In this blog article, we’re going to be looking at the ideal password conditions, as well as other authentication methods you should be using. We’ll be covering password length & characters, passphrases, password managers, 2FA (2 Factor Authentication) and MFA (Multi-Factor Authentication). We’ll also pack in a funny little video at the end around password security, so stick around.
But first, why do we often talk about cyber security?
Well, cyber crime is only ever on the rise and cyber criminals are becoming craftier and harder to catch. It’s estimated that cyber crime has overtaken drug smuggling in terms of profitability. In an age that relies on technology, it’s key to stay in the know.
Password length, cases & special characters
Here are some common questions you may be asking when it comes to the ideal password length, variation in case and/or use of special characters:
- How long should your password be?
- Should you use upper and lower case letters?
- Should you be including numbers and special characters?
We’ll look at those below.
Special characters, symbols like @, £, ! and so forth, are designed to add entropy (complexity) to passwords, in theory making them harder to crack*. By using special characters you increase the number of possible characters that brute-force cracking software has to try at every position of the password. In other words, the alphabet grows from 26 (or 52 with upper and lower case) letters to tens more.
*Password cracking is typically carried out offline against large sets of breached data. The breached data may contain usernames, hashed passwords (often loosely described as encrypted) and other sensitive information. It is these hashed passwords that attackers try to brute-force. Once they have the plaintext passwords, combined with the usernames, they can access accounts on certain websites or sell the data on to other cyber criminals.
Upper and lower cases
Similar to special characters, upper and lower cases of letters in passwords are designed to help improve complexity. The problem is, they’re usually not used correctly.
What do we mean by this?
Most people will just make the first letter uppercase and also tack an exclamation mark (!) or an at (@) symbol to the end of their password. This is done to meet the minimum requirements of modern apps and websites that require these conditions when creating an account.
Why is this bad?
Because cyber criminals are smart. They know this. They build these variations into their password dictionaries and cracking rules, so a dictionary word with a capital first letter and a symbol on the end falls almost as quickly as the bare word.
One of the best ways to illustrate the need for a long password is a password cracking chart like the one below.
As you can see, as the password length increases, it takes more time for hackers to brute force your password.
At absolute minimum, your password should be 8 characters long, but realistically you should be aiming for 12 characters.
“But a password that’s 12 characters long and has special characters is too hard to remember!” you say? Read on.
Passphrases (the path to an ideal password)
A better method of creating long, unique passwords that are hard to crack but easy to remember is to use passphrases. A passphrase joins 3 or 4 words together to create a long string of letters. You can add numbers and special characters if you wish, and some websites and apps will require them.
Example of a passphrase: PenguinWallPlane
The passphrase above is 16 characters long and has upper and lower case letters. It doesn’t necessarily “need” special characters or numbers, as it will take approx. 2 billion years to crack according to the chart above. Until quantum computing becomes mainstream, that is… But that’s a blog article for another time!
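To make the arithmetic behind the cracking chart, the “capital letter plus a symbol” habit and the passphrase claim concrete, here is a small added Python estimator (example code written for this article, not part of the original post or any cracking tool). The guess rate of 10 billion hashes per second, the 100,000-word attacker dictionary, the 7,776-word passphrase list and the single mangling rule it recognises are illustrative assumptions, not figures from the chart.

```python
import math
import re
import string

# Character classes a naive brute-force attacker must cover once any member
# of the class appears in the password (string.punctuation has 32 symbols).
_CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]

# Assumed "comply with the rules" pattern from the article: a dictionary word
# with its first letter capitalised and one or two digits/symbols tacked on.
_MANGLED = re.compile(r"^[A-Z][a-z]+[0-9!@]{1,2}$")


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of search space for alphabet_size^length equally likely passwords."""
    return length * math.log2(alphabet_size)


def brute_force_bits(password: str) -> float:
    """Search space a brute-force attacker faces, given the classes the password uses."""
    alphabet = sum(len(cls) for cls in _CLASSES if any(c in cls for c in password))
    return keyspace_bits(alphabet, len(password)) if alphabet else 0.0


def realistic_bits(password: str, dictionary_size: int = 100_000) -> float:
    """Estimate against an attacker who tries dictionary words plus common mangling first.

    For the mangled pattern the attacker only needs: dictionary word x (capitalised
    or not) x suffix choices (12 single characters + 12*12 two-character suffixes).
    Anything else falls back to the brute-force estimate.
    """
    if _MANGLED.match(password):
        return math.log2(dictionary_size * 2 * (12 + 12 * 12))
    return brute_force_bits(password)


def passphrase_bits(words: int, wordlist_size: int = 7_776) -> float:
    """Bits for `words` words chosen at random from a list of wordlist_size (assumed size)."""
    return words * math.log2(wordlist_size)


def crack_time_years(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to find the password: on average half the space is searched."""
    seconds = (2 ** bits) / guesses_per_second / 2
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("password", "Penguin1!", "PenguinWallPlane"):
        print(f"{pw:18} brute-force {brute_force_bits(pw):5.1f} bits, "
              f"dictionary-aware {realistic_bits(pw):5.1f} bits, "
              f"~{crack_time_years(realistic_bits(pw)):.3g} years")
    print(f"3 random words: {passphrase_bits(3):.1f} bits, 4 words: {passphrase_bits(4):.1f} bits")
```

The dictionary-aware figure for a word with a capital and a trailing symbol is far below its brute-force figure, which is the point of the section above; a passphrase only keeps its strength if the words are chosen at random rather than from a short, guessable set.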
As you’re probably well aware, you shouldn’t use the same password across multiple websites and web apps. The reason being, if one website is hacked and its data compromised, all of your other accounts will be open for the taking.
So, what should you do? Enter, password managers.
Password managers allow you to create strong, randomly generated passwords unique to websites & apps. They remember your password for the website so you don’t have to. You will often have one master password to administer your password manager.
The downside? The password manager could get hacked. You’d like to think they won’t or have the utmost security protocols in place, but it is possible.
We use Google Chrome’s built-in password manager, but have heard good things about Dashlane. Ultimately, there are lots of password managers out there and it’s about doing some research and finding one you’re happy with.
2 Factor and Multi-Factor authentication
2FA and MFA are slightly off on a tangent to “passwords” but still vital to the login process and your security. We’ll be looking at what they are and why you should use them.
2FA is now standard in websites and apps that hold highly sensitive data, such as online banking. It’s the process of combining the standard username & password login with another method of proving you are who you claim to be. That secondary method of authentication will usually take one of the following forms:
- An SMS message to a trusted device.
- Another secure passcode or secret word.
- A fingerprint or thumbprint.
- Face ID.
We’re certain 2FA (and MFA) will be more frequent as time goes by.
Similar to 2FA, MFA, as the name suggests, involves multiple layers of authenticating oneself.
To sum up
Here’s a quick recap of what we’ve discussed:
- Have your passwords be a minimum of 12 characters.
- Passphrases are better than passwords.
- You will likely need to include special characters, numbers and upper and lower cases.
- Password managers are great at spreading the risk of password compromises.
- Use 2FA or MFA where you can, especially for things like online banking.
Lastly, avoid using objects familiar to you…
Here’s a hilarious video of people accidentally revealing their passwords on TV!