
Password security is the first, and often weakest, line of defence against cyber-attacks. Unfortunately, passwords are the cybersecurity measure we all love to hate.

Techies take a lot of flak for implementing password security, but we didn't invent it. Call them passwords, PINs, keys or whatever you like: they all work the same way, a secret pattern grants access to a restricted resource. As such, password security measures have existed throughout history and will be around in some form for a while yet.

That said, passwords have never been as common as they are today, and cracking them was far harder without computers. These days, weak passwords only create a false sense of security. So, we all need to know how to use passwords effectively.

What Makes A Strong Password

First, let's review what makes one password stronger than another:

  • Length: every extra character multiplies the number of combinations a brute-force attacker has to try, so the work grows exponentially with length. Eight lowercase letters give 26^8, about 2×10^11 guesses; twelve give 26^12, about 10^17
  • Variety: mixing capitals and lower-case letters gives the attacker 52 possibilities per character instead of 26; digits add ten more and punctuation about thirty. Variety helps, but less than length does: doubling the alphabet doubles the work, while adding one character multiplies it by the whole alphabet
  • Unpredictability: brute force is the attacker's last resort. They first try leaked password lists, dictionary words, names, pet names, dates and common substitutions like P@ssw0rd, so a password built from those falls in seconds whatever its length or variety
  • Uniqueness: re-using a password just gives hackers a bigger reward for cracking it. One breached site hands them a credential that is then tried against every other service (credential stuffing)
  • Expiry: a password that is changed promptly after a suspected leak gives hackers only a short time to use it. Forced routine expiry is less useful than it sounds, because people respond with predictable variations; current guidance is to change a password when there is reason to think it has been exposed, rather than on a timer
  • Secrecy: sharing a password weakens it, because you don't know who else will see it. Without a written contract guaranteeing confidentiality, sharing passwords with work colleagues, family and friends is rarely worth the risk. If you must do it, control the situation and change your password straight afterwards

One fairly effective approach to this is to use a pass phrase. It's easier to remember a long sentence containing a few numbers and punctuation than a long string of random characters. However, ordinary sentences are predictable: attackers guess whole words and common phrases rather than single letters, so a phrase is only as strong as the number of words in it and how unexpectedly they were chosen. So, it's better to mix it up a bit, for instance by picking several unrelated words at random, or by keeping just the first two or three letters of each word, or the first and last.
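To make the length-versus-variety arithmetic above concrete, here is an added Python example (not code from the original article) that estimates the work facing an attacker for a candidate password or pass phrase. It assumes a guess rate of 10^10 per second against a fast unsalted hash, a constructed six-entry stand-in for a leaked-password list, and an attacker wordlist of 50,000 words for passphrases; all three numbers are illustrative.

```python
import math
import string

# Constructed sample of the entries that head leaked-password lists;
# real attacker wordlists hold millions of them.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "dragon"}

# Assumed attacker: one GPU rig against a fast, unsalted hash such as NTLM.
# A deliberately slow hash (bcrypt, scrypt, Argon2) cuts this by 10,000x or more.
GUESSES_PER_SECOND = 1e10

# Assumed size of the wordlist a passphrase-aware attacker guesses from.
ATTACKER_WORDLIST = 50_000

SECONDS_PER_YEAR = 365 * 24 * 3600

# Undo the commonest "leet" substitutions before checking the wordlist.
LEET = str.maketrans("@$0!", "asoi")


def charset_size(pw: str) -> int:
    """Alphabet a brute-force attacker must cover at every position."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),  # 32 printable symbols
    ]
    return sum(size for chars, size in classes if any(c in chars for c in pw))


def brute_force_bits(pw: str) -> float:
    """log2 of the keyspace an attacker with no better idea has to search."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def passphrase_bits(n_words: int, dictionary_size: int) -> float:
    """Strength of n words chosen at random from a list of dictionary_size words."""
    return n_words * math.log2(dictionary_size)


def years_to_crack(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the password: on average half the keyspace is tried."""
    return (2.0 ** bits) / 2 / rate / SECONDS_PER_YEAR


def estimate_bits(pw: str) -> float:
    """Bits a well-informed attacker must search; zero for a wordlist hit."""
    if pw.lower() in COMMON_PASSWORDS or pw.lower().translate(LEET) in COMMON_PASSWORDS:
        return 0.0
    bits = brute_force_bits(pw)
    words = pw.split()
    if len(words) > 1 and all(w.isalpha() for w in words):
        # A word-aware attacker guesses whole words, not letters: the cost is
        # the wordlist size per word, however long the words happen to be.
        bits = min(bits, passphrase_bits(len(words), ATTACKER_WORDLIST))
    return bits


def assess(pw: str) -> tuple:
    """Return (verdict, effective_bits) for a candidate password."""
    bits = estimate_bits(pw)
    if bits == 0.0:
        return ("common", bits)
    years = years_to_crack(bits)
    if years < 1:
        return ("weak", bits)
    if years < 100:
        return ("fair", bits)
    return ("strong", bits)


if __name__ == "__main__":
    for pw in ["P@ssw0rd", "summer", "Tr0ub4dor&3", "correct horse battery staple"]:
        verdict, bits = assess(pw)
        print(f"{pw!r:32} {verdict:7} {bits:5.1f} bits  "
              f"~{years_to_crack(bits):.2g} years at {GUESSES_PER_SECOND:.0e} guesses/s")
    # Four words from a 7776-word dice list: strength comes from the word count.
    print(f"4-word diceware passphrase: {passphrase_bits(4, 7776):.1f} bits")
```

Running it shows the point of the list: P@ssw0rd scores zero because it is a known password in disguise, a six-letter lowercase word falls in a fraction of a second, and a four-word phrase of ordinary English rates only "fair" at this guess rate, because the attacker pays per word rather than per letter. Note what the rate assumes: against a properly slow hash like bcrypt or Argon2 every figure improves by orders of magnitude, and against an online login that locks out after a few attempts, brute force is not available at all.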

So, creating strong passwords isn't that hard. At least, not compared to having your bank account emptied out, or your entire identity stolen. Yet those disasters are still very common.

So, what goes wrong?

When Good Password Security Goes Bad

Well, we're only human. Strong passwords are hard to remember, and nowadays, we need lots of them. So, we create workarounds, like:

  • Re-using the same password on many systems
  • Writing passwords down (often in easily-accessible locations)
  • Using easily-remembered and/or predictable passwords

These weaken password security. It's like leaving your front door on the latch so that you don't have to carry a pocketful of keys. There must be a better way.

Well yes, there is, and it has been around almost as long as we've had keys. It's called a keychain.

Password Managers — Modern Keychains

Mac users have had a built-in "Keychain" since 1999. It's a password manager, and naturally, these exist for Windows and other operating systems, too. A good password manager will generate a strong, unique password for every site, then save you the trouble of remembering them. So, why aren't they common?

Well, some feel that storing all your passwords in one place is like putting all your eggs in one basket. Whilst this is true, it's a lot easier to protect one basket, with one long master pass phrase, than to juggle dozens of eggs.

So, if you prefer to keep your passwords in-house, consider KeePass. It's free and has versions for most operating systems, from Windows to Android and even Blackberry phones. Its password store is a single encrypted file, so you can copy or sync it between these systems yourself without any third party ever holding it. It is also open-source, so security experts can audit its code if necessary.

If you're happy with storing your passwords in a cloud-based system, LastPass may be worth a look. It offers free and low-cost subscriptions, browser plugins and mobile apps. Although the vault is stored in the cloud, it is encrypted and only your master password can unlock it. The master password isn't transmitted; a key is derived from it on your device, so decryption happens there too. The caveat is that anyone who obtains a copy of the encrypted vault, for instance through a breach at the provider, can attack the master password offline at leisure, so the vault is only as strong as that one password and the key-derivation settings behind it. Make it a long pass phrase and turn on 2FA for the account.

Beyond Passwords

Strong passwords work well for most situations, but they do have limits. The computing power available to criminal hackers for cracking passwords is growing fast, and so are the leaked password lists they feed it. So, a password that would take ten years to crack now may take only five years in two years' time.

That's why techies add extra limits on logins, like locking you out after a few wrong attempts, to cap how many guesses an attacker can make online. Contrary to popular belief, we're always trying to make these more user-friendly. Unfortunately, things that would help you, like a precise error message, also help criminal hackers: "unknown username" versus "wrong password" tells them which accounts exist, and a visible lockout counter tells them how many guesses they have left.
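As an added illustration of the trade-off just described (example code, not anything from the article or a particular product), here is a small Python login check that locks an account after a configurable number of failures and returns one generic message whether the username is unknown, the password is wrong or the account is locked. It also hashes a dummy credential for unknown users so the response time gives nothing away. The PBKDF2 round count, lockout length and message text are assumptions.

```python
import hashlib
import hmac
import os
import time

# One generic response for every failure mode: unknown user, wrong password
# and locked-out account all look the same from outside.
GENERIC_FAILURE = "Login failed. Check your details or try again later."

PBKDF2_ROUNDS = 100_000  # assumed; tune so a hash takes ~100 ms on the real server


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class LoginGuard:
    """Password check with per-account lockout and enumeration-resistant errors."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900, clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock            # injectable so tests can move time forward
        self.users = {}               # username -> (salt, pbkdf2 hash)
        self.failures = {}            # username -> (count, time of last failure)
        # Dummy credential hashed for unknown users: the work done, and so the
        # response time, is the same whether or not the account exists.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = hash_password(os.urandom(16).hex(), self._dummy_salt)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(password, salt))

    def is_locked(self, username: str) -> bool:
        count, last = self.failures.get(username, (0, 0.0))
        return count >= self.max_failures and self.clock() - last < self.lockout_seconds

    def login(self, username: str, password: str) -> tuple:
        """Return (success, message). The message never says *why* it failed."""
        salt, stored = self.users.get(username, (self._dummy_salt, self._dummy_hash))
        # Always do the full hash and a constant-time compare, even for locked
        # or non-existent accounts, so timing reveals nothing about them.
        ok = hmac.compare_digest(hash_password(password, salt), stored)
        if username not in self.users or self.is_locked(username):
            ok = False                # a correct password is refused during lockout
        if ok:
            self.failures.pop(username, None)
            return True, "Welcome back."
        count, last = self.failures.get(username, (0, 0.0))
        now = self.clock()
        if now - last >= self.lockout_seconds:
            count = 0                 # earlier failures have expired
        self.failures[username] = (count + 1, now)
        return False, GENERIC_FAILURE


if __name__ == "__main__":
    guard = LoginGuard(max_failures=3, lockout_seconds=60)
    guard.register("alice", "correct horse battery staple")
    for attempt in ["wrong", "wrong", "wrong", "correct horse battery staple"]:
        print(attempt, "->", guard.login("alice", attempt))
    print("unknown user ->", guard.login("mallory", "anything"))
```

The fourth attempt above fails even though the password is right, and the user is not told why; that is exactly the usability cost the paragraph describes. Per-account lockout also lets an attacker lock a victim out on purpose, so in practice pair it with per-source throttling and increasing delays rather than relying on lockout alone.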

So, what are the alternatives?

Well, biometric systems like fingerprint scanners can work well. However, enough resources and incentive can crack any security, and accidents happen. That's when the flaws appear. Unlike a password, a fingerprint or face can't be changed to restore security once it has been copied. It's also an inherent part of our identity, which can give hackers, and any agency that validates such data remotely, significant control over it.

"Social logins" are now also common. These let a site ask an "Identity Provider", such as a social media platform, to confirm who you are. Your login to the Identity Provider is normally encrypted in transit, but encryption doesn't stop "social engineering" attacks like phishing, which trick you into typing that one login into a fake page. Compromise it and every site that trusts it is open. So, these systems can be easier to hack than password managers.

A better option, favoured by Google and others, is "two-factor authentication" (2FA). This combines something you know (usually a PIN or password) with something you have: a bank card, a hardware key, a short-range RFID token, or a mobile phone that receives or generates a short-lived "one-time password". Codes sent by text message are the weakest form, since phone numbers can be hijacked; an authenticator app or a hardware key is stronger. This extra step may seem redundant, but you'll be glad of it if someone cracks your password.

Conclusion

Password managers make strong password security easy enough to use even in low-risk situations. If you can't do that, at least use a mixed-up pass phrase, with 2FA when available.

This article is part of a cybersecurity series that began here.