Over the last few years, you’ve probably heard all about the importance of using strong, unique passwords for your online accounts. But have you actually practiced doing so? Perhaps you aren’t worried about a data breach or hackers targeting you, because they only go after big companies, right?
Wrong. Very wrong. In fact, cybercriminals target thousands of small businesses and individuals on a daily basis. But whether you’re running a Fortune 500 company, a small business, or if you’re an entrepreneur or a contractor working from a home office, there is one thing all cybersecurity experts recommend and agree on — using unique passwords for all online accounts.
A strong, unique password is an effective deterrent to cybercriminals, but unfortunately, many organizations still fail to encourage their use. The main hindrance is that it can be difficult to remember different strings of random letters and numbers for the multitude of accounts we all have. It’s so much easier to simply use a few words or a phrase that’s easy to remember, for each and every account.
But that is exactly what cybercriminals count on.
In this post, I will discuss the idea of "password strength" and what you can do to make your passwords more secure and easier to manage.
What Makes a Password Strong?
A strong password is considered to be a string of at least 12 random upper and lowercase letters, numbers, and special characters such as a question mark. Many organizations now require you to create passwords conforming to these guidelines, which is good. However, they can't stop people from using that same password for multiple accounts, which is definitely not recommended.
Password strength vs. password complexity
Let's start by talking about a couple of scenarios you have likely found yourself in:
You sign up for an account or change your password online, and the site gives you feedback on strength. Usually, it's symbolized by a bar or dot that changes from red (weak) through yellow (decent) to green (strong).
You sign up for an online account or change your password on an account where a certain amount of complexity is required for a password to be accepted: minimum length, maximum length, special characters, capital letters, numbers, etc.
So, when it comes to creating passwords, what do the terms strength and complexity actually mean?
There is some overlap between strength and complexity in passwords. A password like P@ssw0rd might meet the complexity requirements listed above, but it certainly isn't strong. You might ask yourself, "Why isn't that a strong password? Didn't it meet complexity requirements?"
The short answer is that while P@ssw0rd meets some arbitrary complexity requirements, it isn't a strong password because it features the kind of predictable substitutions people make when trying to outsmart a computer. That exact password has been used so often that cracking tools try it (along with several hundred other common passwords) before anything else.
To better demonstrate the idea of password strength, I’ll use an example from Gibson Research Corporation’s “Password Haystack” tool: Which of the following two passwords is stronger, more secure, and more difficult to crack?
It’s a trick question. The first password is actually stronger, even though it contains a simple/common word like ‘dog’ and uses predictable substitution. I believe this example serves as a great demonstration of how password strength differs from password complexity.
The first password is stronger for a couple of reasons:
It employs “padding” in the password (that’s all of those periods at the end).
It’s one character longer than the second.
Why? It’s due to the idea of a password’s “search space,” or the number of different combinations of passwords that can be created using different character sets and a password’s length.
This number of combinations stands for the number of “attempts” an attacker would have to make in order to exhaust every possibility; the more attempts needed, the better. It’s important to note (as the Haystack tool points out) that the padding in the example isn’t great: it’s repetitive and appears only at the end of the password.
In theory, the first password is more secure. But if this type of padding were to become common, attackers would likely include these types of variations in the dictionaries (lists of common passwords) they use when attempting to crack a password.
How does a password get hacked? What can you do to prevent that?
A strong password is the simplest yet most powerful tool against cyberattacks. It can thwart malicious access to your personal details and protect you from fraud and other devastating consequences of a data breach.
When it comes to preventing your passwords from being hacked, there are some things you can control and others you cannot. Let's start by exploring the things you cannot control.
What you can't control
How online services store their users' passwords
Online services rarely tell you how they store your password. Even if they did, you aren’t able to change it.
Hopefully, every online service you subscribe to uses a secure password hashing algorithm to obscure your password before they store it. There are many different approaches to hashing passwords; some are more secure than others, and an essential difference between algorithms is how fast or slow they are.
Ideally, your password is hashed using a robust, slow algorithm so that an attacker is constrained in the number of attempts per second/minute they are able to make.
This difference in speed is another reason why having a strong password is so important: if you take the time to generate a strong password (long, difficult to guess), it will take much longer for an attacker to guess your password correctly.
Unfortunately, some online services don't hash passwords at all. Those passwords are stored in plain text and can be read by anyone with access to the database that holds user information, so your password is completely exposed if a malicious actor obtains the contents of that service's password store.
How an attack is executed
Hackers can employ various tools, strategies, and hardware in an attack. If an attacker can generate 10 thousand attempts per second, there is an extremely high likelihood that a hacker will crack a short but complex password in a reasonable amount of time.
Here’s a real example: I used a random password generator to generate this password of 8 characters: 2xI5#%fX. This would be cracked in about 3 hours if an attacker were able to generate 10 thousand guesses per second. If I double the length of the password to 16 characters (t16qq*T4u*#^WtEg), it’s estimated that it would take over 100 years to crack the password at 10 thousand attempts per second. 10 thousand attempts per second may seem like a lot, but if we’re talking about an offline device, like your laptop, it’s quite possible for an attacker with the right means.
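The “search space” idea from the Haystack discussion and the guesses-per-second arithmetic in the attack section are the same calculation, so one worked example covers both. This is an added example written for this page, not the Haystack tool's own code or TeamPassword's: it infers which character classes a password uses, sums the candidates an exhaustive search must cover for every length up to the password's length (the Haystack model), and divides by a guess rate. The two passwords `Cat9....................` and `Xq7!mZ2#pL9$vB4%hN` are constructed for the comparison, and the dictionary figures in `pattern_attack_candidates` are assumed values that illustrate the caveat about padding becoming a known pattern.

```python
import string

# Character classes as a brute-force search space is usually modeled (Haystack-style).
CLASSES = {
    "lower": set(string.ascii_lowercase),      # 26
    "upper": set(string.ascii_uppercase),      # 26
    "digit": set(string.digits),               # 10
    "symbol": set(string.punctuation + " "),   # 33
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Alphabet an attacker must assume once they know which classes appear in the password."""
    return sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Candidates an exhaustive search covers: every string of length 1..len(password) over the
    inferred alphabet. Only classes present and length matter, which is why padding with one
    repeated symbol still enlarges the space."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst case for the attacker: time to try the entire space at a fixed guess rate."""
    return search_space(password) / guesses_per_second


def pattern_attack_candidates(dictionary_words: int, variants_per_word: int, max_padding: int) -> int:
    """The caveat: once 'word + padding' is a known pattern, the attacker enumerates
    dictionary word x leet/capitalisation variant x padding length instead of brute-forcing."""
    return dictionary_words * variants_per_word * max_padding


def describe(password: str, guesses_per_second: float) -> str:
    years = seconds_to_exhaust(password, guesses_per_second) / SECONDS_PER_YEAR
    return "%r: alphabet %d, %d chars, ~%.3g years at %d guesses/s" % (
        password, alphabet_size(password), len(password), years, guesses_per_second)


# Constructed passwords: a padded one (four classes, 24 chars) and a shorter fully random one.
PADDED = "Cat9" + "." * 20
SHORT_RANDOM = "Xq7!mZ2#pL9$vB4%hN"

if __name__ == "__main__":
    rate = 10_000  # the guess rate used in the text
    for pw in ("kitten", "P@ssw0rd", SHORT_RANDOM, PADDED):
        print(describe(pw, rate))
    # Assumed dictionary: 100k words, 8 variants each, padding up to 30 symbols.
    guesses = pattern_attack_candidates(100_000, 8, 30)
    print("padding as a known pattern: %d candidates, %.1f minutes at %d/s"
          % (guesses, guesses / rate / 60, rate))
```

Run as is, the padded password wins the brute-force comparison exactly as the Haystack example claims, while the last line shows the same password collapsing to minutes once its structure is in the attacker's dictionary; that gap is why the text recommends random generation over clever padding.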
What you can control
How your passwords are generated and stored
A good password manager will store passwords in an encrypted state and use a robust and secure algorithm to generate passwords for you. The combination of these two things is the most straightforward step you can take to improve your overall password strength and security. For example, our password manager, TeamPassword, offers a password generation tool with options to specify password length and character sets. TeamPassword makes it easy to generate and save secure passwords for any service you use. Additionally, TeamPassword encrypts all passwords with a "master key" (that you set) before sending them to their servers. No one can read them without your master key.
How passwords are shared within your business
One common and insecure practice that I've seen companies employ is to keep a spreadsheet of passwords to company services that are shared with everyone in the company. It's dangerous because it lacks any granularity in who can see/use passwords in the company. This is another area where a password manager is desirable, as it can provide essential access controls to company account passwords.
4 Tips for Making a Strong Password
1. Use a Password Manager to Keep Track of your Passwords
Creating and remembering unique passwords for all these accounts is difficult. This is where your password manager comes in handy. A tool like TeamPassword keeps track of all your passwords and manages access to the different sites and apps you use.
This software stores all log-in information for all sites and accounts you use and helps you log into them automatically. The software encrypts your password database with a master password which is the only one you need to remember.
2. Use a Password Generator, or create a Passphrase
The simplest way to create a strong password is to use a password generator. However, consider creating a passphrase if you need to remember the password. Use a sequence of words that creates a funny and memorable image or that are related to the product for which you’re creating it.
Even though this lacks a variety of character types, it clocks in at 33 characters which makes it an incredibly high-entropy password.
Stay away from song lyrics, famous quotes, and phrases that make sense.
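Both halves of this tip, a generated random password and a randomly drawn passphrase, come down to picking symbols with a cryptographic random source and counting how many choices each symbol had. The example below is added for this page and is not TeamPassword's generator: it uses Python's `secrets` module, a constructed 16-word list standing in for a real diceware list (real lists have 7776 words, the figure used in `entropy_bits` below), and a 12-character minimum taken from the next tip. The entropy function makes the point behind the warning about lyrics and quotes: strength comes from how many equally likely alternatives the attacker must consider, not from character count alone.

```python
import math
import secrets
import string

# Constructed word list for the demo; a real diceware list has 7776 entries.
SAMPLE_WORDS = [
    "anvil", "biscuit", "cactus", "dolphin", "ember", "falcon", "glacier", "harbor",
    "iguana", "juniper", "kettle", "lantern", "meadow", "nimbus", "orchid", "pebble",
]

FULL_CHARSET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
MIN_LENGTH = 12


def generate_password(length: int = 16, charset: str = FULL_CHARSET) -> str:
    """Random password from `charset`; secrets.choice draws from the OS CSPRNG, unlike random."""
    if length < MIN_LENGTH:
        raise ValueError("use at least %d characters" % MIN_LENGTH)
    return "".join(secrets.choice(charset) for _ in range(length))


def generate_passphrase(n_words: int = 5, words=SAMPLE_WORDS, sep: str = "-") -> str:
    """Random passphrase: each word is an independent uniform draw from the list."""
    if n_words < 4:
        raise ValueError("use at least 4 words")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Bits of entropy for `symbols` independent uniform draws from `choices_per_symbol`.
    A 33-character phrase chosen for meaning has far less than 33 symbols' worth of this."""
    return symbols * math.log2(choices_per_symbol)


if __name__ == "__main__":
    print("password  :", generate_password(16),
          "(%.1f bits)" % entropy_bits(len(FULL_CHARSET), 16))
    print("passphrase:", generate_passphrase(5),
          "(%.1f bits with a 7776-word list)" % entropy_bits(7776, 5))
    print("8 coin flips:", "%.1f bits" % entropy_bits(2, 8))
```

A five-word diceware passphrase lands near 65 bits, a 16-character random password near 105 bits; both are beyond practical guessing, and the passphrase is the one you can actually type from memory.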
3. Longer is Better: 12 Characters is a Starting Point
As we learned in the “How an attack is executed” section, simply doubling an 8-character password to 16 characters can easily 35x the amount of time it takes for a cybercriminal to crack your password.
We recommend using the longest password the service will allow. Since you’re using a password manager and your passwords are conveniently auto-filled or copy-pasted, there’s no reason not to go long.
4. Use Two-factor Authentication (2FA)
Two-factor authentication (2FA) is one of the most sophisticated data security technologies. This security system requires two unique forms of identification to access an account.
Your password is the first factor; the second can be a biometric (your fingerprint, face, or retina), a code sent by text message to your smartphone or by email, or a code from an authenticator app on your phone. For high-security applications, you can set up physical keys such as a YubiKey.
The unlikely will eventually happen. Servers get hacked. Your super-strong password may get compromised. 2FA provides a lot more security for a little extra effort.
Avoid These Password Mistakes
Don’t reuse passwords across accounts
Because there are things we cannot control, limiting the impact of a password being leaked or stolen is essential. The best way to defend against this possibility is to use a unique password for every service that requires a password. By never reusing a password, you limit the scope of impact that a single stolen password could have on your business.
In many cases, when a large group of passwords is stolen, they are leaked or sold online, and you can guarantee that some attackers will take that information and try it on more services than the one from which a hacker stole the password.
Avoid Using Passwords Known to be Stolen
When in doubt, check the compromised password database haveibeenpwned.
Words and phrases such as “password”, “security”, “default”, 123456789, QWERTY, and abc123 will be cracked in seconds. The easiest password combinations are also the riskiest.
Follow news about cybercriminal activity and data breaches so you know when your account information may have been exposed. Unfortunately, hundreds of millions of people’s account data is leaked annually.
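The haveibeenpwned check can be done without ever sending a password, or even its full hash, to anyone: the Pwned Passwords range API takes only the first five hex characters of the SHA-1 hash and returns every known suffix in that range with a breach count, so the match is made locally. The code below is an added example, not haveibeenpwned's or TeamPassword's code: the network fetch uses the real `api.pwnedpasswords.com/range/` endpoint but is not called in the demo, which instead runs against a constructed response (`SAMPLE_RANGE_RESPONSE`, with made-up suffixes and counts) containing the genuine suffix for the string `password`. The short deny list repeats the common passwords named in the text.

```python
import hashlib
import urllib.request

# Constructed stand-in for a range-API response: one "<35-hex suffix>:<count>" per line.
# Only the third suffix is real (SHA-1 of "password"); the others and all counts are made up.
SAMPLE_RANGE_RESPONSE = """\
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E2AAA439972480CEC7F16C795BBB429372:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:10434004
1E6E17C1B2E3EC4F2CBA0C5A8A2F9F2F4A6:1
"""

# The examples of trivially guessable passwords given in the text, compared case-insensitively.
COMMON_PASSWORDS = {"password", "security", "default", "123456789", "qwerty", "abc123"}


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is sent and the
    35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict:
    """Map each returned suffix to its breach count; tolerates blank lines and CRLF."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_response_text: str) -> int:
    """Number of times the password appears in the dataset (0 if not present in the range)."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_response_text).get(suffix, 0)


def is_common(password: str) -> bool:
    return password.lower() in COMMON_PASSWORDS


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Live lookup: sends only the 5-hex prefix. Not called in the offline demo below."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    req = urllib.request.Request(url, headers={"User-Agent": "password-check-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for candidate in ("password", "QWERTY", "Xq7!mZ2#pL9$vB4%hN"):
        prefix, _ = sha1_prefix_suffix(candidate)
        seen = breach_count(candidate, SAMPLE_RANGE_RESPONSE)  # offline: constructed response
        print("%-20s prefix %s  common=%-5s  seen_in_sample=%d"
              % (candidate, prefix, is_common(candidate), seen))
```

Any non-zero count means the password should be retired everywhere it is used, not just on the site where it was checked.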
Don't store passwords where they can be discovered
Storing your passwords in spreadsheets, emails, messaging tools, or note-taking apps is one of the most common ways people expose themselves to cyberattacks. Avoid these dangerous ways to store your passwords and opt for an encrypted password management tool.
How to Keep Strong Passwords Secure
Keeping individual and group-shared passwords secure can be a difficult task. Thankfully, password managers exist for this reason. Many businesses utilize a team password manager like TeamPassword as a fast, easy, and secure way for team members to share and access logins and passwords. We have a variety of password security features that keep your data safe. Protect yourself with TeamPassword today - try us for free for 14 days.