To explain why passwords are important, a simple analogy is to compare the login credentials you use to access an online account to your home. If you think of the username as being the equivalent of your physical address, the password is the key that enables you to enter the address. Similarly, the username identifies you to the website provider in the same way as a physical address would identify you to the Postal Service, but the only way you can enter the website is with your password – or “key”.
The Important of Keeping Your Key Safe
Continuing with the physical address analogy, one of the reasons for having a key to a physical address is to stop other people entering it without your permission. Consequently, you keep your key safe, you don´t share copies of it with people you don´t know, and you don´t leave the key in places where people can find it unless they have your permission to enter the physical address.
The other things to consider with keys to physical addresses is that they are complex (so the security measures protecting the physical address – or locks – are difficult to bypass), they are unique (so the same key can´t be used to enter multiple physical addresses), and you might use more than one key to prevent unauthorized access to the physical address if you are particularly security conscious.
Applying the Physical Address Analogy to Passwords
Like a key to a physical address, it is important that a password for an online account is kept safe, not shared with people you don´t know, and not left where other people can find it. So, for example, you shouldn´t write the password for your online bank account on a sticky note and leave it attached to your workstation screen in an open plan office.
Similarly, the password needs to be complex so other people can´t guess it, and unique so people don´t try common combinations of passwords to get unauthorized access into your account. With regards to using more than one key to protect the account, instead of using two passwords, you can use secondary authentication methods such as OTP Alerts and 2-Factor Authentication.
The Big Difference between Physical Addresses and Online Accounts
The big difference between the physical address analogy and passwords to online accounts is that there are more people trying to break into your online accounts than there are people trying to break into your home. Hackers can use data from social media, online shopping, and bank accounts to commit identity theft and fraud, and they can steal this data easily if they have your password.
However, rather than sneak into your office to look for sticky notes attached to workstation screens hackers use software to “guess” passwords using advanced algorithms. Some software is capable of attempting thousands of password combinations per second; so, if you are using a simple password, there is a high likelihood the account it is “protecting” could be quickly compromised.
Prevent Account Compromises by Applying These Password Best Practices
Although there are multiple sources of password best practices, the most reliable is the National Institute of Standards and Technology (NIST) as this organization develops standards used by the government to prevent unauthorized persons gaining access to federal computer systems. With regards to password best practices, NIST recommends:
- Passwords should contain a minimum of eight characters – but the longer the better (up to 64 characters) – and should be unique for each account.
- Users should create strong passwords using a combination of alphanumeric characters, special (Unicode) characters, emojis, and spaces.
- Passwords should not include dictionary words nor sequential or repeated characters and numbers (i.e., “abcd” or “1111”).
- Stored passwords should be hashed and salted to prevent hackers being able to use them if they obtain access to network systems.
- New passwords should be screened against previously compromised passwords known to be included in hacking software algorithms.
The Benefit of Using a Password Manager to Protect Accounts
One of the issues with creating strong and unique passwords for separate accounts is remembering the passwords and which accounts they apply to. Password managers can help overcome this issue by storing hashed and salted passwords in secure vaults that are only accessible to users when they enter a master password. Alternatively, password managers can be configured to autofill login credentials – provided the person trying to access the online account is an authorized user.
In addition, password managers can be used to generate new passwords in compliance with the NIST recommendations, check existing passwords against databases of previously compromised passwords, and alert users to weak or reused passwords that should be replaced with stronger, unique passwords. In most cases, password managers also synchronize with other security tools (i.e., 2-Factor Authenticators) to create a more robust online security solution.