Defending the Wall: Strong Passwords


Strong passwords are an important part of maintaining accounts and of any organization’s security infrastructure. They are the first line of defense that separates the access of sensitive and confidential information from those who are permitted to view it and those who would do harm with it.  Having good password practices and policies that are enforced are an important aspect of any security posture.

Strong passwords are everyone’s responsibility.  A single access point for an attacker could be potentially dangerous to an entire organization.  While administrative passwords are important, and should always be safeguarded with strong security measures, even the basic user has the potential to be breached and used to launch further attacks.

So what is considered a strong password?  A strong password typically consists of a minimum of eight to ten characters using upper and lower-case letters, special characters, and numbers.  The most important aspect of a strong password is length, the longer the password, the stronger that it is and the harder it is to crack. While some people may choose to avoid longer passwords due to the complexity and difficulty of remembering them, a good way to create a strong password with lots of characters is to make it into a complete sentence.  Regardless of the length of the password, users should never write down or store them on any kind of accessible directory.  If password storage is needed, always use a trusted third-party password manager application such as LastPass, 1Password, or DashLane.

Password length and having lots of different elements within helps a lot, but also how they are written out can strengthen a password.  Users should avoid putting the numbers and special characters next to each other or in any kind of predictable manner. This makes it easier for attackers to figure them out.  Examples of this may be adding a number and “!” at the end of a password or a password with just the first letter capitalized and a punctuation at the end.  If the password is a complete sentence, add in a couple special characters and capital letters in it to mix things up.

Content of passwords is also important.  Users should not use passwords that contain the user’s name, “password”, or keyboard combinations like “qwerty” or “12345678”.  Users should also avoid using things that is easily relatable to the person, the organization, or that is easily guessable. Some examples of these types of things could be the names of family, friends, pets, the company’s departments, company terms or phrases, and pop culture/sports references.

Generally common words that are found in the dictionary used without forming a sentence should also be avoided.  An attacker can often crack these passwords by using a dictionary attack.  Often abbreviations of words are a good way to avoid these kinds of attacks, although acronyms that directly related to the person or company should still be avoided as they could be guessed.

With all of the above being followed to create a strong password, some users may feel that they have the perfect password that can’t be beaten! So much so that they use it on all platforms and when prompted to change it, they simply add a character at the end of it.  This should be definitely be avoided.  Every platform should have a different password. By allowing multiple accounts to share the same password it puts them all at risk if one is compromised.  Also, by simply adding additional characters to the end when prompted to change the password weakens it and makes it predictable to someone who may have gained access to the old one.

So other than instructing the users how to set up strong passwords, what should an organization include when setting up and enforce a password policy?  As an organization, there are several things that can be done to safeguard their users and to ensure that strong passwords are being used.  The first would be to perform password testing with in-line password checkers when possible.  If this is not possible, then the use of tools can be used to identify weak passwords.  Ensuring that 64-character passwords are supported is another great way to ensure that users can use passwords with appropriate length. Organizations can also set lockouts for number of failed attempts to reduces the risk of automated attacks.  Part of this policy should also be for users to never share their password over any kind of electronic media, or as said above, to never write it down.  User’s passwords should be private, and generally not shared.  The user should be aware of this and never let someone watch them put in their password. If someone is watching, they should ask them to look away when putting it in.

Lastly, while strong passwords are very important to the security of any organization, do not rely on them alone as they are only the surface level of security.  There are plenty of other safeguards that should be used when it comes to protecting accounts too. These include two-factor authentication, cryptographic credentials, or biometric identifiers.  All these things working in unison forms a strong frontline security posture for both the user’s and the organization’s accounts.