Password Security Trends and Best Practices
Before we get into password best practices, lets look at a great info-graphic that my friends over at Digital Guardian put together. We have pretty bad habits when it comes to passwords. Let's review the current state of how bad password security is and take a look at how you can safeguard yourself with password best practices.
following two trends. One, computers are getting faster through the exponential growth of technology. And two, hackers are getting smarter through common hacking knowledge and software. The combination of these two trends makes it easier for hackers to crack your passwords.
Outdated password best practices
In 2003 the National Institute of Standards and Technology that changed the way we create passwords after publishing the "NIST Special Publication 800-63. Appendix A" by Bill Burr (not the comedian). His advice was to take a word, replace letters with numbers and symbols, and utilize capitalization. For example, a word like "excellent" might look like "3*c3L13^t!" – “e” becomes “3”, “x” becomes "*", the first "L" becomes capitalized and the next becomes a "1" and so forth. This made it difficult to remember passwords. Was it the first "L" or the second “L” that I exchanged for a 1? Ugh!
This is bad advice.
In 2017, the author of that document admitted that he made a mistake in giving that advice. Unfortunately, it's become a common practice for today’s hackers to use entire dictionaries and common substitutions to crack passwords.
For example, let's take our password mentioned above, "excellent". A password-cracking software might run an algorithm with the word, "excellent" to generate and test passwords like these:
(Note: Bad practice. Don't do this.)
Throw in ever increasing speeds of computer processors, and you have programs that crack these passwords very quickly.
The viral XKCD comic strip is no longer good practice
In 2011, cartoonist Randall Munroe published an XKCD comic that became quite popular. It flipped Burr's advice on its head with a cartoon that graphically showed that you could hack "Tr0ub4dor&3" (a password that could easily come out of Bill Burr's advice). The cartoon basically shows how a random string of four words is more secure.
This is no longer good advice. According to security expert Bruce Schneier, "The password crackers are on to this trick." Hackers are getting smarter and their hacking programs are getting better.
Current password best practices
The best password advice that we've seen is what Schneier calls the Schneier scheme. This technique creates passwords are both secure and easy to remember. In fact, we produced a password security video for strong easy to remember passwords, that shows a method similar to the Schneier scheme. The idea is to take a unique phrase that is personal to you and isolate each of the first letters of that phrase. You end up with a password that is hard to crack for humans and computers yet easy for humans to remember.
We've searched far and wide and put together the single best practice for creating strong easy to remember passwords. Here is the result of 20+ hours of research, debate, and development all wrapped up into one 2 minute video.
Though this is still the best advice we have seen, it's only a matter of time before it too gets exploited because those two trends are never going away. Like I said, hackers are getting better; technology is getting faster.
It might be just another few years when it doesn't matter what password you have, computer algorithms will be able to crack anything. If you search online how many guesses of passwords a computer can make per second, you will get numbers in the billions and even trillions.
According to one of our own engineers, Colin Smith,
"We tend to overestimate the human factor in security because we want to expect the best of ourselves and others, but anyone has the capacity to be socially engineered or phished, anyone can have their clever/complex shared password scheme revealed in a breach, and anyone can be working on an improperly secured computer that is key-logged. These things can be trained for, but never to an infallible degree; because computer (and human) networks work through relationships of trust, one compromised account translates directly into compromising others. All this adds up to the fact that a password cannot be made safe enough on its own, neither through length nor complexity."
So what is the only solution that will beat the trends?
Two-factor authentication is more secure
Two-factor authentication is also known as dual-factor authentication. If you have more than two ways of authenticating, it’s known as multi-factor authentication.
Here’s how it works:
First, you log into a website or program. The program prompts you to send a unique, sometimes six-digit code, to your mobile phone, and then you confirm that code in the program itself. It requires you to confirm with two technology sources (the password & your mobile device) before you can log in.
Also, it doesn’t have to be just a password and mobile device. It can work with a number of different combinations to be considered two-factor authentication.
Combinations may look like:
- Password + mobile phone text message
- Password + app on a mobile phone (like AuthAnvil)
- Password + email address
- Password + physical key
- Password + thumbprint
- Password + eye scanner (if you are James Bond)
You get the picture.
How to protect yourself from password hackers
- Create your own unique password policy that looks something like the one outlined in the embedded Quick Tip video on passwords. And use this for your master password with a password manager, like 1Password or LastPass.
- Opt-in for two-factor authentication with any services you use where security is critical. These include email provider, website provider, and most importantly online banking. In fact, you should enable two-factor authentication as soon as possible. If you can't figure it out online, call up your bank today and ask them how to opt-in for two-factor authentication.
- Make sure your business has a two-factor authentication policy for all password resets that are managed by your systems administrator.
- Make sure that you can trust your systems administrator. Without this, nothing else matters.
Password best practices are fading away due to the fact that hackers are getting smarter and technology is getting faster.