Foundations: What makes a good password?

(Photo by Sergey Zolkin on Unsplash)

Objectives

Examine what attributes good passwords share by looking at how passwords are compromised. Mitigate the threats posed by each method of compromise.

Executive Summary

For anyone who came here looking for a one-word answer, this is it: length. There is a saying about passwords: length is strength. If you only take away one thing from this post, remember that a long password is a strong password. However, if you can remember two things, the other critical attribute of a good password is that it must be unique.

For people with more patience, we will examine why password length and uniqueness are so important, and why some password requirements are using outdated ideas.

Password management is hard. If you struggle to come up with passwords that are easy to remember, hard to guess, and meet complexity requirements, you are not alone. How can you create and keep track of good passwords, while not reusing them anywhere? You are going to need some help from a password manager for that.

How are passwords compromised?

To help understand how to make a good password, we need to look at how passwords are compromised in the real world. Here are the common ways that bad actors can steal your passwords.

Technique #1: Exploiting the contents of a hacked database

This is especially problematic if you reuse passwords. In this scenario, your password and email address are stolen from some server somewhere. A bad actor then assumes your password might be the same somewhere else, and tries to find other online resources where you log in with that email address.

Sidebar: Special danger
If a bad actor happens to get your email password this way and gains access to your email account, they can then start resetting your passwords for every service you use, while simultaneously locking you out!

Further, if the cybercriminals who crack the database do not want to directly exploit the contents, they will put it up for sale on the black market. By the time you learn that your credentials have been compromised, the database may have already been sold several times.

Mitigation

Use unique passwords. Everywhere. This will not prevent the theft of your credentials, but will limit the extent of the damage when they are compromised in this way.

Technique #2: Phishing

In this scenario, attackers trick you into revealing your password. Most commonly, you receive a link that, if clicked, directs you to a website that looks like a legitimate place to enter your password. In fact, though, the website is a forgery designed to collect your current password. Attackers may also phish you to gain access to your computer and install software that records your keystrokes. Or maybe they just plain want to steal anything that is stored in unencrypted files.

If a password is stolen in this way, it does not matter how long or complex it is, because you have given it away. The best you can do is hope to limit the damage.

Mitigations
  1. Use unique passwords.
  2. Use a standard account for your day-to-day computing so that software cannot be installed without your consent. This is a huge discussion best left for another blog post.
  3. Use multi-factor authentication*.

Technique #3: Guessing your password because it is common

Avoid passwords on lists of common passwords.

Here are some examples: https://cybernews.com/best-password-managers/most-common-passwords/

Mitigation

Use random passphrases, such as those generated by a diceware generator, e.g.,

https://www.rempe.us/diceware/#eff

Passphrases are composed of real words, but the words are randomly generated so that you do not have to ask your brain to come up with a series of unrelated words, which brains are not very good at.
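The following is an added example (not code from the original post or from the linked diceware generator) showing what a diceware-style generator does under the hood: five dice rolls index into a list of 6^5 = 7776 words, and a cryptographically secure random source stands in for the physical dice. The 24-word list embedded here is constructed for illustration only; a real list such as the EFF list the linked generator uses has all 7776 entries.

```python
import secrets

# Constructed stand-in for a diceware word list. A real list has 7776 words,
# one for every possible roll of five six-sided dice.
WORDLIST = [
    "apple", "bridge", "camera", "desert", "engine", "forest",
    "garden", "harbor", "island", "jacket", "kettle", "ladder",
    "marble", "needle", "orange", "pencil", "quartz", "rabbit",
    "saddle", "timber", "umpire", "violin", "walnut", "yellow",
]

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD  # 7776


def roll_dice(n_dice: int = DICE_PER_WORD) -> str:
    """Simulate n_dice physical dice with the OS CSPRNG; returns e.g. '31462'.

    secrets.randbelow() is used rather than random.randint() because the
    whole point of the exercise is unpredictability.
    """
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n_dice))


def dice_key_to_index(key: str) -> int:
    """Map a dice key like '11111'..'66666' onto list positions 0..7775.

    This is how a printed diceware list is read: the key is a base-6 number
    whose digits run 1..6 instead of 0..5.
    """
    if len(key) != DICE_PER_WORD or any(c not in "123456" for c in key):
        raise ValueError(f"not a {DICE_PER_WORD}-dice key: {key!r}")
    index = 0
    for digit in key:
        index = index * 6 + (int(digit) - 1)
    return index


def generate_passphrase(n_words: int = 6, wordlist=WORDLIST, sep: str = " ") -> str:
    """Pick n_words uniformly at random from wordlist.

    With a full 7776-word list each word would be chosen via roll_dice() and
    dice_key_to_index(); with the short constructed list above we let
    secrets.choice() do the equivalent uniform selection directly.
    """
    if n_words < 1:
        raise ValueError("a passphrase needs at least one word")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def is_valid_passphrase(phrase: str, wordlist=WORDLIST, n_words: int = 6,
                        sep: str = " ") -> bool:
    """Check that a phrase is exactly n_words words, all from the list."""
    parts = phrase.split(sep)
    return len(parts) == n_words and all(w in wordlist for w in parts)


if __name__ == "__main__":
    print("dice:", roll_dice(), "->", "index", dice_key_to_index(roll_dice()))
    print("passphrase:", generate_passphrase())
```

The part that matters is that the selection comes from a uniform random source, never from a human picking "unrelated" words: people gravitate to the same few thousand words and to words that relate to one another, which is exactly what the random draw removes.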

Technique #4: Brute force

Short passwords that are not on a common password list can still be cracked by a computer in short order, no matter how many random characters you throw in. While the occasional capital letter or exclamation mark might slow down a brute force attempt, if your password is only six characters long, the difference will be milliseconds.

Mitigation

Use a long, random password.

Sidebar: Websites behaving badly
One real-world challenge with long passwords is when websites do not check password length when you create your password. In this scenario, you can end up not knowing your own password because you entered, for example, 32 characters, but the website only recorded the first 20 of them.
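The sidebar's failure mode is easy to reproduce and easy to avoid server-side. Below is an added example (not code from the original post) contrasting a user store that silently keeps only the first 20 characters with one that enforces an explicit ceiling and otherwise hashes the full password. The store classes, the 20-character cut-off and the 128-character limit are constructed for the illustration; the hashing uses the standard library's PBKDF2.

```python
import hashlib
import hmac
import os

SILENT_TRUNCATE_AT = 20   # the sidebar's scenario: the site kept only 20 chars
MAX_PASSWORD_LEN = 128    # hypothetical policy ceiling: reject, never truncate
PBKDF2_ROUNDS = 100_000   # kept modest so the example runs quickly


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 over the *whole* UTF-8 encoded password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class BadUserStore:
    """Models the misbehaving site: the input is cut to the column width
    before hashing, and the user is never told."""

    def __init__(self):
        self.records = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        stored = password[:SILENT_TRUNCATE_AT]          # silent data loss
        self.records[user] = (salt, _derive(stored, salt))

    def verify(self, user: str, password: str) -> bool:
        salt, digest = self.records[user]
        candidate = _derive(password[:SILENT_TRUNCATE_AT], salt)
        return hmac.compare_digest(digest, candidate)


class GoodUserStore:
    """Enforces an explicit, generous maximum and hashes every character."""

    def __init__(self):
        self.records = {}

    def register(self, user: str, password: str) -> None:
        if len(password) > MAX_PASSWORD_LEN:
            # Fail loudly so the user knows what was (not) accepted.
            raise ValueError(f"password longer than {MAX_PASSWORD_LEN} characters")
        salt = os.urandom(16)
        self.records[user] = (salt, _derive(password, salt))

    def verify(self, user: str, password: str) -> bool:
        salt, digest = self.records[user]
        return hmac.compare_digest(digest, _derive(password, salt))


def demo(password: str = "timber harbor quartz violin needle saddle"):
    """Register the same 40-ish character passphrase in both stores and show
    which one accepts a 20-character prefix of it."""
    bad, good = BadUserStore(), GoodUserStore()
    bad.register("alice", password)
    good.register("alice", password)
    prefix = password[:SILENT_TRUNCATE_AT]
    return {
        "bad_accepts_full": bad.verify("alice", password),
        "bad_accepts_prefix": bad.verify("alice", prefix),     # the bug
        "good_accepts_full": good.verify("alice", password),
        "good_accepts_prefix": good.verify("alice", prefix),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two practical checks follow from this: on the user side, after creating a long password, try signing in with only its first 20 or so characters; if that works, the site is truncating. On the developer side, be aware that some hashing schemes impose their own limit (bcrypt stops at 72 bytes, for instance), so the ceiling should be enforced explicitly in code rather than discovered by users.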

Technique #5: Password is known by someone who can no longer be trusted

Sharing passwords is a dangerous practice, but sometimes unavoidable.

If a password must be shared, carefully consider who should know it. No matter how good your relationship is now, remember that all working relationships end one way or another.

Mitigations
  • Do not share passwords except when necessary. Whenever possible, create a unique account for each person.
  • Disable access to online resources when an employee leaves.
  • Change shared passwords when an employee leaves.

Now that we have looked at the most common ways passwords are stolen, we can look at some of the hoops you are probably forced to jump through, even when it might not be necessary.

Questionable Practice: changing passwords

If you follow the recommendations above to mitigate the common ways passwords are compromised, for most scenarios, changing passwords on a schedule becomes unnecessary. If your password is unguessable, difficult to crack, unique, and known only by you, then there is no need to ever change it unless that specific password has been compromised.

Questionable Practice: password complexity

If it would take a fast computer more than a century to crack your password, does it really need an exclamation mark? Does adding a capital letter make your password that much more secure? Let’s ask xkcd. (Spoiler alert: the answer is “no”.)

https://xkcd.com/936/
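To put numbers on the brute-force discussion and the complexity question, here is an added example (not from the original post or from xkcd) that estimates the search space of a few password policies and the expected time to exhaust half of it. The guess rate of 10^11 per second is an assumed figure for an offline attack against a fast hash; the policies compared are constructed to mirror the post's claims.

```python
import math

GUESSES_PER_SECOND = 1e11            # assumed offline cracking rate
SECONDS_PER_YEAR = 365.25 * 24 * 3600
DICEWARE_LIST_SIZE = 7776            # 6**5 words in a standard diceware list

CHARSETS = {
    "lowercase": 26,
    "mixed case": 52,
    "mixed case + digits": 62,
    "all printable ASCII": 95,
}


def entropy_bits_chars(length: int, charset_size: int) -> float:
    """Bits of entropy for a uniformly random password of `length` characters."""
    return length * math.log2(charset_size)


def entropy_bits_words(n_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Bits of entropy for a passphrase of n_words drawn from list_size words."""
    return n_words * math.log2(list_size)


def expected_crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """On average an attacker finds the password after searching half the keyspace."""
    return (2 ** bits) / 2 / rate


def years(seconds: float) -> float:
    return seconds / SECONDS_PER_YEAR


def compare_policies(rate: float = GUESSES_PER_SECOND):
    """Return (policy, bits, expected years) for a set of constructed policies."""
    policies = [
        ("6 chars, all printable ASCII", entropy_bits_chars(6, CHARSETS["all printable ASCII"])),
        ("8 chars, mixed case + digits", entropy_bits_chars(8, CHARSETS["mixed case + digits"])),
        ("8 chars, all printable ASCII", entropy_bits_chars(8, CHARSETS["all printable ASCII"])),
        ("12 chars, lowercase only", entropy_bits_chars(12, CHARSETS["lowercase"])),
        ("16 chars, lowercase only", entropy_bits_chars(16, CHARSETS["lowercase"])),
        ("6 diceware words", entropy_bits_words(6)),
    ]
    return [(name, bits, years(expected_crack_seconds(bits, rate))) for name, bits in policies]


if __name__ == "__main__":
    for name, bits, yrs in compare_policies():
        print(f"{name:32s} {bits:6.1f} bits  ~{yrs:,.4g} years")
```

Run it and the pattern the post describes falls out of the arithmetic: the 6-character "complex" password lasts seconds, adding symbols to an 8-character password buys roughly the same as adding four lowercase letters, and a 16-character lowercase string or a 6-word passphrase pushes the expected time into the thousands of years at this guess rate. The estimate assumes the password really is uniformly random; a human-chosen password with predictable structure is far weaker than its length suggests, which is why the common-password list matters more than any character-class rule.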

Guideline: long, unique passwords

Everything you have read to this point is all to support this one conclusion. To have the lowest chance of your passwords being compromised, make them long, and make them unique. For passwords that you need to memorize, use a diceware generator to create a long phrase.

Guideline: remembering passwords

The average employee manages 191 passwords. If you follow all these guidelines, it is impossible to keep track of them all without some help. This is how people end up reusing passwords in the first place! What is the solution? Use a password manager.

There can be a steep learning curve with a password manager, but before long you might wonder how you ever lived without it. A password manager lets you create long and complex passwords without ever having to memorize them. It does the hard part for you. All you have to do is remember how to sign into your password manager.

Password manager pricing can range from free for personal use all the way up to $10+ USD per month. Generally the price goes up the more features you need.

Sidebar: * Multi-Factor Authentication
The complementary component of protecting your online accounts is to add more authentication factors (aside from your password) that uniquely identify you, but that will be a topic for another day.

Conclusion

Passwords are hard and criminals are coming up with increasingly sneaky ways to steal them. Best practices are to:

  • create a unique password for every login,
  • make the password long, and
  • don’t share it with anyone.

To manage all those passwords, you will probably need some help.

Next Steps

If you have more questions or need help adopting a password manager in your organization, please get in touch.

Sources

https://www.sentinelone.com/blog/7-ways-hackers-steal-your-passwords/

https://krebsonsecurity.com/2021/07/the-life-cycle-of-a-breached-database/

https://blog.lastpass.com/2017/11/lastpass-reveals-8-truths-about-passwords-in-the-new-password-expose/