Password Security Best Practices in 2020
Concerned about protecting your financial transactions and private data stored online? A strong password policy is your front line of defense against security threats, scammers and hackers. Implementing the best password security practices is as important at work as it is at home.
You need to understand how much risk easy-to-guess passwords bring. And no, you cannot use the same password for twenty different accounts just because it is easy to remember. Let’s get straight to the point and go through some of the best policies that will help you create reliable, secure passwords online.
1. Character Length: There is no single ideal password length. The more characters a password has, the harder it is to crack. Use at least 8 characters as the bare minimum.
2. Character Type: Use a combination of ASCII characters — uppercase, lowercase, numbers, and symbols. It reduces the chance of your password being guessed. Example: XkeDZaJ3%yIOd3
3. Password Dictionaries: The password should not appear in popular password dictionaries. There are online tools where you can check a password against known password lists. Use them.
4. Password Manager: Are your passwords too long and complex to remember? Use a password manager. That should suffice.
5. Password Generators: There are random password generators available online that offer better password security.
1. Dictionary Words: Do not use words straight out of the dictionary. If your passwords are meaningful, they are probably already in an attacker's word list.
2. Password Change Requirements: Contrary to popular belief, the latest NIST guidance (SP 800-63B) discourages frequent forced password changes and calls them counterproductive to good security practice.
3. Pet Names: No doubt you love your cat, and it is tempting to name your password after it. But don’t! Hackers can guess it easily. The same goes for people, places, and events.
4. Password Reuse: If you are forced to change your password, do not change it from “Utopian.Knight1” to “Utopian.Knight2”. Start over and create a new one.
5. Adjacent Keyboard Strings: qwerty7894 is not a secure password. Do not use keyboard patterns in any form.
1. Enforce a password history policy that remembers a minimum of 10 previous passwords. This prevents a user from reusing previous passwords.
2. The minimum password age should be kept between 3 and 7 days.
3. Force users to generate a new password every 90 days.
4. Generally, the minimum password length is 8 characters. If you are looking for greater security, raise the minimum to 14 characters.
5. It should meet the expected complexity guidelines: no username or part of the user's full name should be allowed, and it should contain at least 3 character types — lowercase, uppercase, numbers, and symbols.
6. Use strong passphrases for the domain admin account. Keep the length to a minimum of 15 characters.
7. For local administrators, the password reset frequency should be 180 days, and for a service account it can be at least once a year.
8. Add a two-factor or multi-factor authentication system as part of your password security protocol.
9. Configure a password audit policy so that password changes are tracked. It ensures user accountability in case of a security breach.
10. Send a notification prior to password expiry so users know when to change their passwords.
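As an added example (not code from the original post), here is a Python checker that encodes the rules above: minimum length, at least three of the four character types, no username or name parts, not in a common-password list, no adjacent-keyboard sequences, no reuse from the last 10 passwords, and no trailing-digit increment of the previous password (the Utopian.Knight1 to Utopian.Knight2 case). The common-password set and keyboard rows are constructed stand-ins for real lists.

```python
import re
from typing import List

# Constructed stand-in for a real breached/popular-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou"}
# Physical rows of a US keyboard; runs of 4 keys in either direction are rejected.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def has_keyboard_run(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` adjacent keyboard keys, e.g. 'qwer' or '7890'."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + run] in low for i in range(len(seq) - run + 1)):
                return True
    return False


def strip_trailing_digits(s: str) -> str:
    return re.sub(r"\d+$", "", s)


def is_trivial_increment(new: str, old: str) -> bool:
    """True if only the trailing digits differ (Utopian.Knight1 -> Utopian.Knight2)."""
    base = strip_trailing_digits(old)
    return bool(base) and strip_trailing_digits(new) == base


def check_password(pw: str, username: str, full_name: str,
                   history: List[str], min_len: int = 14,
                   min_classes: int = 3) -> List[str]:
    """Return the policy violations for pw; an empty list means it passes."""
    problems: List[str] = []
    low = pw.lower()
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = sum(bool(re.search(p, pw)) for p in CLASS_PATTERNS)
    if classes < min_classes:
        problems.append(f"uses {classes} character types, need {min_classes}")
    for part in [username] + full_name.split():
        if len(part) >= 3 and part.lower() in low:
            problems.append(f"contains name or username part '{part}'")
    if low in COMMON_PASSWORDS or strip_trailing_digits(low) in COMMON_PASSWORDS:
        problems.append("listed in a common-password dictionary")
    if has_keyboard_run(pw):
        problems.append("contains an adjacent-keyboard sequence")
    if pw in history[-10:]:  # password-history policy: last 10 remembered
        problems.append("reused from password history")
    elif history and is_trivial_increment(pw, history[-1]):
        problems.append("only the trailing digits changed from the previous password")
    return problems
```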
It can be a joke, an interest or a quote from your favorite movie. You can use it to make a secure password. For instance, take the quote “Frankly, my dear, I don’t give a damn” from Gone With the Wind.
You can build a password around this by adding a few numbers: Frankly9my8dear7I6dont5give4a3damn2!
G0 @h3@d, M@k3 My Day!, *M@y tH3 F0rc3 b3 W1th y0U*, and TH3r3’5 n0 pL@c3 l1K3 h0m3_ are similar examples.
They are almost impossible to crack and much easier to remember.
1. Dictionary attacks
These are attacks on passwords that resemble words from the dictionary. They also target derivatives of commonly used words in which letters are replaced with numbers or other characters.
2. Brute force attack
These are attacks on passwords that have no meaning, that is, do not resemble any dictionary word. An example is trying every possible combination from aaa1 to zzz10. The hacker keeps trying as many passwords and passphrases as possible, hoping to get lucky in the guessing game.
3. Cracking security questions
Security questions are a commonly used second factor because a lot of people find them easy to remember. But the answers are also easy for hackers to crack, as they are mostly available on social media profiles. All they need to do is a little bit of digging.
4. Social engineering attack
Here hackers play on users’ psychology and trick them into disclosing their passwords. A common example of a social engineering attack is phishing, where hackers lure users with irresistible offers into following malicious links and then steal their credentials.
A lot of passwords in corporate businesses are built from words related to the business itself. Savvy hackers study corporate literature and build a custom word list to launch a brute-force attack against those passwords.
Stolen and weak passwords are the most common causes of data breaches. Experts cannot emphasize enough the importance of using strong passwords. The surefire formula for password security is — know what to have; understand how and why it is at risk; and take action to prevent it from happening. Bam! You have the strongest password ever.
Rakesh Soni, February 9, 2020