In today’s digital age, where everything from banking to socialising happens online, password security is more important than ever. With cyber threats evolving rapidly, staying ahead of the curve in protecting sensitive information is important. So, what is the latest thinking in password security?
Using passwords based on strict conditions like including uppercase letters, lowercase letters, numbers, and non-standard characters was once considered a standard practice for enhancing password security. The rationale behind this approach is to increase the complexity of passwords, making them more resistant to brute force attacks, where hackers use automated tools to guess passwords by systematically trying millions of possible combinations.
However, over time, it has become evident that while these complex passwords may seem secure in theory, they often result in users resorting to predictable patterns or easily guessable variations, such as substituting ‘S’ with ‘$’ , substituting ‘5’ for ‘s’ or ‘O’ with ‘0’. Hackers also know that passwords following this formula must contain at least one non-standard character (&*^% etc), at least one number plus upper and lower case letters. Also, these complex passwords can be hard to remember, leading users to write them down (I’ve seen them on Post-It notes stuck on the side of the monitor!) or reuse them across multiple accounts, which undermines their effectiveness; as access to one password would then give access to a number of other applications.
In contrast, the concept of using three-word passwords or ‘passphrases’ has gained popularity due to a number of advantages it offers in terms of both security and usability:
- Ease of Remembering: Passphrases are easier to remember compared to random strings of characters. Instead of struggling to recall a complex combination of letters, numbers, and symbols, users can create a passphrase consisting of three random words that hold personal significance to them. For example, “purplebutterflysunshine” or “coffeehouseguitar.”
- Length and Entropy: Passphrases tend to be longer than traditional passwords, providing a higher level of entropy, which is a measure of randomness or unpredictability. A longer passphrase composed of unrelated words can offer similar or even greater security compared to shorter, complex passwords. For example What3Words, a geocoding system that encodes geographic coordinates into three dictionary words, has a total of 64 trillion 3-word combinations from a database of 25,000 words!
- Resistance to Dictionary Attacks: Passphrases are less susceptible to dictionary attacks, where hackers attempt to crack passwords by cycling through a list of commonly used words or phrases. Since passphrases consist of multiple words, they are less likely to appear in password dictionaries or wordlists.
- Usability: Passphrases promote better user behaviour by encouraging the use of unique and memorable passwords for each account. With passphrases, users are less likely to resort to insecure practices such as password recycling or writing down passwords.
- Adaptability to Multi-factor Authentication: Passphrases can be seamlessly integrated with multi-factor authentication (MFA) mechanisms, further enhancing security by requiring an additional authentication factor alongside the passphrase.
Overall, while the traditional approach of using complex passwords with strict conditions may have been prevalent in the past, the shift towards using passphrases reflects a growing recognition of the importance of balancing security with usability. By adopting passphrases, you can create strong and memorable passwords that offer robust protection against cyber threats.
Password Managers
Password managers, such as LastPass or 1Password, are software applications which store and manage your passwords and other login information securely. They generate strong, unique passwords for each account, encrypts them, and stores them in a central location which is accessible through a single master password. This helps you maintain security without having to remember multiple complex passwords.
Using a password manager comes with a range of advantages but also disadvantages, which can be critical to consider for both personal and professional users.
Advantages
- Enhanced Security:
- Password managers generate strong, complex passwords, reducing the risk of password guessing and brute force attacks.
- They can auto-fill passwords only on legitimate sites, helping users avoid phishing sites that mimic real ones.
- Encryption: Passwords are stored in an encrypted format, making it difficult for hackers to access them.
- Convenience:
- Autofill: Password managers can automatically fill in your login credentials for you.
- Synchronisation: They often sync across multiple devices, allowing access to passwords from anywhere.
- Centralised Storage: You only need to remember one master password instead of numerous different passwords.
- Password Management:
- Password Update Reminders: Some managers can remind you to update your password periodically.
- Secure Sharing: They can securely share passwords with trusted individuals without revealing the actual passwords.
- Additional Features:
- Secure Notes and Personal Information: Many password managers store other sensitive information, such as credit card details and secure notes.
- Two-Factor Authentication (2FA) Integration: They often support 2FA, adding an extra layer of security.
Disadvantages
- Single Point of Failure:
- Master Password Vulnerability: If the master password is compromised, all of your stored passwords can be accessed.
- Dependence on a Single Service: Relying on one service for your password management means a failure or breach in that service could expose all of your passwords.
- Potential for Data Breaches:
- Target for Hackers: Password managers can be prime targets for cyber attacks because they store a large number of sensitive credentials.
- Data Breach Risks: If the service experiences a data breach, even with encryption, there is a risk of exposure.
- Accessibility Issues:
- Lost Master Password: If the master password is forgotten and there is no recovery option, all stored passwords can be lost.
- Technical Issues: Problems with the software or synchronisation issues can temporarily prevent access to passwords.
So, while password managers offer significant security and convenience benefits, they also come with potential risks and costs. Think carefully and consider all the options when choosing whether to use a password manager.