What makes a strong password?
There is a vast array of identity authentication and access control systems, but passwords still seem to play the most vital part in system security. Passwords provide a means of protecting a system through identity management. The issue in password security lies in the lack of consistency in keeping a strong password. Analysis of the rise in password breaches shows how a threat actor with little or limited working knowledge of passwords is able to exploit this weakness to obtain a legitimate user's password and gain unauthorised access.
Why do we need passwords?
Life these days largely relies on the use of passwords, from logging in to our computers to reading emails, transferring files, using funds, shopping online or even reading specific parts of papers online. This creates a need for a strong password to access these services and, to prevent a single compromised password from exposing every access portal through password re-use, the need for different passwords across different services and access portals.
The average daily user will usually choose a simple, guessable password that is easy to memorise, which gives threat actors and identity thieves the opportunity to take advantage of people's lack of security consciousness. This makes it all the more relevant for organisations to recognise password strength as a security issue and to ensure such a vulnerability is not exploited as low-hanging fruit.
Myths about password strength
Password strength is measured by its resistance to brute-force or dictionary attacks. The statement that passwords must contain special characters or numbers to be strong is a legacy one. Enforcing a forced change of password without a dire need is also a myth: users should never be forced to rotate passwords, as enforced rotation can create a sense of pressure that leads users to change their passwords to whatever is easiest to memorise.
To clear up some misconceptions about password strength, it is vital to take a deep dive into what the misconceptions are:
Usage of letters, numbers and special characters
This is largely a myth: composing a password from these attributes can add to its complexity, but these attributes alone do not determine the strength of a password.
Enforcing forcible rotation of passwords
This pressures users to change passwords regularly, which can make a user run out of memorable passwords and lead them to set easily guessable passwords that they feel able to memorise.
Password recovery questions and being honest about them
Password recovery questions, if answered honestly, can be a way for a threat actor to enumerate personal information about a user and then try to retrieve their password using the password recovery functionality. These password recovery answers should always be another password phrase, which can later be stored in a password manager.
Password strength - things to consider
Apart from the myths that we discussed, it is vital to also shed light on what makes a good password with current security standards in place. The following pointers give a good reference point on what characteristics make up a strong password.
Password strength depends mostly on its length; it is vital to keep a password 10 characters or more. The theory behind this is that the higher the number of characters in use in the password, the more complex and strong it becomes. A similar approach applies to system-generated passwords, which should be at least 6 characters or longer to ensure security.
To further enhance this security, it is vital to configure systems in such a way that a user is able to set long passwords, such as 64-character passwords; this allows users to exceed the password complexity requirements and make their passwords incredibly secure.
Using characters from the ASCII set, including lowercase, uppercase, numeric, alpha-numeric and special characters, in a mixed format is always a good idea to ensure the complexity of the password is at its highest.
Password entropy depends on the length and the mix of characters used, so the strongest password entropy will always come from setting a longer password with extended use of mixed ASCII characters.
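As an added illustration, not code from the original article, the following Python models the entropy calculation described above: each character class present in the password adds to the pool an attacker must search, entropy is length times log2 of that pool, and the crack-time estimate assumes a constructed guess rate of 10 billion guesses per second (my assumption, not a figure from the article). It also shows why length dominates: a 14-character lowercase-only password scores more bits than an 8-character one that uses all four classes.

```python
import math

# Sizes of the printable ASCII character classes named in the article.
POOLS = {
    "lowercase": 26,
    "uppercase": 26,
    "digits": 10,
    "symbols": 33,   # the remaining printable ASCII characters (95 - 62)
}


def pool_size(password: str) -> int:
    """Size of the character set an attacker must search, inferred from the
    classes actually present in the password."""
    size = 0
    if any(c.islower() for c in password):
        size += POOLS["lowercase"]
    if any(c.isupper() for c in password):
        size += POOLS["uppercase"]
    if any(c.isdigit() for c in password):
        size += POOLS["digits"]
    if any(not c.isalnum() for c in password):
        size += POOLS["symbols"]
    return size


def entropy_bits(password: str) -> float:
    """Brute-force entropy: length * log2(pool size). Every extra character
    adds a full log2(pool) bits, which is why length matters most."""
    return len(password) * math.log2(pool_size(password))


def years_to_crack(password: str, guesses_per_second: float = 1e10) -> float:
    """Expected years to hit the password after searching half the keyspace.
    The default guess rate is an assumed figure for a fast offline attack,
    not a number taken from the article."""
    keyspace = pool_size(password) ** len(password)
    seconds = (keyspace / 2) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed samples: three from the article plus a length-vs-mix pair.
    for sample in ("gwgtA78UY}CarTY]", "ireland2020", "crazy1",
                   "abcdefghijklmn", "aB3!aB3!"):
        print(f"{sample:18} pool={pool_size(sample):3} "
              f"bits={entropy_bits(sample):6.1f} "
              f"years={years_to_crack(sample):.3g}")
```

The estimate deliberately assumes a uniformly random password; a dictionary word such as "ireland" collapses the real search space far below what the pool arithmetic suggests, which is the point the later section on bad passwords makes.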
Avoiding password re-use and using a unique password for each platform can prevent a threat actor from gaining access to the other platforms a user has access to if one of them is compromised.
A password manager is a great utility to store and manage passwords. These can have a master password to access an encrypted database of all your passwords. These password managers often come with a random password generation functionality which can be used to set long and complex passwords for different platforms and save them to the password manager to ensure robust security.
Locking out users after a small number of password attempts on a platform can be frustrating for the end-user, so a sufficient number of attempts should be allowed for a user to log in successfully; however, a bar needs to be set to ensure this functionality is not abused by a threat actor, and 10 invalid login attempts is the standard industry-recognised threshold for locking out a user.
To enhance this, 2-Factor Authentication (2FA) is a great choice, as it adds a further layer of security for the user. If a user's password is compromised but 2FA is deployed, an attacker still needs to bypass the 2FA mechanism to compromise the user's account. 2FA also sends notifications to users when a login attempt was made from an unknown location, an unknown device or even an unknown browser.
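As an added example (not code from the article), here is a minimal per-account lockout tracker in Python that implements the 10-attempt threshold the article cites. The 15-minute lockout duration and the injectable clock are my own assumptions. Two design points worth copying: a successful login resets the counter so an honest user's occasional typos never accumulate, and a locked account is refused before the password is checked, so the lockout state cannot be used to confirm a correct guess.

```python
import time
from collections import defaultdict

MAX_FAILED_ATTEMPTS = 10      # lockout threshold the article cites
LOCKOUT_SECONDS = 15 * 60     # assumed lockout duration, not from the article


class LoginAttemptTracker:
    """Per-account failed-attempt counter with a temporary lockout."""

    def __init__(self, clock=time.time):
        self._clock = clock                  # injectable so tests can fake time
        self._failures = defaultdict(int)
        self._locked_until = {}

    def is_locked(self, user: str) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self._clock() >= until:
            # Lockout expired: clear it and start counting afresh.
            del self._locked_until[user]
            self._failures[user] = 0
            return False
        return True

    def record_failure(self, user: str) -> bool:
        """Count a failed login; returns True if the account is now locked."""
        if self.is_locked(user):
            return True
        self._failures[user] += 1
        if self._failures[user] >= MAX_FAILED_ATTEMPTS:
            self._locked_until[user] = self._clock() + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, user: str) -> None:
        """A good login resets the counter so legitimate typos never accumulate."""
        self._failures[user] = 0
        self._locked_until.pop(user, None)


def attempt_login(tracker: LoginAttemptTracker, user: str, password: str, verify) -> str:
    """Outcome of one login attempt: 'locked', 'ok' or 'denied'.
    `verify(user, password)` is the caller's credential check (assumed);
    it is not even consulted while the account is locked."""
    if tracker.is_locked(user):
        return "locked"
    if verify(user, password):
        tracker.record_success(user)
        return "ok"
    tracker.record_failure(user)
    return "denied"
```

In a real deployment the counters would live in shared storage rather than process memory, and the same threshold would be applied per source address as well as per account, so that a distributed guessing campaign is caught too.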
Things you should NOT do
Although there are industry-wide formats and documents showcasing what a strong password consists of, it should also be made clear what a user should not do when assessing the strength of their passwords.
People often choose to build passwords from dictionary words, or a password concatenated with dictionary words, numerical values or sometimes the names of places, such as countries or towns, or even of their loved ones or people they know. This can result in an attacker enumerating all this information that relates to a user and then chaining it together into a wordlist to attempt to compromise their password.
Users often set passwords from adjacent characters on their keyboard; these can easily be compromised by an attacker. Similarly, reusing a password you have set within the previous 5 changes can also increase the chances of it being compromised.
What is a good password?
A good example of a password would be something as follows:
gwgtA78UY}CarTY] (https://passwordsgenerator.net/)
The above generated password uses a good mix of all ASCII character types and is 16 characters long; such a password can take 1 quintillion years (https://howsecureismypassword.net/) to be cracked through a brute-force attack using a high-performance machine. Setting such passwords can be a tiring task, but a password set this way is robust, complex and strong, and will also comply with the extremely stringent policies we sometimes come across on several platforms.
A bad password, on the other hand, would be similar to the following:
ireland2020
can possibly be retrieved by a high-performance machine in 1 month. This is primarily because it uses a country name and no special characters. The length of the password is 11 characters, which gives it some extra padding time before it is cracked; if the same password were something similar to "crazy1", it would be cracked almost instantly by any budget machine, because it is a dictionary word combined with a numeric value and only 6 characters long, making it weak and an easy target.
Passphrases or short one-liners from movies, jokes or quotes can be a good choice; converting these to an ASCII mix can make great, robust, long passwords. Users should make sure these are not excessively common, to avoid falling victim to a dictionary attack. Something similar to "I will be back" from Arnold can be converted to a mix of ASCII of your choice, which can result in an example such as the following:
1w1!Lb3B@cK!!@#
This is a 16-character password with a good ASCII mix, and it will take 16 billion years to solve!
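The rules gathered across the "things to consider", "things you should NOT do" and "what is a good password" sections can be turned into a single policy check. The Python below is an added example rather than the article's code: it uses a constructed six-word dictionary and a simplified QWERTY layout as stand-ins for a real wordlist, and it remembers the previous 5 passwords as salted PBKDF2 digests instead of storing them in clear. Run on the article's own samples it passes the generated password and flags ireland2020 and crazy1.

```python
import hashlib
import os

MIN_LENGTH = 10          # the article's minimum length
HISTORY_DEPTH = 5        # the article's "previous 5 changes"

# Constructed mini wordlist for illustration only; a deployment would load a
# full dictionary plus a breached-password list.
DICTIONARY = {"ireland", "crazy", "password", "dublin", "summer", "welcome"}
# Simplified QWERTY rows used to spot adjacent-key sequences.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def char_classes(password: str) -> int:
    """Number of the four ASCII classes (lower, upper, digit, symbol) present."""
    checks = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(checks)


def has_dictionary_word(password: str, min_len: int = 4) -> bool:
    """True if a dictionary word of min_len+ letters appears anywhere, ignoring case."""
    lowered = password.lower()
    return any(word in lowered for word in DICTIONARY if len(word) >= min_len)


def has_keyboard_walk(password: str, run: int = 4) -> bool:
    """True if `run` adjacent keys from one row appear in either direction."""
    lowered = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            segment = row[i:i + run]
            if segment in lowered or segment[::-1] in lowered:
                return True
    return False


def history_entry(password: str) -> tuple:
    """(salt, digest) pair that lets us recognise an old password later
    without keeping the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def was_recently_used(password: str, history) -> bool:
    """Compare against the last HISTORY_DEPTH entries only."""
    for salt, digest in list(history)[-HISTORY_DEPTH:]:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if candidate == digest:
            return True
    return False


def evaluate(password: str, history=()) -> list:
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if char_classes(password) < 3:
        problems.append("uses fewer than 3 of the 4 ASCII character classes")
    if has_dictionary_word(password):
        problems.append("contains a dictionary word or place name")
    if has_keyboard_walk(password):
        problems.append("contains a keyboard walk such as qwer or 1234")
    if was_recently_used(password, history):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    # Constructed run over the article's samples plus a keyboard-walk case.
    for sample in ("gwgtA78UY}CarTY]", "ireland2020", "crazy1", "Qwerty12345!"):
        print(f"{sample!r}: {evaluate(sample) or 'OK'}")
```

Note that the history check is the only rule that needs state: the user's previous passwords must never be stored reversibly, so only a salted slow hash per entry is kept and the candidate is rehashed with each stored salt at change time.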
What can you do to strengthen passwords
Since we now know that keeping longer passwords of 10 characters or more with a mix of ASCII, unique on each platform and stored securely, is the key to password strength, managing such a long list of complex passwords can be a tedious task. Fortunately, a few tricks and techniques can ensure that this complies easily with security standards and practices without much hassle for the user.
Using password managers to store long, complex passwords is a great method. Password managers allow the password database to be encrypted, and added features allow the generation of strong, robust passwords as well.
Even with password managers, a user still needs to remember at least 1 password, which they might rotate when changing them. Using a Diceware method, where the user takes a passphrase and converts it to a good mix of ASCII characters to ensure both length and complexity, can be a great way to have robust passwords.
Use of 2FA does not make the password invincible; however, if a threat actor gains access to your password through phishing or a social engineering method, 2FA prevents them from using it. Avoiding phone-number-based 2FA in favour of application- or physical-token-based 2FA is always a better go-to, as it ensures a user is able to make changes to their phone services without disrupting their 2FA implementation.
Last but not least, password recovery questions are usually answered truthfully by a user, but this can be social-engineered by a threat actor: for example, enumerating from a social media account what city a user lives in and then trying that city as a recovery answer might aid an attacker. To prevent this, it is always a good idea to treat security questions as secondary passphrase passwords that follow a similar format to a robust password and can be stored in a password manager.
In conclusion, whilst password security can be complex, the above techniques and procedures can make it quite simple. Using long, complex and robust passwords in conjunction with password managers, 2FA and complex password recovery answers can ensure password security and prevent compromise, even where an attacker has extended computational resources to try to solve these.