On May 7 it was World Password Day. A day on which a lot of awareness about password security is shared.
A lot of good advice but unfortunately also a lot of misleading, dangerous or even bad advice. I'm sure the intentions of people sharing this advice are good but by doing so they might give others a false sense of security and weaken their online security.
Password security is one of my favorite security domains. I blog and tweet a lot about it to raise awareness. I decided to do this short write-up to bundle some password security best practices.
What is a strong password?
I saw this tweet with the usual password length vs. time to crack table.
Like I said it doesn't take 57 days to crack the password [email protected] (the o is replaced by a zero) which contains numbers, lower and uppercase characters and symbols. Because this is well known password this can be cracked instantly by using wordlists.
Password length certainly matters, but a strong password also needs to be unique and random. You should not reuse passwords across accounts. This is important because attackers will use stolen passwords - often in combination with email addresses - to try to gain access to websites or applications.
A while ago I wrote a blog that describes in detail how you can create strong passwords that fulfill all these requirements.
No, passwords are not like underwear
Often changing passwords is bad advice and leads for most users to replacing a weak password by another weak one. For instance by incrementing a number at the end or by changing Winter2019 to Spring2020.
In itself there's nothing wrong with changing a strong password into another strong one:
But let's just face it, this is not how the majority of users generate passwords.
This is why forcing regular password changes is considered a security antipattern like I describe in this blog.
You should change your password when there's proof or suspicion of compromise. One of the ways to know whether an account is hacked is by using data breach monitoring services. Check out this post in which I give an overview of different data breach monitoring services.
The endless Password management discussions
I tweeted the following a few days ago
And like always I got the typical reactions. People saying that you shouldn't write down passwords.
But like Mike replied it's how you store the written note that matters.
A problem a lot of people seem to have is that they are disconnected from reality. They don't seem to be able to put themselves in the shoes of an average user and realize that
- usability is the most imporant factor for adoption. A password manager is too difficult to use for a lot of people.
- using a password book is for many people - for instance my parents - a secure way of managing passwords given their threat model. It enables them to use different passwords for every account and attackers must steal the book from their house to get access to the passwords. This is very unlikely to happen unless you're a high value target. Burglars are typically also not interested in password books.
I've described in more detail before why a user's threat model and tech experience should be taken into account and hence password managers are not the best solution for everyone.
For less tech savvy users a browser password manager could be an option to improve their password security. But keep in mind that browser password managers don't offer the same level of security than third party password managers.
I use a password manager myself. If you want to learn more about the selection criteria I used to make my choice, do read this blogpost.
Another typical reaction is this one.
Like I describe in this post, this distrust is often based on generalization, misconceptions or not understanding the security architecture of particular password managers. People are often critical about password managers but don't realize their alternative most likely is more insecure.
Don't rely on passwords only
Enable multi-factor authentication (MFA) whenever a website of app offers it. When your password falls in the wrong hands MFA can still keep the attackers out of your account in the most cases. Make sure though that you don't lock yourself out of your accounts when enabling MFA.
I hope some of these best practices are helpful to improve your online security.