Password Management Best Practices

Passwordless authentication is growing in popularity and is widely regarded as the future of authentication, but for the time being, passwords are here to stay. A password can provide a high degree of protection, but any password can be guessed given sufficient time and computing power. The latest GPUs make short work of even complex passwords: a study by Hive Systems determined that an 8-character password made up of upper- and lower-case letters, numbers, and symbols can be guessed in 39 minutes, and that passwords of 6 or fewer characters can be guessed instantly regardless of their makeup. Estimates like these assume an attacker who has obtained the stored password hashes and is cracking them offline on their own hardware; a login form that rate-limits or locks accounts after a few failures permits far fewer guesses, which is why the figures matter most once a service has been breached.

Long, complex passwords need to be created and a unique password should be set for each account. Unfortunately, the longer and more complex a password is, the harder it is to remember. Considering that the average person has more than 80 accounts that require passwords, it is no surprise that people take shortcuts on security. According to a recent survey by AT&T, 42% of respondents said they reuse the same password on multiple accounts, and 31% admitted to using a birthday as a password.

Unless you can use passwordless authentication, such as fingerprint or face-scanning technology, you will need to set passwords. To ensure that your accounts are protected and your passwords are not vulnerable to brute force guessing, follow these password best practices.

The length of a password is the single most important factor. While an 8-character password was once considered acceptable, it is no longer sufficient, and adding just two characters makes a huge difference. By the same estimate, an 8-character password can be guessed in 39 minutes, a 10-character password would take 5 months, and a 12-character password would take 202,000 years, because every additional character multiplies the number of combinations an attacker must try by the size of the character set. Ten characters is now considered the minimum acceptable password length.

The first passwords tried in a brute force attack are commonly used passwords, those leaked in data breaches, and dictionary words, so these should be avoided. Do not simply add a 1 or a ! to the end of a word: cracking tools apply exactly this kind of mangling rule (a capitalised first letter, a digit or symbol appended, common letter-for-symbol substitutions) to every entry in their word lists, so the extra character adds complexity on paper but very little real security. Avoid sequential numbers and letters such as 1234 or abcd, which make passwords much faster to crack. Use a combination of upper- and lower-case letters, numbers, and symbols.

Passwords can be difficult to remember, and making them easier to remember tends to make them easier to guess. One approach that improves memorability is to combine three or four random words, such as automobile bandit fudge, and then mix in upper- and lower-case letters, numbers, and special characters.

Since every account needs a unique password, remembering all of those complex passwords is impossible without taking security shortcuts. Rather than writing passwords down, use a password manager. A password manager includes a secure password generator that produces a sufficiently complex, unique password for every account. The passwords are encrypted and stored in a password vault and are autofilled when needed, so the only password you need to remember is a strong master password for the vault. Ideally, protect the vault with biometric authentication if it is supported and you have the appropriate hardware.
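An added example, not from the original article, of the two generation strategies discussed in the two paragraphs above: a random password containing all four character classes, of the kind a password manager's generator produces, and a random-word passphrase following the automobile bandit fudge pattern. The word list is a constructed sample standing in for a large curated list, and the entropy helper shows why list size and word count decide passphrase strength. The names generate_password, generate_passphrase and entropy_bits are this example's own.

```python
import math
import secrets
import string

# Constructed word list for the demonstration. A real generator should use a
# large curated list (for example the EFF long word list with 7776 entries),
# since passphrase strength comes from the list size and the word count.
WORDLIST = ["automobile", "bandit", "fudge", "kettle", "harbor", "meadow",
            "quartz", "violin", "ember", "saddle", "lantern", "pebble"]
SYMBOLS = "!@#$%^&*?+="      # no '-' or '_' so they cannot collide with the separator
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)


def _shuffle(items: list) -> None:
    """In-place Fisher-Yates shuffle driven by the CSPRNG. random.shuffle is
    backed by a non-cryptographic generator and must not be used for secrets."""
    for i in range(len(items) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        items[i], items[j] = items[j], items[i]


def generate_password(length: int = 16) -> str:
    """Random password of the given length containing at least one character
    from each class, as a password manager's generator would produce."""
    if length < len(CLASSES):
        raise ValueError(f"length must be at least {len(CLASSES)}")
    chars = [secrets.choice(cls) for cls in CLASSES]            # one of each class
    alphabet = "".join(CLASSES)
    chars += [secrets.choice(alphabet) for _ in range(length - len(CLASSES))]
    _shuffle(chars)       # so the guaranteed characters sit at random positions
    return "".join(chars)


def generate_passphrase(words: int = 4, separator: str = "-") -> str:
    """Three or four random words, one capitalised, with a number and a symbol
    appended, following the memorable-passphrase pattern described above."""
    picked = [secrets.choice(WORDLIST) for _ in range(words)]   # with replacement
    k = secrets.randbelow(words)
    picked[k] = picked[k].capitalize()
    return separator.join(picked) + str(secrets.randbelow(100)) + secrets.choice(SYMBOLS)


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from `choices` options.
    Four words from a 7776-word list (about 51.7 bits) are comparable to eight
    characters from all 94 printable ASCII characters (about 52.4 bits) and are
    far easier to remember; the figure ignores the appended number and symbol."""
    return length * math.log2(choices)


if __name__ == "__main__":
    print(generate_password(16))
    print(generate_passphrase(4))
    print(f"4 words from 7776: {entropy_bits(7776, 4):.1f} bits")
    print(f"8 chars from 94:   {entropy_bits(94, 8):.1f} bits")
    print(f"12 chars from 94:  {entropy_bits(94, 12):.1f} bits")
```

Both generators draw from Python's secrets module rather than random: random's Mersenne Twister is not a cryptographic generator, and its future output can be reconstructed from a modest sample of past output.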

Avoid storing passwords in your browser. Even if your browser encrypts saved passwords, a browser's built-in store is far less secure than a dedicated password manager such as Bitwarden or LastPass.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news