We’ve had a lot of questions recently about cybersecurity and changing passwords, so we thought it would be a good idea to put some information together about the best practices for protecting passwords for your business.
People often think that they’re great at passwords, but this is very rarely the case. We’ve found that most the time, when presented with two passwords and asked which is the “stronger” choice, most people actually get the wrong answer! I think this speaks volumes about how comfortable we are with passwords, when really, we should not be at all.
Your password it the key to your life. There’s more malicious people than ever, and they’re using incredibly smart, AI driven tools. You need to know how to protect yourself, and using a solid system to create the best password possible is vitally important. First, let’s take a look at some common trends in passwords that makes a hacker’s job nice and easy.
Password Patterns (Avoid These):
- 77% of passwords that have a single digit add it to the end of their password. 10% of the time, an appended digit will be a “1”. If the password has capitals, 15% of the time it will be a “1”. Adding a 1 to the end of your password has become effectively meaningless for your security!
- 35% of passwords requiring a capital letter will capitalize the first letter.
- 61% of passwords are the exact length of the minimum length set in the password policy.
Things to Keep in Mind When Creating a Password:
- Length is more important than complexity. This does not mean complexity is not important, just that length is more important. Shoot for length first, then complexity.
- Avoid common substitutions, as they are baked into password cracking rule-sets. Common substitutions include: a = @, i = !, s = $, etc. Same with adding a 1 to the end of your password and capitalizing the first character. These are common patterns, and are well-known to crackers.
- Instead of thinking “password” think “passphrase”. A single dictionary word is extremely bad. Four to five random dictionary words, perhaps separated by spaces or special characters, is robust. The benefit of a passphrase is that it is easier for you to generate entropy while still remembering your key. Generating entropy through randomized characters is hard, and results in a hard to remember password, meaning you will likely end up with less entropy.
- Avoid “password walking”. This is using a password with adjacent keyboard characters (e.g. “qwerty”, “1q2w3e4r”, “1qaz2wsx”, etc.)
- You should be using a different password for every website. At the very least, your e-mail password should be extremely strong and unique. If someone gets into your e-mail, they can simply reset every other password connected to that e-mail, regardless of how strong they are. Password re-use attacks are common. I cannot overstate the importance of this one tip.
And finally, here’s a really useful tip from popular internet webcomic xkcd: