The first line of defense in protecting systems and users, passwords are half of a user’s credentials. The first half is user identification, followed by authentication, the password. How to construct a good password is a matter of discussion, and in this case, the best way to define a good password is to define what it is not.
A good example of what is not a good password is a common word, advice we have all heard, like "password." Even using conjunctions with your company name is not a good idea: Solarwinds123 was the password for the hack into SolarWinds, which affected many thousands of federal government systems. (However, SolarWinds recently determined that the password was for a third-party vendor application. It was not for access into the SolarWinds IT systems and had nothing to do with the attack or breach of the company's IT systems; it was still a password.)
Nevertheless, humans construct passwords or use a password manager; the discussions center around what makes for a good password, how long to keep a password, how many you need, etc. Even a password manager must have standards. A good way to look at this is to examine passwords that have been used before. This can be easy because so many passwords have been stolen and published.
In password construction, the top 20 or 50 always seem to be the same, even across nationalities. They include: password, 123456, abc123, QWERTY, Admin, and the like. As most of us know, these not-so-clever password variations have been around for a long time. The question is why people still use them; most likely, it is because they are easy and, most importantly, there are no system administration password standards that force stronger passwords.
This is a management issue. In addition, to the common list of lame passwords, there is the issue of password overload. This is the increasing number of passwords people need, so to make it simple, people use the same password for many functions, the same one for online banking and Amazon. Another interesting fact is that passwords tend to be specific to user culture. English speakers will use English letters, numbers, and common special characters, as Spanish speakers will use Spanish letters with accents, numbers, etc. Each group will be slightly different, with a defined character set of 72 to 100 characters.
Hive Systems' password cracking study used a 650-character set to establish the timelines to crack a password. That means your password will take much less time to crack if you are not taking advantage of these 650 characters, including Cyrillic, Symbols, and Latin extensions.
In addition, people use common names; a mild generalization is that men tend to use sports teams and athletes in their passwords. Women tend to use children, grandchildren, and pet names in their passwords. How could you guess what words to use? Go to their Facebook page.
Age is also a factor in password construction: People older than 60 tend to use the same password for many functions.
The summary is obvious, do not use the expected list of well-known passwords; use a unique password for every account, and use multifactor authentication (MFA) for every account you can. ForGoogle, fewer than 20 percent of users employ MFA, meaning you will be more secure by turning on MFA than the other 80 percent.
Last is complexity: The more complex, the better, and the longer, the better. There are limits to complexity, as complexity is constrained by culture and knowledge. For example, it is unlikely that readers of this will begin adding Cyrillic characters to their passwords.
Essentially, increasing password complexity and length is a defense. This is about increasing the time it takes to match the stolen hash value. There is an observation in the study that the time to crack a password decreases as processing power increases in individual systems and in the cloud. The argument is that at some point in time, the advances in computing power will make traditional passwords obsolete.
However, at the same time new hashing algorithms, salts, and other technology used to protect passwords will make passwords tougher to crack for a long time. For now, the advice is the same as it has been, use long and complex character sets, use MFA, and use different passwords for each account.
With 30 years of experience in information technology, Mike Olivier brings his expertise to small-business System Security Planning with San Diego-based 171Comply. As a small business owner working in the federal space both as a prime contractor and as a subcontractor, he understands the realities of running a small business. Contact Mike at email@example.com.