The more things change... Well, that’s really it. Security is constantly evolving to deter threats in the best way possible. Password policies have changed over the years. Remember when it was good enough to at least have a password? Then the advice evolved: add a number, like a 5 instead of an S; add a special character, like @ for an A; use a passphrase rather than a single word; and change it often. Some of those recommendations still hold true, but with a little modernization.
I wrote a blog post in 2015 showing how Passwords Are Like Underwear, and it’s nice to know that, for the most part, that recommendation has stood the test of time. You still shouldn’t leave them out where people can see them, share them, or loan them out, but current best practice is that you don’t have to change them regularly (the passwords, not your underwear).
Some numbers to think about
In the fall of 2021, Microsoft released data on password cracking attempts, in which attackers tried well-known or easily guessed passwords. In some of the attempts they included a special character in order to reach more secure accounts. A little more than a third contained a number, and none included a space (did you know a password can usually contain a space? It depends on the system, though, so go ahead and try it next time). So, for the most part, these attempts are going after the low-hanging fruit. Let that be someone else.
Current best practices
Armed with the information above, what are some current thoughts on password protection and phrases?
Make them long. No, longer than that. Microsoft’s data analysis showed that the largest share of passwords the crackers attempted were only 6 characters long. The percentages dropped as the attempted passwords got longer, so if you create a password or passphrase of 12 or more characters, the chance it will be cracked is very small.
Create passwords of 15-20 characters or more when using a password manager.
Remove the requirement for frequent password changes, but still require a change if evidence of a compromise is found.
Do not force complexity. The thinking here is that forced complexity makes it more likely you will store passwords insecurely, hence potential lockouts. Personally, I think keeping numbers and uppercase is fine if you remember them.
Password/passphrase what’s the difference?
A long password is hard to remember, so it’s easier to resort to writing it down. A passphrase makes sense to you and is more likely to be remembered if you’re not using a password manager.
- 15 character strong password: d_j;h85SB#Jx,R*
- 22 character strong passphrase: hombre64loki12Sketched
Which one do you think you are more likely to remember, and which one will you have written on a sticky note or in a text document on your phone?
Things to avoid
The lists the bad guys are using will always evolve. Here is what not to use:
- Dates like birthdays or anniversaries
- Phone numbers
- Same password for everything/multiple systems
- “Keyboard sliding”, or going from top to bottom on the keys: 1qaz2wsx3edc
Passwords and phrases are more important than ever, and you must do the best you can to make them harder to compromise.
Make them long to be strong, make them different, don’t share them, and use a password manager. They may not be like underwear anymore, but your mom will still be happy when you follow these new recommended practices.
Is your business struggling to train employees with best practices for password protection? Reach out to CoreTech today! We’ll train staff and help you implement a password manager for your business.