10 Tips to Make a Secure Password
One of the best defenses against stolen passwords is to change the passwords in use frequently. There’s always a balance between security on one hand and usability on the other, so forcing password changes too often places an excessive burden on users. Who wants to be forced to change their passwords every few weeks? Enforcing password changes every six months provides a good balance between frequency and security.
Passwords that consist solely of traditional text characters can be easier for attackers to guess or crack. For example, a password like “waffle” can be easier for an attacker to guess using brute force methods, but something like “waff!E” would be much more difficult and time consuming to crack.
It’s a tired old joke in IT circles: Many users adopt some of the most obvious and most insecure words for their passwords, ranging from the ubiquitous “password” to their first names, the name of their company, or the brand name of the monitor they were staring at when they came up with the password. A password policy that doesn’t allow users to use common, easily guessed words like “password” can improve security substantially.
Some of the best passwords are based on nonsensical phrases that only make sense to the user who created them. For example, if the user has a dog named Ranger that likes to catch Frisbees, a password like “dograngerfrisbee” will be easy for the user to remember, but hard for attackers to crack using brute force methods or by guessing.
In addition to comically simple passwords like “password” and “beer,” another common problem with many passwords is that they’re simply too short. “ABC” and “123” may be easy to remember, but they’re equally easy for attackers to compromise. Enforcing a minimum password length of at least eight characters is yet another way to increase the complexity of assigned passwords.
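The three policy points above (non-alphabetic characters, a deny list of obvious words, and a minimum length of eight) can be enforced in code. The following is an added example, not code from the article: a small checker with a constructed deny list and constructed organization name, plus a search-space estimate that shows why “waff!E” costs more to brute-force than “waffle”, and why the long passphrase “dograngerfrisbee” costs more still.

```python
import math
import string

# Constructed deny list standing in for the "common, easily guessed words" the
# article describes; a real deployment would load a full breached-password list.
COMMON_WORDS = {"password", "beer", "letmein", "qwerty", "123456"}

# Constructed organization-specific words (company and product names).
ORG_WORDS = {"examplecorp"}

MIN_LENGTH = 8  # the minimum the article recommends

# Substitutions that leave a deny-listed word just as guessable ("P@ssw0rd").
_LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                       "1": "l", "!": "i", "3": "e", "7": "t"})


def normalize(password: str) -> str:
    """Lowercase and undo leet substitutions so deny-list matching is robust."""
    return password.translate(_LEET).lower()


def check_password(password: str, user_words=()) -> list:
    """Return the policy violations for a candidate password (empty = accepted).

    user_words: names tied to the user (first name, username) that the caller
    supplies; the article notes people tend to reuse them as passwords.
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("too_short")
    norm = normalize(password)
    if any(word in norm for word in COMMON_WORDS | ORG_WORDS):
        violations.append("common_word")
    if any(word and word.lower() in norm for word in user_words):
        violations.append("personal_info")
    return violations


def keyspace_bits(password: str) -> float:
    """log2 of the brute-force search space implied by the character classes used.

    Measures exhaustive-search cost only, not guessability: a deny-listed word
    scores well here, which is why check_password() runs first.
    """
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    size = sum(len(cls) for cls in classes if any(c in cls for c in password))
    return len(password) * math.log2(size) if size else 0.0
```

Characters outside the four ASCII classes (spaces, non-ASCII letters) add nothing to the estimate, which keeps it conservative.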
In this era of shared cloud services, a shared password can be a security Achilles’ heel for any organization. The marketing department may be using a SurveyMonkey account to generate web surveys, but multiple users log into that one account. We’ve all seen sticky notes with passwords affixed to monitors, so work with your HR department to make sure that users know the importance of keeping passwords limited to only the people who need access. If a passer-by can easily spot and use a password in a public place, you have to assume that someone with more malevolent intent could see it as well.
One of the ways that password breaches can become exponentially more damaging is if users are employing the same password on multiple services. If an attacker gains access to one service – say the corporate Facebook account – then he or she could potentially reuse that username and password combination on dozens of other cloud services.
Sometimes the best approach to password complexity issues is to use a password management service like KeePass, Kaspersky Password Manager, or LastPass. All of these password managers follow the same basic idea: Rather than having to remember all of those individual passwords, the password manager does that for you, automatically filling passwords in when needed. The only password you need to remember is the one to the password manager itself.
Beyond following all the steps described above, sometimes the most secure approach is to adopt two-factor authentication in conjunction with strong passwords. This requires users to enter a code generated by a separate application or device in order to log in. These range from something like RSA’s SecurID two-factor authentication token – a small hardware device that randomly generates an authentication code – to a software application, such as the two-factor authentication app that you can configure for Google Mail.
Biometric hardware has advanced significantly in the past few decades, so authentication methods which once seemed like science fiction – the ability to scan fingerprints, analyse typing patterns, or recognize a user’s facial features – are now a reality. One of the most widely used biometric devices is a fingerprint scanner, which does exactly what the name implies: The user swipes her fingertip across the scanner to have her fingerprint read and to gain access. Major PC hardware vendors such as Dell, HP, Toshiba, and Lenovo offer laptops with integrated fingerprint scanners, and several vendors sell stand-alone scanners that can be connected to any PC.