Three Updated Password Best Practices

Weak passwords are a major information security issue, accounting for an astonishing 81% of hacking-related data breaches according to a recent Verizon Data Breach Investigation Report. The good news is that everyone can begin taking small steps to improve their own password security and stay safer online. Here are a few password best practices that you should be following:

Use long passwords instead of complex passwords

When you create a new password for a website or app, you’ve probably become accustomed to seeing requirements designed to make your password more complex (special characters, uppercase and lowercase letters, etc.). But password-cracking methods have advanced over time, and you’re now actually better off with a long password than with a short one padded with extra exclamation marks and numbers. Make sure all of your passwords are over 16 characters.

If a hacker steals encrypted passwords, they can try to guess them using a “brute force attack,” which runs every possible combination of letters and numbers through an encrypting function and compares the output to the encrypted passwords they stole. Modern computers can quickly crack short passwords this way. Even a “complex,” 8-character password can be cracked on an everyday computer within several days, or in seconds using a supercomputer or a botnet. A password that’s over 16 characters will take hundreds or thousands of years to crack via brute force attack, so make sure yours are at least that long.

Advanced tip: Using non-English words in a password is the second-most effective way to make it stronger, after length. Many hackers use “dictionary attacks,” where they take a list of common English words or phrases and run a brute force attack based on every combination of these phrases. Basically, if you use common English phrases in your passwords, they can be cracked much more quickly by skilled attackers. Using non-English phrases, or purely random strings of letters and numbers, will foil these attacks.
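To put numbers on the two points above (length beats complexity against brute force, and dictionary phrases fall faster than random strings), here is an added example in Python that is not part of the original article. It estimates the keyspace an exhaustive search must cover, converts that to time at an assumed guess rate of 10 billion guesses per second (a constructed figure standing in for a GPU rig against a fast hash, not a number from the article), and checks whether a password's letters can be segmented into words from a small constructed word list the way a dictionary attack would. The alphabet sizes, word list and `assess` helper are all assumptions made for the illustration.

```python
import math
import re

# Alphabet sizes for the search-space estimate (constructed assumption: 33 printable ASCII symbols)
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
MIN_LENGTH = 16   # the article's guidance

# Constructed stand-in for an attacker's word list; real lists hold millions of entries
COMMON_WORDS = {"sunshine", "password", "welcome", "summer", "dragon",
                "correct", "horse", "battery", "staple"}


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force search must cover to reach this password."""
    size = 0
    if re.search(r"[a-z]", password):
        size += LOWER
    if re.search(r"[A-Z]", password):
        size += UPPER
    if re.search(r"[0-9]", password):
        size += DIGITS
    if re.search(r"[^A-Za-z0-9]", password):
        size += SYMBOLS
    return size


def keyspace(password: str) -> int:
    """Number of candidates in an exhaustive search of the same alphabet and length."""
    return charset_size(password) ** len(password)


def years_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to enumerate the whole keyspace at the given guess rate."""
    return keyspace(password) / guesses_per_second / (365 * 24 * 3600)


def is_dictionary_phrase(password: str, words=COMMON_WORDS) -> bool:
    """True when the letters of the password split entirely into listed words.

    Digits and symbols are dropped before segmenting: a simplification of the mangling
    rules a dictionary attack applies, which treat 'Sunshine2019!' as the word 'sunshine'
    plus a suffix rather than as a random 13-character string."""
    letters = "".join(c for c in password.lower() if c.isalpha())
    if not letters:
        return False
    reachable = [True] + [False] * len(letters)
    for end in range(1, len(letters) + 1):
        for start in range(end):
            if reachable[start] and letters[start:end] in words:
                reachable[end] = True
                break
    return reachable[-1]


def assess(password: str, guesses_per_second: float = 1e10) -> dict:
    """Summarise a password against the article's two criteria: length and non-dictionary content.

    The default guess rate is a constructed assumption, not a figure from the article."""
    return {
        "length_ok": len(password) >= MIN_LENGTH,
        "dictionary_phrase": is_dictionary_phrase(password),
        "charset": charset_size(password),
        "bits": round(math.log2(keyspace(password)), 1),
        "years_to_exhaust": years_to_exhaust(password, guesses_per_second),
    }


if __name__ == "__main__":
    # Constructed sample passwords: short-and-complex, long-but-dictionary, long-and-random
    for pw in ["Tr0ub4d!", "correcthorsebatterystaple", "xq7Lm!vR2kPz9wHb"]:
        print(pw, assess(pw))
```

At the assumed rate, the 8-character password built from all four character classes is exhausted in about eight days, while 16 lowercase letters alone take over a hundred thousand years; the long all-dictionary password has an enormous keyspace on paper but is flagged because an attacker would not search it character by character.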

Use a password manager, despite the news

For years, security professionals have recommended that people use password managers such as LastPass, Dashlane or 1Password to store long, complex passwords for each of their accounts. This makes it easy to create a unique password for every online account, since you only have to remember the one password for the password manager itself instead of dozens of individual passwords for every site or app. Having a different password for each account matters because it stops hackers from getting into all of your accounts when they get hold of just one.

That said, you might be nervous about using a password manager because you’ve seen news stories about these companies being breached or vulnerabilities being found in their software. This is a legitimate concern, but at the end of the day, using a password manager is still much better for your overall password security than not using one. While some of these companies have previously experienced vulnerabilities (like any other software company), in general they respond to breaches and vulnerabilities extremely well.

For example, LastPass was breached in 2015 and new vulnerabilities were found in their software in 2016 and 2017. In 2015, they notified customers within three days of the breach and found that their users’ passwords were still safely encrypted and had not been accessed. In 2016 and 2017, they fixed the vulnerabilities in their software quickly and efficiently. And even if they are breached again, using a master password of over 16 characters as described above will make it virtually impossible for the attacker to gain access and steal your treasure trove of passwords. All in all, password manager providers do their own security quite well and we still strongly recommend that you use them.
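The two properties the section relies on (one unique random password per site, and a vault that stays unreadable without a long master password) can be shown in a few lines. The following is an added example in Python, not code from the article or from any of the products named; the 600,000-iteration PBKDF2 work factor, the HMAC-based verifier and the constructed vault contents are all assumptions made for the illustration, and real managers use their own formats and parameters.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation
PBKDF2_ITERATIONS = 600_000   # assumed work factor; vendors choose their own


def generate_site_password(length: int = 20) -> str:
    """Fresh random password from the OS CSPRNG, one per account, as a manager would fill in."""
    if length < 16:
        raise ValueError("per the article, passwords should be over 16 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def find_reused_passwords(vault: dict) -> list:
    """Groups of sites that share one password (vault maps site -> password).

    Each group returned is the blast radius of a single site's breach."""
    sites_by_password = {}
    for site, password in vault.items():
        sites_by_password.setdefault(password, []).append(site)
    return sorted(sorted(sites) for sites in sites_by_password.values() if len(sites) > 1)


def derive_vault_key(master_password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch the master password into the key that protects the vault.

    Every guess at the master password costs this many iterations, and the vault's
    ciphertext is useless without the key, which is why a stolen vault stays unreadable."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def make_verifier(key: bytes) -> bytes:
    """A check value the client stores to confirm the master password before decrypting."""
    return hmac.new(key, b"vault-key-verifier", hashlib.sha256).digest()


def unlock(master_password: str, salt: bytes, verifier: bytes, iterations: int = PBKDF2_ITERATIONS):
    """Return the vault key if the master password is right, else None."""
    key = derive_vault_key(master_password, salt, iterations)
    return key if hmac.compare_digest(make_verifier(key), verifier) else None


if __name__ == "__main__":
    # Constructed vault: two sites reuse a password, two hold unique generated ones
    vault = {
        "bank.example": "Summer2019!",
        "shop.example": "Summer2019!",
        "mail.example": generate_site_password(),
        "forum.example": generate_site_password(),
    }
    print("reused across:", find_reused_passwords(vault))
    salt = secrets.token_bytes(16)
    master = "three tiny violins play off-key tonight"   # over 16 characters, as the article advises
    verifier = make_verifier(derive_vault_key(master, salt))
    print("right master unlocks:", unlock(master, salt, verifier) is not None)
    print("wrong master unlocks:", unlock("Summer2019!", salt, verifier) is not None)
```

The reuse check is the part worth running against a real export: any group it prints is a set of accounts that all fall together if one of them is breached, which is exactly the situation a manager's per-site random passwords remove.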

Use Secure MFA Methods

Last year, we urged both individual users and small to midsize businesses to adopt multi-factor authentication (MFA) solutions. This provides a crucial extra layer of security beyond strong passwords. This year, we’re amending our recommendation to advise that you use a truly secure method of MFA, because not all MFA methods are created equal. The most common one, in which users receive a text message with a five- or six-digit code in order to log into a website, does have some weaknesses and it is possible for attackers to intercept the text messages. A hacker used this very method to breach Reddit in June 2018.

Instead, make sure you’re using a push notification-based MFA solution, which uses an encrypted channel to send authentication request verifications to your smartphone instead of a text. Because of how this notification is sent, it’s much more secure than a text message and equally – if not more – convenient. We’ve covered MFA security in more detail here on Secplicity in the past.
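The difference between the two MFA methods comes down to what the server actually checks. An SMS code is a bearer secret: whoever types it in is accepted, so a code read from an intercepted text works for the attacker just as it does for the user. A push approval can instead be tied to the enrolled device and to the specific login request the user saw. The following is an added example in Python, not code from the article or from any MFA vendor; it is a simplified model in which the push approval is an HMAC over the request details under a per-device key (the binding mechanism is an assumption chosen for the illustration, and the login ids and IP addresses are constructed).

```python
import hashlib
import hmac
import secrets


class SmsCodeMfa:
    """Model of SMS one-time codes.

    The code is a bearer secret: the server cannot tell whether the person typing it is the
    account owner or someone who read it out of an intercepted or redirected text message."""

    def __init__(self):
        self._pending = {}   # login_id -> code

    def issue(self, login_id: str) -> str:
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[login_id] = code
        return code           # leaves the server over the SMS network

    def verify(self, login_id: str, code: str) -> bool:
        expected = self._pending.pop(login_id, None)
        return expected is not None and hmac.compare_digest(expected, code)


class PushApprovalMfa:
    """Model of push-based approval.

    At enrollment the app and the server share a per-device key. For each login the server
    sends the request details to the app over its own channel; the app answers with an HMAC
    over exactly those details. The approval is bound to one device and one request, so an
    approval seen for one login cannot be presented for another."""

    def __init__(self):
        self._device_keys = {}   # user -> enrolled device key
        self._pending = {}       # login_id -> (user, request details)

    def enroll(self, user: str) -> bytes:
        key = secrets.token_bytes(32)
        self._device_keys[user] = key
        return key               # provisioned into the app once, at enrollment

    def request(self, user: str, login_id: str, client_ip: str) -> str:
        details = f"{user}|{login_id}|{client_ip}|{secrets.token_hex(8)}"
        self._pending[login_id] = (user, details)
        return details           # what the app shows the user before they tap approve

    @staticmethod
    def app_approve(device_key: bytes, details: str) -> str:
        """Runs on the phone: sign the exact request the user saw."""
        return hmac.new(device_key, details.encode(), hashlib.sha256).hexdigest()

    def verify(self, login_id: str, approval: str) -> bool:
        user, details = self._pending.pop(login_id, (None, None))
        if user is None:
            return False
        expected = self.app_approve(self._device_keys[user], details)
        return hmac.compare_digest(expected, approval)


def compare_methods() -> dict:
    """Run both models on a login the user approves and a second login they never saw."""
    sms = SmsCodeMfa()
    code = sms.issue("login-1")
    # With SMS, the code works for whoever holds it; nothing ties it to who requested login-1
    sms_any_holder = sms.verify("login-1", code)

    push = PushApprovalMfa()
    device_key = push.enroll("alice")
    details_1 = push.request("alice", "login-1", "198.51.100.7")
    push.request("alice", "login-2", "203.0.113.9")   # a login alice never initiated
    approval_1 = PushApprovalMfa.app_approve(device_key, details_1)
    return {
        "sms_code_accepted_from_any_holder": sms_any_holder,
        "push_approval_valid_for_its_request": push.verify("login-1", approval_1),
        "push_approval_valid_for_other_request": push.verify("login-2", approval_1),
    }


if __name__ == "__main__":
    for name, result in compare_methods().items():
        print(f"{name}: {result}")
```

Both models also consume each pending request on first use, so a code or approval cannot be replayed against the same login; the property the push model adds on top of that is that the approval is worthless for any request other than the one the user actually looked at.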
