
    Password Best Practices: What Makes a Strong Password?

    August 25, 2022 | 7 min read

    Password Management

    Passwords are everywhere. Whether we are logging into our computers, email accounts, social media accounts, or bank accounts, passwords secure our lives online and the companies we work for. Given this reality, it's vital to the security interests of our businesses and ourselves that we choose strong passwords whenever possible. In this post, I will discuss the idea of "password strength" – what it means, how it differs from complexity, how password strength applies to security, and what you can do to make your passwords more robust and easier to manage.

      Password strength vs. password complexity

      Let's start by talking about a couple of scenarios you have likely found yourself in:

      So, when it comes to creating passwords, what do the terms strength and complexity mean?

      There certainly exists some overlap between the ideas of strength and complexity in passwords. A password like P@ssw0rd might meet the complexity requirements listed above, but it certainly isn't strong. You might ask yourself, "Why isn't that a strong password? Didn't it meet complexity requirements?" 

      The short answer is that while P@ssw0rd meets some arbitrary complexity requirements, it isn't a strong password because it's easy to guess, even with two letters replaced by a special character and a number, respectively. The substitutions are predictable, and that is the first reason it isn't a strong password, which would be awful for you if a malicious actor tried to gain access to one of your accounts protected by it. When it comes to passwords and how secure they can be, there are some things we can control and others we cannot. Let's start by exploring the things you cannot control.

       

      What you can't control

      1. How an attack is executed.

        In the last point, I referenced how an attack (something you cannot control) can affect a password's security. Attackers can employ various tools, strategies, and hardware in an attack. If an attacker can generate 10,000 attempts per second, there is an extremely high likelihood that a short but complex password will be cracked in a reasonable amount of time.
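The difference between complexity and strength can be checked mechanically. The following is an added example, not code from the original post: it tests a password against a composition rule, undoes predictable substitutions before a wordlist lookup, and estimates worst-case exhaustive search time at the 10,000 guesses per second mentioned above. The composition rule, the tiny wordlist, the substitution table and the one-year threshold are all assumptions made for illustration.

```python
import string

# Constructed sample; a real check would load a large breach-derived wordlist.
COMMON = {"password", "letmein", "welcome", "qwerty", "dragon"}
# Predictable substitutions of the kind described above (@ for a, 0 for o).
UNLEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "!": "i"})
GUESSES_PER_SECOND = 10_000  # attack rate quoted in the article
POOLS = (string.ascii_lowercase, string.ascii_uppercase, string.digits,
         string.punctuation, " ")


def meets_complexity(pw: str, min_len: int = 8) -> bool:
    """Assumed composition rule: minimum length plus upper, lower, digit, symbol."""
    classes = (str.isupper, str.islower, str.isdigit,
               lambda c: c in string.punctuation)
    return len(pw) >= min_len and all(any(f(c) for c in pw) for f in classes)


def is_predictable(pw: str) -> bool:
    """True if undoing substitutions and case yields a common password."""
    return pw.translate(UNLEET).lower() in COMMON


def keyspace(pw: str) -> int:
    """Candidates an exhaustive search over the character classes in use must try."""
    size = sum(len(pool) for pool in POOLS if any(c in pool for c in pw))
    return max(size, 1) ** len(pw)


def worst_case_days(pw: str) -> float:
    """Days needed to try every candidate at the assumed guess rate."""
    return keyspace(pw) / GUESSES_PER_SECOND / 86_400


def assess(pw: str, min_days: float = 365.0) -> str:
    """min_days is an illustrative threshold, not a figure from the article."""
    if is_predictable(pw):
        return "weak: common password behind predictable substitutions"
    if worst_case_days(pw) < min_days:
        return "weak: keyspace can be exhausted at the assumed guess rate"
    return "ok"


if __name__ == "__main__":
    # Constructed samples: the article's example, a short complex one, a long simple one.
    for sample in ("P@ssw0rd", "aB3$x", "kdmvqzhplwtrxnbgcyfj"):
        print(f"{sample!r}: complexity={meets_complexity(sample)} -> {assess(sample)}")
```

P@ssw0rd passes the composition rule yet is flagged immediately, while the 20-letter lowercase string fails the rule and still survives both checks.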

      What you can control

      Now that you've seen many things you cannot control regarding passwords, let's explore what you can do to mitigate your exposure to the things you can't control.

       

      1. How passwords are generated and stored.

        A good password manager will store passwords in an encrypted state and use a robust and secure algorithm to generate passwords for you. The combination of these two things is the most straightforward step you can take to improve your overall password strength and security. For example, our password manager TeamPassword offers a password generation tool with options to specify password length and character sets. TeamPassword makes it easy to generate and save secure passwords for any service you use. Additionally, TeamPassword encrypts all passwords with a "master key" (that you set) before sending them to its servers, so no one can read them unless they have your master key.

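A generator with length and character-set options can be built on the operating system's CSPRNG. This is an added sketch, not TeamPassword's implementation; the set names, the symbol list and the default length are assumptions.

```python
import math
import secrets
import string

# Assumed character sets; the symbol list is a constructed choice.
CHARSETS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{}",
}
ALL_SETS = ("lower", "upper", "digits", "symbols")


def generate_password(length: int = 20, sets=ALL_SETS) -> str:
    """Random password drawn from the selected sets using the OS CSPRNG."""
    pools = [CHARSETS[name] for name in sets]
    if not pools or length < len(pools):
        raise ValueError("length must cover at least one character per selected set")
    alphabet = "".join(pools)
    # One character from each selected set so composition rules are satisfied.
    chars = [secrets.choice(pool) for pool in pools]
    # Remaining positions are drawn uniformly from the combined alphabet.
    chars += [secrets.choice(alphabet) for _ in range(length - len(pools))]
    # Shuffle so the guaranteed characters do not sit in fixed positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def entropy_bits(length: int, sets=ALL_SETS) -> float:
    """Approximate entropy: length * log2(alphabet size)."""
    return length * math.log2(sum(len(CHARSETS[name]) for name in sets))


if __name__ == "__main__":
    print(generate_password(), f"~{entropy_bits(20):.0f} bits")
```

The `random` module's default generator is not suitable here because its output is predictable; `secrets` draws from the operating system's entropy source.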

      1. How passwords are shared within your business. 

        One common and insecure practice I've seen companies employ is keeping a spreadsheet of passwords to company services that is shared with everyone in the company. This is dangerous for several reasons, chiefly that it doesn't allow any granularity in who can see or use passwords in the company. Here is another area where a password manager is desirable, as it can provide essential access controls to company account passwords.

      2. Don't reuse passwords across accounts

        Because there are things we cannot control, limiting the impact of a password being leaked or stolen is essential. The best way to defend against this possibility is to use a unique password for every service that requires a password. By never reusing a password, you limit the scope of impact that a single stolen password could have on your business. 

        In many cases, when a large group of passwords is stolen, they are leaked or sold online, and you can be sure that some attackers will take that information and try it on more services than the one the passwords were stolen from.

      3. Use Two-factor authentication wherever possible 

        Services that offer two-factor authentication (2FA) require users to enter a second piece of information to identify themselves. The second factor is often a series of numbers that changes every minute or so. Not all services offer this, but it should be employed wherever possible.

      What to take away:

      While we've barely scratched the surface of all the topics we could cover when it comes to passwords, I hope I've demonstrated the important role passwords play in our daily lives and how easily we can improve our security just by knowing what a secure password is and how to generate one.

      I don't believe there is any one right way to create a password, but I strongly suggest using a password manager. 

      Our TeamPassword product offers a 14-day free trial, so if you aren't already using a password manager, I hope you'll try it. Even if you don't use a password manager, you've seen how password padding can allow you to generate memorable and secure passwords.
