The Last Word on Password
Ok. Maybe it's not the last word on passwords, but this article will at least get you thinking that your current passwords are probably not good enough and that you need to find a way to make them better.
The Office has a great scene on passwords. The power goes out because Michael had the space heater and the fan both on high and plugged into the same outlet. He was quick to fix the issue, but when the power went out the server restarted, and now anyone who needs to access the server needs to know the password. Jim informs everyone that without the server password they can't do any work. The entire office works together to "remember" the server password. Michael, the diligent boss that he is, suggests the universally accepted "password" as the password, but that doesn't work. Dwight suggests 000000 and that doesn't work. He wants to continue trying 000001, but Jim knows that password-busting approach will take too long. Pam asks if anyone remembers when the password was set up, and Michael says "like 8 years ago?". She thinks that maybe the password could have been a popular topic from 8 years ago, like "The Lord of the Rings" movie. Jim thinks they just have to remember the IT person who set it up, and Michael remembers them all by their appearance. Michael remembers that the password made him laugh when he heard it and that it offended Pam. That spurs Kevin, Jim and Dwight to arrive at the correct, albeit politically incorrect, password.
The Office is a very funny sitcom, but the scary thing is that most people in offices across the globe probably use passwords that are equally insecure.
Here is a great video on how to choose a password. Computerphile is a great resource for everything computer-related. I'll discuss some of the key points reviewed in this video to help us arrive at the closest thing to a "perfect" password we can find.
The concept of the perfect password is a complex one. I wish I could just say never use "password" as your password but it isn't that simple.
Here are some other password tips:
- Avoid easy-to-guess passwords (like "password")
- Avoid any variation of the word "password"
- Avoid using any proper names
- Avoid simple patterns like "1234"
- Don't use your phone number
- Don't use a password made of the same letter repeated (seems obvious, but you'd be surprised how many people do this)
If any of your current passwords for sensitive websites violate any of the tips above, you should probably stop reading this article right now and go change them to better passwords!
If you think about it, using a good password is quite a conundrum. Passwords need to be long to be hard to crack, but long passwords are hard, if not impossible, to remember. If you can't remember a password, you write it down, and that opens up another security hole. If you shorten the password, you can remember it, but now you have an insecure password that can be easily cracked.
Can we get rid of the password?
There is a lot of research in this area, but for the near future we can't get through the day without remembering passwords. Password crackers use a term called "password entropy", which is the amount of information (unpredictability) held in a password.
Do I have a good password?
Ask yourself this question if you want to know if you have a good password:
Can the password be brute forced?
A hacker can use the equivalent of a dictionary plus a program to try every password combination if your password is 8 characters or shorter. So make sure your password is longer than 8 characters. If your password is 9 characters and you're using symbols (like '@', '$', ...), you're probably safe from having your password cracked by a brute-force attack. But as computers get faster, this may not always be the case.
Did you know?
A hacker today can target your password at 40 billion (with a "b") hashes per second. That means it won't take long at all to crack an 8-character password.
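To put the "8 characters or shorter" rule and the 40 billion hashes per second figure on the same footing, here is a small cost model added for this article (it is not code from the article or the Computerphile video). It assumes the attacker knows which character classes the password uses and tries nothing else, and it takes the article's 40 billion hashes per second at face value; that rate is realistic against fast unsalted hashes, and a deliberately slow hash like bcrypt or Argon2 would cut it by orders of magnitude. The character-set sizes and the rule-of-thumb check are assumptions stated in the comments.

```python
import math
import string

# Constructed character-set sizes for the cost model (assumption: the attacker
# knows which classes of characters the password uses and tries nothing else).
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "lower+upper+digits+symbols": 62 + len(string.punctuation),  # 94
}

# The article's figure: 40 billion hashes per second. Realistic only against
# fast, unsalted hashes; bcrypt/scrypt/Argon2 reduce it by orders of magnitude.
HASHES_PER_SECOND = 40_000_000_000


def search_space(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Password entropy in bits for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def worst_case_seconds(alphabet_size: int, length: int,
                       rate: int = HASHES_PER_SECOND) -> float:
    """Time to try every candidate; on average the attacker needs half of this."""
    return search_space(alphabet_size, length) / rate


def humanize(seconds: float) -> str:
    """Render a duration with the largest unit that fits, one decimal place."""
    units = [("years", 365 * 24 * 3600), ("days", 86400),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def meets_article_minimum(password: str) -> bool:
    """The article's rule of thumb: longer than 8 characters and containing a symbol."""
    return len(password) > 8 and any(c in string.punctuation for c in password)


def report(rate: int = HASHES_PER_SECOND) -> dict:
    """Worst-case crack times for 8- and 9-character passwords, per character set."""
    return {
        f"{name}, {length} chars": humanize(worst_case_seconds(size, length, rate))
        for name, size in CHARSETS.items()
        for length in (8, 9)
    }


if __name__ == "__main__":
    for label, duration in report().items():
        print(f"{label:36s} {duration}")
```

Running it shows why the article draws the line where it does: at 40 billion hashes per second, every 8-character password over letters and digits falls in about an hour and a half, while going to 9 characters with symbols pushes the worst case to months. The model also makes the caveat concrete: pass a much lower `rate` to `report()` to see what a slow password hash does to the same numbers.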
Don't write your password down on a piece of paper!
It is vital to remember your password, but you shouldn't write it down. If someone finds that piece of paper, you are in trouble.
xkcd comic
The xkcd comic looks at what many people would consider the perfect password: Tr0ub4dor&3. This looks like a good password, but substituting 0 for o is a common technique, and while mixed uppercase and lowercase letters and substitutions might be hard for people to remember, computers can try those substitutions easily.
A better solution would be to choose 4 random words and tie them together, like correcthorsebatterystaple. This password could be easy for a person to remember, and it is safe from brute-force and dictionary attacks.
To make this solution even harder to crack, choose 4 words that are very uncommon. Maybe create your own 4 words? Or use brand names like NikeOraclePumaJohnDeer. Try to avoid common words, such as those in the top 10,000 English words.
And to make it even harder to crack, drop a random symbol like & or _ somewhere in between your words. Maybe make one of the words a word in a different language?
HTTPS
If you are entering a password, make sure it is sent securely over the Internet. This means you need to look at the browser address bar and make sure you see the secure padlock, which means the site is using HTTPS instead of HTTP.
Password Manager
Creating 4 strange random words every time you need a password will drive you insane, and that is why you need a password manager. With a password manager you just need to remember one "really, really good password".
Great password managers encrypt all of your passwords in a database, which you secure with a master password. Make sure you look into the level of encryption your password manager uses.
Now when you register on new sites, you generate random passwords of 16 characters or more (make them as hard as you want) and you'll never have to remember them. You only need to remember your one master password. Make sure your master password is as crack-proof as possible, using the tips suggested above, because if your master password gets cracked, all of your passwords are exposed.
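The two kinds of password this article recommends, the four-random-words master password (with an optional symbol dropped between words) and the 16-plus-character random password a manager generates for each site, are both easy to produce correctly with Python's `secrets` module. The example below is added here and is not code from the article or from any password manager; the word list is a constructed toy list of 24 words, and the entropy helpers take the size of whatever real list you would use (the EFF long list, for instance, has 7776 words) so the figures scale honestly.

```python
import math
import secrets
import string

# Constructed toy word list for the demo. A real generator draws from a list of
# several thousand words; the entropy helpers below take the list size as input.
WORDS = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garnet", "harbor",
    "island", "jigsaw", "kettle", "lantern", "meadow", "nectar", "orchid", "pebble",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
]
SYMBOLS = "&_-!#$%@"  # the symbols the generator may drop between two words


def passphrase(words=WORDS, count=4, separator="", add_symbol=True):
    """Four random words joined together, optionally with one symbol placed in
    front of a randomly chosen word other than the first (the article's
    correcthorsebatterystaple recipe with the extra symbol)."""
    parts = [secrets.choice(words) for _ in range(count)]
    if add_symbol and count > 1:
        boundary = 1 + secrets.randbelow(count - 1)   # one of the count-1 gaps
        parts[boundary] = secrets.choice(SYMBOLS) + parts[boundary]
    return separator.join(parts)


def passphrase_entropy_bits(wordlist_size, count, symbols=0):
    """Entropy of a `count`-word passphrase drawn uniformly from `wordlist_size`
    words, plus the bits added by choosing one of `symbols` symbols and one of
    the count-1 positions to put it in."""
    bits = count * math.log2(wordlist_size)
    if symbols and count > 1:
        bits += math.log2(symbols * (count - 1))
    return bits


def random_password(length=16,
                    alphabet=string.ascii_letters + string.digits + string.punctuation):
    """What a password manager generates per site: a uniformly random string
    from a CSPRNG. The article's floor for generated passwords is 16 characters."""
    if length < 16:
        raise ValueError("generated passwords should be at least 16 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_password_entropy_bits(length=16, alphabet_size=94):
    """Entropy of a random password of `length` characters over `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print("master passphrase :", passphrase())
    print("  entropy (7776-word list, 8 symbols): "
          f"{passphrase_entropy_bits(7776, 4, symbols=len(SYMBOLS)):.1f} bits")
    print("site password     :", random_password(20))
    print(f"  entropy: {random_password_entropy_bits(20):.1f} bits")
```

Two points the numbers make: a four-word passphrase from a 7776-word list carries about 52 bits, and the dropped-in symbol adds only about five more, so the list size and the word count matter far more than the symbol. A 20-character random password from a manager carries about 131 bits, which is why letting the manager generate site passwords and spending your memory on one strong passphrase is the right trade.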
Never reuse old passwords!
Remember to never, ever, ever reuse old passwords. If your old passwords get leaked on the Internet, hackers will try them on many sites to see if they work.
MFA
MFA, or Multi-factor Authentication, can help improve your security. You can tie your phone to your password (as one of the many ways to use MFA). Then the only way to gain access to a website is to have both the correct password and that person's phone. This is a huge step forward for secure logins. If you add MFA to your password manager, you will be much more secure.
Remember that there is no such thing as the "perfect" password. But if you use the techniques discussed in this article, your password will be FAR stronger than most.
If you are interested in making your office more secure contact Iron Cove Solutions and we can tell you how Okta can use all of the cutting edge technologies used today to make your company as secure as possible.