Hot on the heels of Privacy Awareness Week, consider how IT departments can encourage better password practices from their users and clients.
Password management is a necessary evil. Recent figures put the average number of online accounts per person at between 10 and 25, which goes some way to explaining why so many people re-use passwords.
The problem facing IT departments is maintaining a balance between forcing password changes too often and relying on users to secure unique, strong passwords in a way that doesn’t compromise organisational security.
“Often, the more often you ask someone to change their password, the weaker the passwords they typically choose,” says Professor Alan Woodward from the University of Surrey.
While purists insist that passwords should never be re-used, it isn’t practical to expect most people to remember more than a dozen strong passwords or passphrases.
One strategy for coping is to educate your users and clients to consider how severe the consequences would be if a particular password were compromised. For most people, banking sites or sites that store credit card details (such as online shopping) are highly sensitive for obvious reasons; people don’t want their money stolen.
Some business applications may appear less exposed and therefore less likely to require strong password processes. However, seemingly innocuous applications such as business email often store a great deal of sensitive information and can also be used to reset the passwords for other services, so they must be treated as sensitive.
Additionally, social media sites and messaging services may also contain personal information that could be used to gain access to other accounts.
As password re-use is virtually inevitable, make sure you encourage users at the sign-up stage to create a strong password. Put simply, the more random and complex the password, the harder it is to crack.
This concept is known as password entropy and is measured in bits. Password entropy is a guide to how much effort is required to crack a password by brute force. A password with 20 bits of entropy is as strong as a string of 20 bits chosen at random (by coin toss, for example).
In other words, a password with 20 bits of entropy requires 2^20 (1,048,576) attempts to exhaust all possibilities in a brute-force attack. Adding one bit of entropy therefore doubles the number of guesses required, which makes the attacker's task twice as difficult.
How can one remember the potentially dozens of different passwords for each of the accounts we all have?
Password managers are software tools that store individual passwords encrypted under a single master passphrase, which serves as the key. They can generate very complex passwords and store them safely, either locally on the device or in the cloud. This lets your users easily create high-entropy, unique passwords that are highly resistant to brute-force and dictionary attacks, while the user only has to remember the one master password for the password manager.
Password managers typically have extensions that integrate with the popular web browsers, and may be available on mobile devices such as phones and tablets as well. Like any software, password managers may have bugs or security vulnerabilities, so it is worth reading reviews and searching for their history of security vulnerabilities and how the vendor handled them.
Another issue with password managers is that if the master password is forgotten, it’s next to impossible to retrieve it, meaning all the individual passwords contained within the manager are also lost. However, memory can be a funny thing – recall can happen at any time, and muscle memory of typing the password out on the keyboard should also not be underestimated.
The password criteria employed by most organisations and websites typically comprise 6-8 characters with a mix of upper- and lowercase letters and numbers, and can arguably be considered woefully lacking. The natural instinct to add a “1” or “!” at the end of a password, or to employ “l33tspeak” in an attempt to make it more complex, will not protect it against modern password cracking techniques and should be avoided at all costs.
Moreover, such strict complexity rules ultimately do nothing but annoy users and instil bad password practices. Passphrases—passwords made up of a series of uncommon, apparently random words—are typically much easier for the user to remember, and are inherently more robust because of their high entropy.
For example, a short phrase like “Nelson buys ugly fruit” (roughly 30 bits of entropy) is better than a single word with a letter substitution such as “Duckl1ng” (less than 15 bits). However, both can be cracked quickly (hours for the phrase versus seconds for the word). It’s best to use a randomly generated phrase, such as “prove allen gown sense observe mustang” (77 bits of entropy), which is very unlikely to be cracked with the tools currently in use.
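The entropy arithmetic above (2^20 guesses for 20 bits, each extra bit doubling the work) and the figures quoted for the example phrases can be reproduced with a short script. The following is an added example written for this article, not code from the original. It assumes a Diceware-style list of 7776 words for the six-word figure (the article does not name the list it used), a small constructed stand-in word list so the script runs offline, a hypothetical 20,000-word attacker dictionary for the single-word estimate, and a hypothetical guessing rate for the timing lines.

```python
import math
import secrets
import string

# Constructed stand-in word list for this example only (assumption). A real
# Diceware-style list has 7776 words; the entropy functions take the list size
# as a parameter so the figure for a full list can still be computed.
SAMPLE_WORDS = [
    "prove", "allen", "gown", "sense", "observe", "mustang",
    "nelson", "fruit", "river", "candle", "marble", "orbit",
]
DICEWARE_LIST_SIZE = 7776  # 6^5 words in a standard Diceware list (assumption)

# Alphabet used for generated character passwords: 94 printable ASCII symbols.
DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def charset_entropy_bits(length, charset_size):
    """Entropy of a password whose `length` characters are each drawn uniformly
    at random from `charset_size` symbols. This formula only holds for random
    choice; it says nothing about a human-chosen string of the same length."""
    return length * math.log2(charset_size)


def wordlist_entropy_bits(num_words, list_size):
    """Entropy of a passphrase of `num_words` words, each drawn uniformly at
    random from a list of `list_size` words."""
    return num_words * math.log2(list_size)


def dictionary_word_entropy_bits(dictionary_size, variants=1):
    """Rough entropy of a single dictionary word plus `variants` predictable
    mutations (capitalisation, a trailing '1', l33t substitutions). An attacker
    only has to try dictionary_size * variants candidates, so the length of the
    word itself contributes nothing. (Assumed model, for illustration.)"""
    return math.log2(dictionary_size * variants)


def guesses_to_exhaust(bits):
    """Number of guesses needed to try every possibility for `bits` of entropy."""
    return 2 ** bits


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to exhaust the whole space at a given guessing rate."""
    return guesses_to_exhaust(bits) / guesses_per_second


def generate_password(length, alphabet=DEFAULT_ALPHABET):
    """Random character password, each symbol drawn with the CSPRNG in `secrets`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(num_words, wordlist=SAMPLE_WORDS, sep=" "):
    """Random passphrase, each word drawn uniformly with `secrets`."""
    return sep.join(secrets.choice(wordlist) for _ in range(num_words))


if __name__ == "__main__":
    print(f"20 bits -> {guesses_to_exhaust(20):,} guesses to exhaust")
    print(f"6 words from a {DICEWARE_LIST_SIZE}-word list: "
          f"{wordlist_entropy_bits(6, DICEWARE_LIST_SIZE):.1f} bits")
    print(f"8 random upper/lower/digit characters: {charset_entropy_bits(8, 62):.1f} bits")
    print(f"one dictionary word, 20k-word dictionary, 4 variants: "
          f"{dictionary_word_entropy_bits(20_000, 4):.1f} bits")
    rate = 1e10  # assumed offline guessing rate against a fast, unsalted hash
    for bits in (15, 30, 77):
        print(f"{bits} bits at {rate:.0e} guesses/s: {seconds_to_exhaust(bits, rate):,.0f} s")
    print("generated password:  ", generate_password(16))
    print("generated passphrase:", generate_passphrase(6))
```

The point the numbers make is that entropy comes from random choice, not from length or character variety on its own: eight characters chosen uniformly from 62 symbols score over 40 bits, while an eight-letter dictionary word with a substitution scores only the logarithm of the dictionary size, under 15 bits, exactly as the “Duckl1ng” figure above suggests. Six words from a 7776-word list give the 77 bits quoted for the random phrase.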