device. At login the service requires either the time-based code shown in the app or a tap on a push-notification prompt.
If a service offers 2FA, always enable it for that extra layer of security.
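The codes an authenticator app displays are time-based one-time passwords (TOTP, RFC 6238, built on HOTP from RFC 4226). The following added example, not code from the article or from any particular service, shows both sides: the app computing a code from the shared secret, and the service verifying it with a small clock-skew window and replay protection. TEST_SECRET is the published RFC 6238 test-vector secret, not a real one.

```python
"""TOTP (RFC 6238) as used by authenticator apps: both the app and the service side.

Added example, not from the article or any specific service. TEST_SECRET is the
RFC 6238 test-vector secret, included only so the results can be checked.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional, Set

TEST_SECRET = b"12345678901234567890"  # ASCII secret from the RFC 6238 test vectors
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: Optional[float] = None) -> str:
    """App side: HOTP over the current 30-second time step."""
    now = time.time() if at_time is None else at_time
    return hotp(secret, int(now) // STEP_SECONDS)


def verify_totp(secret: bytes, submitted: str, at_time: Optional[float] = None,
                skew_steps: int = 1, accepted_counters: Optional[Set[int]] = None) -> bool:
    """Service side: accept the current step plus/minus skew_steps neighbours to
    tolerate clock drift, compare in constant time, and (if a set is supplied)
    refuse a code whose time step was already used, so a phished or shoulder-
    surfed code cannot be replayed within its window."""
    now = time.time() if at_time is None else at_time
    base = int(now) // STEP_SECONDS
    for delta in range(-skew_steps, skew_steps + 1):
        counter = base + delta
        if accepted_counters is not None and counter in accepted_counters:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            if accepted_counters is not None:
                accepted_counters.add(counter)
            return True
    return False


if __name__ == "__main__":
    code = totp(TEST_SECRET)
    print("app shows:", code)
    seen: Set[int] = set()
    print("first use accepted:", verify_totp(TEST_SECRET, code, accepted_counters=seen))
    print("replay accepted:   ", verify_totp(TEST_SECRET, code, accepted_counters=seen))
```

This is why the article prefers the app over SMS: nothing travels over a phone network, only a secret shared once at pairing time and the clock. It also shows the app's limit: a code is only as secret as the device that holds the shared secret, and a code typed into a phishing page is still usable by the attacker until its 30-second window plus skew passes.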
Summary of Password Security Guidance
The key takeaways: use a globally uncommon password of at least 10 characters for every account, keep them all in a password manager, always enable 2FA where it is available, and do not answer password recovery questions honestly. Keep your passwords safe 🙂