Proper password security practice is incredibly important – your web services and servers will never be secure if you use weak passwords or ignore best advice around password strength. Poor password security policy can be a single point of failure that brings down your entire system or even network.
So, here is a comprehensive list of the most important tips you need to follow when setting and managing passwords in 2020.
Password security practices
You’ll find plenty of resources that give you good tips for password standards, but we think the National Institute of Standards and Technology (NIST) has a relatively watertight list of do’s and don’ts.
NIST is, of course, a US agency whose specific goal is to push industrial competitiveness and innovation by advancing science, technology and standards. It’s easy to see why NIST would publish a well-considered list of password best practices, given that it aims to enhance economic security.
We summarize the most important parts of the NIST’s password advice below. It varies from obvious rules such as uniqueness requirements through to password complexity requirements. It’s a solid basis on which to build a password security policy.
Things you should get right about password standards
Here are the rules you should always adhere to when creating passwords.
- When a password is created by a person, use at least eight characters – and keep in mind that the more characters you use, the less likely it is that your password will be hacked. So, at least eight characters – but try to go for sixteen or more if you can.
- System-generated passwords should be at least six characters – wherever you have a service or system that facilitates the creation of new users, you need to ensure the passwords it supplies are at least six characters in length. Forums or e-commerce sites should assign users passwords of at least six characters.
- Support long passwords for password strength, up to 64 characters – allow your users to input very long passwords; we suggest an allowed length of 64 characters, as unique passwords of this length will be incredibly secure.
- Use the entire ASCII set for passwords – lowercase, uppercase, numerals and symbols should all be mixed into your password. Think JkLL8#!n to make up an eight-character password. Why does using all ASCII characters matter? Simple – a wider set of characters increases password entropy, in other words how difficult it is to guess a password. Password entropy increases when passwords are longer, and when passwords use a greater mix of characters such as uppercase letters, numerals and special characters.
- Make sure your password standard is set to enforce uniqueness – don’t re-use passwords across services; instead use a different password for MySQL, FTP, cPanel and – importantly! – your social media and bank accounts. Uniqueness requirements prevent hackers from using a stolen password to access other accounts.
- Check your password is not in a password dictionary – you can use software packages or tools that check that your password is not contained in existing password lists; always do this check before using a password.
- Use a password manager – complex passwords are more secure but they are difficult to remember. However, a password manager is a great way to store and access complex passwords.
- Randomly generate your passwords – a randomly generated password is unlikely to be in a password dictionary and will be difficult to guess. You have plenty of options to randomly generate a password, think org or even Norton’s website.
- Allow plenty of attempts at a password before you lock a user out, at least ten – with a password security policy it’s important to strike a balance between the number of times a user can try a password and the point at which they’re locked out. When choosing this balance you should consider the risk involved if the account is compromised, but keep in mind that locking users out can be frustrating. Still, to prevent a successful brute force attack, you must lock a user out at some point.
- Use two-factor authentication (2FA) whenever you can – there is an almost unlimited number of ways in which passwords can be hacked. However, with 2FA, even if a password is hacked, a hacker cannot enter an account without the second authentication factor. This could be biometric data, a key fob or something like Google’s Authenticator.
What are the big “no’s” with passwords?
Good practice is one point to address; bad practice needs addressing too. We want to highlight a number of practices you should steer clear of:
- Never use a dictionary word – any word which can be found in a dictionary should never be used, nor should a combination of dictionary words like clevercat or safeashouses.
- Frequently change your password – in case your password ends up getting stolen, changing it will mean it can’t be used to compromise an account.
- Don’t use passwords that reflect the name of people or places you know – hackers might research you and find out who and what matters to you, using these names to try and guess a password. Also be careful of using very slight variations on these names – for example, if your mother is Johannah don’t assume that J0hannah will be secure.
- Never use the same password twice – use a unique password for every service, and don’t swap backwards and forwards between old and new passwords if a service demands that you input a brand-new password.
- Forget about using a string based on letters adjacent on your keyboard – you can be sure that any set of letters adjacent on a keyboard will be in a password dictionary. Whether it is qwertyui or mnbvcxzl – forget about it.
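As an added example (not from the article or from NIST), here is a small Python policy checker that applies the rules from both lists above: the eight- and six-character minimums, the 64-character ceiling, a breached-list lookup (the list is a constructed stand-in for a real dictionary), the keyboard-adjacent-run check, the entropy estimate length × log2(alphabet size) behind the “use the entire ASCII set” advice, and a generator that draws from the CSPRNG.

```python
import math
import secrets
import string

# Constructed stand-in for a breached-password dictionary; a real deployment
# would load a published list (or query a k-anonymity API) instead.
BREACHED = {"password", "qwertyui", "theoneandonly77", "champion88"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_USER_LEN, MIN_SYSTEM_LEN, MAX_LEN = 8, 6, 64  # limits from the lists above

# (character class test, class size): lowercase, uppercase, digits, symbols
CLASSES = ((str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
           (lambda c: c in string.punctuation, len(string.punctuation)))

def charset_size(pw: str) -> int:
    """Size of the ASCII alphabet implied by the character classes present."""
    return sum(n for test, n in CLASSES if any(test(c) for c in pw))

def entropy_bits(pw: str) -> float:
    """Upper bound on entropy: length * log2(alphabet size) for a random pick."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0

def has_keyboard_run(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` adjacent keys from one keyboard row, either direction."""
    low = pw.lower()
    return any(seq[i:i + run] in low
               for row in KEYBOARD_ROWS for seq in (row, row[::-1])
               for i in range(len(seq) - run + 1))

def check_password(pw: str, system_generated: bool = False) -> list:
    """Return the policy violations for pw; an empty list means it passes."""
    min_len = MIN_SYSTEM_LEN if system_generated else MIN_USER_LEN
    problems = []
    if len(pw) < min_len:
        problems.append("too short")
    if len(pw) > MAX_LEN:
        problems.append("too long")
    if pw.lower() in BREACHED:
        problems.append("in breached-password list")
    if has_keyboard_run(pw):
        problems.append("keyboard-adjacent run")
    return problems

def generate_password(length: int = 16) -> str:
    """Random password over the full printable ASCII set, from the CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

The entropy figure is an upper bound that assumes each character was chosen uniformly at random; a human-chosen password with the same character classes is weaker than the number suggests.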
Some examples of good and bad passwords
We’ve listed the key password security policy practices you should follow. What does it mean in reality? Well, examples of passwords you should NOT use include:
- theoneandonly77
- sunnycountry12
- champion88
If you want a secure password, you want to use something like this, but don’t use these (!) – go to a random password generator instead:
- QcSCTC#zrKk47PRU
- ZY!RAdsmXvNrkvYd
- RzmST5@LysRKMRqx
The above examples will meet the password complexity requirements of even the most stringent of security policies.
Passphrases can be a great compromise
Know how we said you should use a long complex password? You’ll also know how difficult those are to remember every day. A passphrase can be a good option. It could be based on a movie you know, a joke you like or anything else.
Think about a movie phrase, like Arnold’s “Hasta la vista, baby.” As a password this could easily be written as hastalavistababy, which can be made more complex by changing it to an equally easy to remember h@sta1av!st@baby. It’s secure and you can remember it, but try to think of a passphrase that is unique to you, to ensure there is absolutely no chance it’ll be caught in a password dictionary.
In any case, our example will take up to 85 billion years to guess by a computer, according to a popular password security checker.
It’s easy to make our example passphrase even more secure – just add a few interesting bits to it. For example, turn it into 8m@!!h@sta1av!st@baby if you’re using gmail, and you’ll find password security goes up. That’ll take 128 undecillion years to solve!
What can you do to remember passwords?
Even if you use passphrases you still need to use unique passwords for critical services. Remembering these will be difficult – heck, remembering your passphrase can prove tricky. What’s the best way to fix this problem? A password manager.
Password managers come with other benefits too, including the ability to automatically log in to a website, instead of retrieving or typing a password every single time. However, remember to set up a strong gateway passphrase for your password manager, otherwise all your passwords could be compromised.
Which password manager should you choose? We can’t endorse any specific password manager, but some of the more popular options include Keeper and LastPass.
Multi-factor authentication
Multi-factor authentication, including 2FA, which uses two factors, can draw on a number of aspects. Each of these aspects, or factors, contributes to password security. Qualifying factors would include the following:
- A piece of information that only you know – think a password, or indeed a passphrase
- Something that is possessed by you, and you only. This could be a key fob or code generator or even employee ID
- Data unique to you as a person, for example a retina imprint, a fingerprint or your face
- Your location as determined by a GPS or according to your network access point
So, as you can see, multi-factor authentication has plenty of factors that it can depend on. A unique aspect such as a fingerprint or your GPS location can add a huge amount of security on top of a password or passphrase.
3 Comments
Thanks, not very helpful.
Actually, the above is very useful, lots of good practice.
This is misleading information. The entire 8-character key space can be cracked in a matter of hours given a decent password cracking rig. I believe the entire 12-character key-space has also been cracked.
“System generated password standards should be at least six characters” – This has to be a joke. System-generated passwords can only be this short if they are OTPs (one-time-passes) and can never be recycled. Service account passwords need to be 25+ characters to take into account the progress of technology.
For user accounts, we need to focus on 14+ character passphrases, otherwise we are just wasting our time.