Quotes Icon

Andrew M.

Andrew M.

オペレーション担当副社長

"私たちは小規模な非営利団体のためにTeamPasswordを使用していますが、私たちのニーズにうまく対応しています。"

今すぐ始める

Table Of Contents

    Password Best Practices: What Makes a Strong Password?

    August 25, 20227 min read

    Password Management

    Passwords are everywhere…. Whether logging into our computers, email accounts, social media accounts, or bank accounts, passwords are used to secure our lives online and the companies we work for. Given this reality, it's vital to the security interests of our businesses and ourselves that we choose strong passwords whenever possible. In this post, I will discuss the idea of "password strength" – what it means, how it differs from complexity, how password strength applies to security, and what you can do to make your passwords more robust and easier to manage.

    Table of Contents

      Password strength vs. password complexity

      Let's start by talking about a couple of scenarios you have likely found yourself in:

      • You sign up for an account or change your password online, where the site gives you feedback regarding strength. Usually, it's symbolized by a line or dot that changes from red (weak), yellow (decent), and green (strong).
      • You sign up for an online account or change your password on an account where a certain amount of complexity is required for a password to be accepted: minimum length, maximum length, special characters, capital letters, numbers, etc.

      So, when it comes to creating passwords, what do these terms, strength, and complexity mean?

      There certainly exists some overlap between the ideas of strength and complexity in passwords. A password like P@ssw0rd might meet the complexity requirements listed above, but it certainly isn't strong. You might ask yourself, "Why isn't that a strong password? Didn't it meet complexity requirements?" 

      The short answer is that while P@ssw0rd met some arbitrary complexity requirements, it isn't a strong password because it's easy to guess, even with two letters replaced with a unique character and a number, respectively. The password features predictable substitutions, which is the beginning of why it's not a strong password, which would be awful for you if a malicious actor were to try and gain access to one of your accounts using this password. Regarding passwords and how secure they can be, there are some things we can control and others we cannot. Let's start by exploring the things you cannot control.

       

      What you can't control

      1. How online services store their users' passwords.

        When you sign up for an account with some online service, they likely will not tell you how they are keeping your account's password, and even if the sites did, you aren't able to change how. 

        Hopefully, every online service you subscribe to uses a secure password hashing algorithm to obscure your password before they store it. There are many different approaches to hashing passwords; some are more secure than others, and an essential difference between algorithms is how fast or slow they are. 

        Ideally, your password is hashed using a robust, slow algorithm because an attacker would be constrained in the number of attempts per second/minute they would be able to make if it takes for a server to verify whether a given password was correct or not. This difference in speed is another reason why having a strong password is so important: if you take the time to generate a strong password (long, difficult to guess), it will take much longer for an attacker to guess your password correctly. Unfortunately, some online services don't hash passwords at all, which means passwords are stored in plain text that can be read by anyone with access to the database where user information is stored, which leaves your password completely exposed if a malicious actor was able to get the contents of a service's passwords.

      1. How an attack is executed.

        In the last point, I referenced how an attack (something you cannot control) can affect a password's security. Hackers can employ various tools, strategies, and hardware in an attack. If an attacker can generate 10 thousand attempts per second, there is an extremely high likelihood that a hacker will crack a short but complex password in a reasonable amount of time.

      What you can control

      Now that you've seen many things you cannot control regarding passwords, let's explore what you can do to mitigate your exposure to the things you can't control.

       

      1. How passwords are generated and stored.

        A good password manager will store passwords in an encrypted state and use a robust and secure algorithm to generate passwords for you. The combination of these two things is the most straightforward step you can take to improve your overall password strength and security. For example, our password manager Team Password offers a password generation tool with options to specify password length and character sets. TeamPassword makes it easy to generate and save secure passwords for any service you use. Additionally, Team Password encrypts all passwords with a "master key" (that you set) before sending them to their servers, so no one can read them unless they have your master key.

      undefined

      1. How passwords are shared within your business. 

        One common and insecure practice that I've seen companies employ is to keep a spreadsheet of passwords to company services that are shared with everyone in the company, which is dangerous for several reasons, namely, that it doesn't allow for any granularity in who can see/use passwords in the company. Here is another area where a password manager is desirable, as it can provide essential access controls to company account passwords.

      2. Don't reuse passwords across accounts

        Because there are things we cannot control, limiting the impact of a password being leaked or stolen is essential. The best way to defend against this possibility is to use a unique password for every service that requires a password. By never reusing a password, you limit the scope of impact that a single stolen password could have on your business. 

        In many cases, when a large group of passwords is stolen, they are leaked or sold online, and you can guarantee that some attackers will take that information and try it on more services than the one from which a hacker stole the password.

      3. Use Two-factor authentication wherever possible 

        These services require users to enter the second piece of information to identify themselves. 2FA is often a series of numbers that changes every minute or so. Not all services offer this, but it should be employed wherever possible.

      What to take away:

      While we've barely scratched the surface of all the possible topics we could include when it comes to just passwords, I hope I've demonstrated the importance that passwords play in our daily life and how easily we can improve our security just by knowing what a secure password is and how to generate one. 

      I don't believe there is any one right way to create a password, but I strongly suggest using a password manager. 

      Our Team Password product offers a 14-day free trial, so if you aren't already using a password manager, I hope you'll try them. Even if you don't use a password manager, you've seen how password padding can allow you to generate memorable and secure passwords.

      パスワードの安全性を高める

      パスワードを生成し、正しく管理させるための最適なソフトウェア

      TeamPassword Screenshot
      facebook social icon
      twitter social icon
      linkedin social icon
      関連記事
      Employees standing around computer discussing code

      Cybersecurity

      November 15, 202410 min read

      Creating a Company Culture for Security | 5 Actionable Insights

      Security is both a technical and cultural issue. Employees who value and promote security will prevent cyberattacks, protect ...

      CPA working at computer using password manager

      Business

      November 14, 20246 min read

      3 Best Password Managers for CPAs and Accounting Firms

      CPAs need password managers that offer security, efficiency, and affordability. Learn about top options for managing credentials, sharing ...

      username and password in green lettering

      Cybersecurity

      November 14, 202413 min read

      What Is Password Management? [Complete Guide]

      What is password management? Learn how to effectively manage your passwords with these best practices, tools, and more. ...

      最新情報をお見逃しなく!

      このような投稿をもっと読みたい方は、ブログを購読してください。

      Promotional image