Password complexity is a hotly debated topic. Intricate rules may seem the best way to secure IT landscapes, but the benefit is negated if the resulting passwords are difficult for people to remember.
Keep it simple…
With that in mind, a “good” password should be generated using simple rules so that it is easy to remember (it goes without saying that passwords should never be written down). For example, one common method takes the first letter of each word in a memorable sentence or song lyric, replacing letters with symbols or numbers where possible, to produce a unique password that is easy to recall.
Combining two straightforward but unrelated words is also a good idea, and can help meet number and non-alphabetic character requirements. It also makes the password longer, which adds security because the number of possible character combinations grows exponentially with length.
A password should not follow an algorithmic pattern, so that it cannot be “brute-forced” by machine power (whereby a computer, working from either a word list or a pre-defined algorithm, continually “guesses” passwords until it finds the right one). Common habits such as putting @1 at the beginning or end should also be avoided: the pattern is easy to script, and it narrows the search when attacking the password hash (because “@” and “1” are predictable, leaving fewer unknown characters to guess).
Although passwords should be kept as simple as possible, they should never be obvious.
Despite frequent advice to the contrary, people often include personal attributes in their passwords, or obvious words (Monday123, Welcome1, Password!, <first name>#, etc.). A rainbow table is a precomputed list of commonly used passwords and their hashed equivalents, which makes it easy to determine whether someone is using an easily guessed system sign-in, and therefore to deter them from doing so.
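The three rules above (length grows the search space exponentially, predictable affixes such as @1 and personal details shrink it, and common passwords are trivially found in a precomputed hash table) can be turned into a defensive audit that runs at password-set time. The following is an added example, not code from the original article; the common-password list, the minimum length of 12 and the 50-bit search-space floor are constructed assumptions chosen for illustration, and the unsalted SHA-256 lookup table exists only to show how a precomputed table works.

```python
"""Audit a candidate password against the rules described above (added example)."""
import hashlib
import math
import re

# Constructed sample of commonly chosen passwords: the article's own examples plus a
# few generic ones. A real deployment would use a large breached-password list.
COMMON_PASSWORDS = ["Monday123", "Welcome1", "Password!", "password", "123456", "qwerty"]

# Precomputed hash -> plaintext map, i.e. the kind of lookup table the text describes.
# Unsalted SHA-256 is used here purely to show why such tables work against
# unsalted hashes; it is not a recommendation for storing passwords.
PRECOMPUTED = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

MIN_LENGTH = 12   # assumed policy threshold, not taken from the article
MIN_BITS = 50.0   # assumed minimum search-space size in bits, not from the article


def unsalted_hash(password: str) -> str:
    """Hash exactly as a naive system would, so the precomputed table applies."""
    return hashlib.sha256(password.encode()).hexdigest()


def lookup_precomputed(hexdigest: str):
    """Return the plaintext if the hash is in the precomputed table, else None."""
    return PRECOMPUTED.get(hexdigest)


def search_space_bits(password: str) -> float:
    """log2 of the number of strings of this length drawn from the character
    classes actually present. Linear in length, so the number of combinations
    an attacker must try grows exponentially with each extra character."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        pool += 33  # printable ASCII punctuation plus space
    return len(password) * math.log2(pool) if pool else 0.0


def audit(password: str, first_name: str = "") -> list:
    """Return a list of findings; an empty list means the password passed."""
    findings = []
    hit = lookup_precomputed(unsalted_hash(password))
    if hit is not None:
        findings.append(f"matches precomputed common password {hit!r}")
    if re.search(r"^@1|@1$", password):
        findings.append("uses the predictable '@1' prefix/suffix")
    if first_name and first_name.lower() in password.lower():
        findings.append("contains the user's first name")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if search_space_bits(password) < MIN_BITS:
        findings.append("search space too small for brute-force resistance")
    return findings


if __name__ == "__main__":
    for candidate in ["Welcome1", "Summer2020@1", "Giraffe-Spanner-7%"]:
        print(candidate, "->", audit(candidate) or "ok")
```

The search-space estimate is deliberately an upper bound: it assumes every character was chosen independently, which is exactly what the article's advice against patterns and personal details is trying to make true.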
Avoid frequent password changes
One reason behind poorly chosen passwords such as those above is the requirement to change them frequently, which means users often fall back on “recycling” a few favourites, or on predictable patterns such as incrementing any number the password contains.
Instead of enhancing security, the password reset tactic is detrimental to it, and there is growing support for the view that a password only needs to be changed if there is a risk that it has been compromised.
Random password generation
Using a password manager is a highly effective strategy. As well as providing strong random password generators (which can be tailored to the user’s needs), password managers store credentials securely using end-to-end encryption. Various applications are available, including Dashlane and 1Password by AgileBits, for example.
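What a password manager's generator does under the hood is draw characters from a cryptographically secure random source and apply the user's constraints. The block below is an added example, not code from the article or from any of the products named; it shows both a character-level generator with tailoring options and a word-combination generator in the spirit of the "two unrelated words" advice. The wordlist and symbol set are constructed assumptions; a real passphrase generator would use a large published list so that each word contributes far more entropy.

```python
"""Random password and passphrase generation with the secrets module (added example)."""
import math
import secrets
import string

# Characters that are easy to confuse when a password must be read aloud or typed.
AMBIGUOUS = set("Il1O0")
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"

# Constructed toy wordlist for illustration only.
WORDLIST = ["giraffe", "spanner", "harbour", "velvet", "meteor", "pickle",
            "lantern", "quartz", "saddle", "tundra", "walnut", "zephyr"]


def generate_password(length=16, symbols=True, avoid_ambiguous=True):
    """Draw each character uniformly from the OS CSPRNG and reject candidates
    that miss a required class, so the result stays uniform over the set of
    acceptable passwords (no bias from forcing particular positions)."""
    if length < 4:
        raise ValueError("length must allow at least one character per class")
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if symbols:
        classes.append(SYMBOLS)
    if avoid_ambiguous:
        classes = ["".join(c for c in cls if c not in AMBIGUOUS) for cls in classes]
    pool = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(pool) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def generate_passphrase(words=3, separator="-", digits=2):
    """Join unrelated words, then append random digits so that numeric
    requirements are met without the user inventing a predictable suffix."""
    chosen = [secrets.choice(WORDLIST) for _ in range(words)]
    suffix = "".join(secrets.choice(string.digits) for _ in range(digits))
    return separator.join(chosen + ([suffix] if suffix else []))


def password_bits(length, symbols=True, avoid_ambiguous=True):
    """Entropy upper bound: length * log2(pool size). Rejection sampling
    discards a small fraction of candidates, so true entropy is marginally lower."""
    pool = string.ascii_letters + string.digits + (SYMBOLS if symbols else "")
    if avoid_ambiguous:
        pool = "".join(c for c in pool if c not in AMBIGUOUS)
    return length * math.log2(len(pool))


def passphrase_bits(words=3, digits=2, wordlist_size=len(WORDLIST)):
    """Entropy of a passphrase: words * log2(list size) + digits * log2(10)."""
    return words * math.log2(wordlist_size) + digits * math.log2(10)


if __name__ == "__main__":
    print(generate_password(20), f"~{password_bits(20):.0f} bits")
    print(generate_passphrase(), f"~{passphrase_bits():.0f} bits (toy list)")
```

The entropy helpers make the trade-off visible: with a 12-word toy list a three-word passphrase carries only about 17 bits, which is why real generators use lists of thousands of words, whereas a 16-character random password from this pool is already over 100 bits.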
Requiring users to confirm their identity separately for every organisational system can cause them to bypass security policies in order to make life easier.
In contrast, secure single sign-on, which grants full system access once identity has been verified, provides a better end-user experience and thereby reduces the threat of shared passwords and user IDs.
Beyond the password
However, there is also a growing movement that believes passwords alone do not provide adequate system protection.
Aided by advances in supporting technology, many companies are looking at additional options.
Taking a risk-based approach to system access enables an enterprise to determine when more robust sign-in measures are required.
For example, a (strong) password is generally enough security when logging into email, but if the system contains sensitive data or business critical information, additional security layers should be considered.
Some examples of these include:
Multi-factor authentication (MFA) combines something a user has or is (a logon token or a fingerprint, for example) with something they know (such as their password).
It simplifies system login while ensuring that security continues to be applied. Other secondary mechanisms that complement passwords include RFID cards, logon tokens and authenticator applications.
As well as the use of fingerprints above, biometrics (potentially the most secure authentication available today) includes facial and iris scanning and voice recognition.
However, it is advanced technology, and applying it for anything other than highly sensitive information is not an efficient use of time and budget.
It’s also worth noting that, in a post-GDPR world, biometric data is in itself classed as highly sensitive, personally identifiable information. Any organisation storing it needs to ensure that the records are controlled, secured and used only for legitimate purposes.