Passwords are a necessity of the electronic information age, and most people understand the need for them: to keep other people from accessing your account(s) and information they do not need access to. That makes passwords the first step in information security that most people are exposed to. This article lists 6 recommended security practices for using passwords.
Use a passphrase instead of a password
Passwords and passphrases serve the same purpose – authenticating that you are who you say you are. Passwords are usually short, difficult to remember, and easier to crack. Passphrases can be easier to remember, are generally longer, and are harder to crack.
Not all systems allow passphrases, because some impose short limits on password length (such as 6-8 characters). If the system allows long passwords, use a passphrase.
When choosing a passphrase, don’t use any example found online or in books, phrases from common everyday speech, song lyrics, or lines from a movie or book. Choose a phrase that has meaning to you and, if possible, one that is a series of random words.
Use a combination of letters (upper- and lower-case), numbers, and symbols
Complexity is important. There are 26 letters in the English alphabet; a computer can generate every possible combination of a 6-character word using only lower-case letters rather quickly. Adding upper-case letters, numbers and symbols greatly increases the range of possible values for each character, which increases the time it takes a computer to go through every possible combination.
The longer the better
Complexity is important, but length is even more so. If your system allows long passwords, use as long a password as possible. Every character added to your password makes it an order of magnitude more difficult to crack.
A sophisticated server or desktop can go through roughly 100 billion values in 1 second when cracking passwords. Cloud-based massive multiprocessing clusters can go through 100 trillion values in less than a thousandth of a second.
A 6-character password using letters, numbers, and 1 symbol can be cracked in less than one and a half minutes using a server, or in 0.075 seconds with cloud-based services. A 10-character password of the same complexity can be cracked in 54 years using a server, or in less than 3 weeks using a cloud-based service.
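The keyspace arithmetic behind the length-versus-complexity point above (and behind the random-word passphrase advice earlier) can be worked through directly. The following is an added example, not code from the article; it assumes a worst-case exhaustive search, the two guess rates the article quotes, Python's 32 printable ASCII symbols as the symbol set, and a 7776-word list for random-word passphrases.

```python
# Added example: keyspace size and worst-case exhaustive-search time for a password policy.
# Assumptions (not from the article): every value is tried once (worst case), the guess rates
# are the two figures the article quotes, symbols = string.punctuation (32 characters).
import math
import string

SERVER_GUESSES_PER_SEC = 100_000_000_000            # ~100 billion/s (article's server figure)
CLOUD_GUESSES_PER_SEC = 100_000_000_000_000_000     # 100 trillion per 0.001 s (article's cloud figure)
DICEWARE_WORDS = 7776                               # 6**5 words in a diceware-style list (assumed)


def charset_size(lower=True, upper=False, digits=False, symbols=False):
    """Number of distinct characters each position of the password can take."""
    size = 0
    if lower:
        size += len(string.ascii_lowercase)   # 26
    if upper:
        size += len(string.ascii_uppercase)   # 26
    if digits:
        size += len(string.digits)            # 10
    if symbols:
        size += len(string.punctuation)       # 32
    return size


def keyspace(alphabet, length):
    """Every possible string of exactly `length` characters drawn from `alphabet` symbols."""
    return alphabet ** length


def passphrase_keyspace(words, wordlist_size=DICEWARE_WORDS):
    """Keyspace of `words` random words drawn independently from a list of `wordlist_size`."""
    return wordlist_size ** words


def entropy_bits(alphabet, length):
    """Strength in bits: each added character adds log2(alphabet) bits."""
    return length * math.log2(alphabet)


def seconds_to_exhaust(space, rate):
    """Worst-case time to try every value in `space` at `rate` guesses per second."""
    return space / rate


def human_time(seconds):
    """Render a duration in the largest unit that fits (years down to seconds)."""
    for name, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"
```

Comparing `keyspace(26, 10)` with `keyspace(94, 6)` shows that four extra lower-case characters outweigh the full symbol set, which is the article's "longer is better" claim in numbers.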
Don’t use the same password on multiple systems
Data breaches happen: no system is 100% secure. If you use the same password on multiple systems and that password is exposed in a breach, the attacker can use the same password on other systems (especially if you also use the same username).
Use discretion with sites that do not contain your personal information (address, phone number, SSN, etc.) if you choose to reuse a password there. NEVER use the password for your email account anywhere else. If a site that holds your email address is breached, attackers will try to access your email with that password. The attacker can then read your emails, change settings/preferences, send emails as you, or lock you out of the account.
Consider a password manager
Password managers store information about an account: the username and password associated with it, and any additional information you want to provide (such as answers to security questions). These applications (usually) encrypt the information you store in them, requiring a master password to access it. If you forget the master password, you lose access to everything stored in the application.
If you have dozens of accounts, using a different complex password for each is very difficult. Password managers provide the convenience of having to remember only one password – the master password.
Password managers installed on your device (desktop/laptop/phone) are generally preferable to cloud-based versions.
Avoid using browser-based password managers
Most web browsers come with a built-in password manager. These managers can be protected with a master password, and the browser will prompt you for that password once per session. A session ends when you close the browser.
Most people who use browser-based password managers do not set a master password, meaning anyone with physical access to your computer can log in to any of your accounts saved in the password manager.