In our digital age of powerful automated cyberattacks, password security has moved front and center in protecting an organization’s online assets. That’s because attackers can now check, brute-force, or “crack” anywhere from 10,000 to 1 billion passwords per second. In this context, people need to up their game in crafting “unpredictable” and therefore “uncrackable” passwords.
In this blog post, we will discuss some of the top password security best practices, from requirements on length, complexity, and unpredictability to complementary measures like two-factor authentication, a checklist, and some bad password practices to avoid at all costs.
Password best practices
Use a password manager
As we mentioned earlier, a password manager is a great way to generate and store strong, unique passwords for all of your online accounts. A password management tool allows you to move from highly insecure practices, such as writing your passwords on a Post-It or into a text file, to keeping them in a centralized, secure “vault” application to which only you hold the key.
Use complex passwords
A good password should be at least 8 characters long, but the longer, the better. The reason is that a short password, anything between 1 and 7 characters, can usually be brute-forced in a very short amount of time.
Your password should also be complex, which means it should contain a mix of uppercase and lowercase letters, numbers, and special characters. The more character types you use, the better. But again, if you use all those character types in a predictable pattern, like “PassWord123*!”, the password will be much easier to crack.
In short, unpredictability means “randomness” in both the choice of characters and their order, for example mnYc0l0rz!!!.
Use a password strength meter
When you create a new password, most websites these days show some kind of password strength meter. This is a great way to get feedback on whether your new password is strong enough. The general rule of thumb is that your password should rate as “strong” or “very strong.” That being said, as the owner of an organization, you can also implement strong password policies of your own, including a password strength meter.
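As an added illustration of the strength-meter idea above (example code written for this post, not a tool provided by its author), the following Python script scores a candidate password the way the post recommends: minimum length, character-class mix, and a check for predictable patterns, then estimates average-case crack time at the 10,000 and 1 billion guesses-per-second rates quoted in the introduction. The word list and the “leet” substitution map are constructed assumptions, far smaller than what real cracking tools use.

```python
import math
import re
import string

# Guess rates quoted in the post: 10,000 (slow) to 1 billion (fast) guesses per second.
GUESS_RATES = {"slow": 10_000, "fast": 1_000_000_000}

# Constructed, deliberately tiny word list standing in for a real cracking dictionary (assumption).
COMMON_WORDS = ("password", "welcome", "admin", "qwerty", "letmein")

# Undo common "leet" substitutions so "PassWord123" and "P@$$w0rd" both reveal "password".
LEET = str.maketrans("0134$@", "oleasa")

CLASS_SIZES = {
    string.ascii_lowercase: 26, string.ascii_uppercase: 26,
    string.digits: 10, string.punctuation: 32,
}

def classes_used(pw):
    """Character classes (lower, upper, digit, special) that appear in the password."""
    return [cls for cls in CLASS_SIZES if any(c in cls for c in pw)]

def naive_bits(pw):
    """Entropy if every character were drawn uniformly from the pool of classes used."""
    pool = sum(CLASS_SIZES[cls] for cls in classes_used(pw))
    return len(pw) * math.log2(pool) if pool else 0.0

def predictable_patterns(pw):
    """Patterns a cracking rule set tries first; each one invalidates the naive estimate."""
    found = []
    if any(w in pw.lower().translate(LEET) for w in COMMON_WORDS):
        found.append("dictionary word")
    if re.search(r"\d{3,}[^\w\s]*$", pw):      # ...123, ...2024!, ...123*!
        found.append("trailing digit run")
    return found

def assess(pw):
    """Strength-meter verdict plus average-case crack time at both guess rates."""
    bits = naive_bits(pw)
    patterns = predictable_patterns(pw)
    if len(pw) < 8 or "dictionary word" in patterns:
        rating = "weak"
    elif len(classes_used(pw)) < 3 or patterns or bits < 50:
        rating = "fair"
    elif bits < 70:
        rating = "strong"
    else:
        rating = "very strong"
    # Average case: half the keyspace must be searched; only meaningful when no pattern was found.
    crack_seconds = {name: 2 ** bits / 2 / rate for name, rate in GUESS_RATES.items()}
    return {"length": len(pw), "classes": len(classes_used(pw)), "naive_bits": round(bits, 1),
            "patterns": patterns, "crack_seconds": crack_seconds, "rating": rating}

if __name__ == "__main__":
    for candidate in ("PassWord123*!", "mnYc0l0rz!!!", "short1!"):
        print(candidate, assess(candidate))
```

Note that “PassWord123*!” scores over 80 naive bits yet is rated weak: character-class arithmetic alone says nothing about predictability, which is why the meter must look for dictionary words and trailing digit runs before trusting the entropy figure.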
Add in two-factor authentication
Two-factor authentication (or “two-step verification”) is an extra layer of security that requires not only your password but also a code that is generated by an app on your phone or sent to you via text message. This makes it much harder for attackers to gain access to your accounts, even if they have your password.
Turn off AutoFill passwords
If you are using a password manager, there is no need to have your web browser autofill your passwords. In fact, it’s better to turn this feature off as it can be a security risk. If an attacker has access to your computer, they may be able to see all of the passwords that are stored in your web browser.
Accept automated passwords from reputable sources
Using your password manager to generate long, random passwords is one of the most secure ways to take advantage of autogenerated passwords. But if you rely on a free online application, system, or service to generate hard-to-crack random passwords for you, make sure it is one you can trust before accepting the passwords it suggests.
Do not save your passwords in your browser
When it comes to password security, one of the worst things you can do is save your passwords in your web browser. If an attacker gains access to your computer, they may be able to see all of the passwords that are stored in your web browser.
Do not reuse your passwords
One of the most important password security best practices is to never reuse passwords. If you use the same password for multiple accounts and one of those accounts is compromised, all of your other accounts will also be at risk.
Password security checklist
- Use a mix of uppercase and lowercase letters, numbers, and special characters.
- Make your passwords long and unpredictable.
- Use a password manager to generate and store strong passwords.
- Turn off AutoFill passwords in your web browser.
- Do not save your passwords in your web browser.
- Do not reuse passwords for different accounts.
- Use two-factor authentication whenever possible.
- Only accept automated passwords from reputable sources.
The use of two-factor authentication and randomly generated, longer passwords is among the top password security best practices. But strong password hygiene, to be most effective, needs to be part of an overall cybersecurity program that tests all possible attack vectors against the main cyber risks threatening organizations. That’s where proactive penetration testing comes in. Testing your systems to identify and remediate not only weak or insecure password practices but also the vulnerabilities that attackers could readily exploit will become the building block of a winning cybersecurity strategy.