Passwords are the basis of online authentication methods. To authenticate means to prove to a system that you are the person you claim to be. Sound kind of meta for an explanation? More concretely, when you give your name at the bank and the bank clerk asks you for an ID, this is an authentication method. Similarly, when you enter your password to access your inbox, this is a way of authenticating with your online service. Authentication, therefore, is an essential component of what is called access management.
Access management is the key to every good practice in digital security.
Like a lock on a door, the password ensures that only authorized people can access a space.
How can someone guess my password?
As mentioned, the objective of having a password is to keep it secret and protect the access to confidential or restricted data. So how can a criminal guess a password and gain access to your accounts? Unfortunately, there are many ways. Here is an overview of the ones most commonly used.
- Brute force attack: A targeted or random attack in which a hacker uses a program with the sole aim of decrypting your password. Using trial-and-error, the program tries various combinations of letters, numbers, characters, and words until it finds the right combination. For this reason, this type of attack can take a lot of time and energy. The more complicated the password, the longer and costlier the attack will be for an adversary.
- Social engineering: This is another method by which an adversary targets you specifically. To save time, they use a more “personal” approach in this attack than in a brute force attack. They will scope you out on social media and try to gather information that will allow them to make a more educated guess (your cat’s name and your birthdate) or to answer your security questions. They might also try to fool you by sending you a phishing email that asks you to reset your password.
- Service provider breach (data dump):In this situation, you are a random target because your username and password are part of a data breach. Databases with this type of information (also called data dumps) can be found on the dark web. Criminals buy them and thus obtain the usernames and, potentially, the passwords associated with millions of accounts. Are you curious to know whether your usernames have been part of a breach? Visit this site.
What makes a good password?
A good way of mitigating the risks associated with these methods of compromising data is simply to have good “password hygiene.” This hygiene involves having high-quality passwords. In this sense, an excellent password has four characteristics:
- It’s long: the more characters it has, the better it is.
- It’s complex: the more random the sequence of characters is, the harder it is for a computer to guess it in a brute force attack (the association of the words “coffee” and “cream” is not random; “coffee” and “penguin” is better).
- It’s unique: we like passwords that are unique because if the access to an account is compromised, an adversary trying the identifiers on another service will fail. Your other accounts will therefore be secure.
- It’s easy to memorize: this is the most important characteristic. It is extremely frustrating to be locked out of your account.
Some people say that it might be paradoxical to ask you to choose long, complex, and unique passwords for every account AND to memorize them. They are right.
To do this, you don’t need to become a robot with an amazing memory. The first piece of advice we can give you is to forget about the outdated notion of the password. The trend these days is the PASSPHRASE. The second piece of advice is to use a password manager. We know you’re eager to know more, but please have a little patience, we’ll discuss it a bit later...
Forget the password: the passphrase is the future!
Digital security is always a question of compromise. A good passphrase offers the best possible balance between the four characteristics mentioned earlier. While it’s hard to memorize eleven completely random characters, it might be a good idea to choose a passphrase of thirty characters that’s easier to remember.
You’ve surely heard that a strong password should have a minimum of eight characters. That’s the absolute minimum. With a passphrase, your security will improve exponentially with every added character. For example, a passphrase composed of five completely random words (“iceberg cameo complicity tribune panda”) will take an intelligence agency’s computers thousands of years to decode. On the other hand, the password “sun123” could take a mediocre hacker equipped with a laptop that’s a few years old just a few minutes to guess. It’s therefore extremely easy to improve your position significantly without too much effort.
To create the strongest passphrase possible, you can combine capital letters, numbers, and special characters. They add complexity to the recipe!
What’s important is to find the ideal balance for you between the strength of your passphrase and your ability to remember it.
This brings us to the importance of using a password manager, a key tactic of optimal access management!
What pitfalls to avoid?
When it comes to creating your passphrases, you must at all costs avoid using personal information that is publically available or on social media (your birthdate, your place of birth, your cat’s name, etc.). Song lyrics or important dates and events should also be avoided. Using this type of information will make social engineering attacks much easier.
There was a time when cybersecurity experts recommended changing passwords every six months. While this is a better approach theoretically, studies have shown that changing passwords regularly is less secure in practice. The people studied tended to lose their access more frequently and even create less secure passwords.
You’re better off relying on the strength of your passphrase and changing it only if the website or application in question has been hacked.
Why keep your passwords unique?
Your passphrase likes to be special. It should be different from one site to another.
It’s a fact: data dumps are more and more frequent. When a passphrase is reused on more than one site, this increases the risk of it being compromised.Hackers and criminals are lazy people: if a username and password are compromised, the combination will be tried out on every imaginable platform.
A good passphrase that is unique to each service is the first line of defence of effectively protecting the data stored on your various online accounts.
What are the advantages of using a password manager?
The faculty of memory is forgetful.
We know that remembering a hundred different passphrases is a colossal and unrealistic undertaking. This is why a password manager will be your most valuable ally.
We promise you; it’s definitely worth downloading an additional application for this purpose.
If you have any doubt, remember that access management is the first gateway to all kinds of attacks. With vulnerable accounts, you jeopardize your personal data and that of your partners, colleagues, or clients.
Converting to using a password manager can take a bit of time at first, but it is important and will quickly start saving you time.
Recap
- Opt for a passphrase instead of a password.
- Find the best possible balance between the length, complexity, and uniqueness of your passphrase for you to remember it.
- 8 characters is the minimum. 12 to 16 characters is good. Several words are best.
- Combine capital letters, numbers, and special characters, if possible.
- Avoid including personal information (important dates, birthday, your children’s first names, your place of birth, etc.).
- Use a password manager to help your memory.
- Change your passphrase only if it is compromised.