Security.com

password

By Madelyn Bacon

What is a password?

A password is a string of characters used to verify the identity of a user during the authentication process. Passwords are typically used in tandem with a username; they are designed to be known only to the user and allow that user to gain access to a device, application or website. Passwords can vary in length and can contain letters, numbers and special characters.

A password is sometimes called a passphrase, when the password uses more than one word, or a passcode or passkey, when the password uses only numbers, such as a personal identification number (pin).

A password is a simple application of challenge-response authentication, using a verbal, written or typed code to satisfy the challenge request. The order and variety of characters are often what determines the difficulty, or security strength, of a given password. That is why security systems often require users to create passwords that use at least one capital letter, number and symbol. For a password to be an effective security mechanism, its details must be kept secret. Otherwise, unauthorized users could gain access to the files and securities one is trying to protect.

How to create a secure password

Passwords, when carefully created and protected, increase safe and secure interactions online and in the workplace and can prevent password cracking. To maximize the strength and efficacy of passwords, organizations often establish password policies. These policies are designed to help users create strong passwords and adopt best practices for managing login credentials. Below are a few examples of the practices that contribute to effective password management and creation:

• A minimum length of eight characters and a maximum between 16 to 64 characters. While there is no limit to the length of a password, it does reach a point of diminishing returns.
• Include both uppercase and lowercase letters with case sensitivity. This increases the number of variables at play and, therefore, its difficulty.
• Use at least one number.
• Use at least one special character.
• Avoid using easily guessed elements such as names of children, pet names and birthdays.
• Consider using a password management tool.

Examples of strong passwords

The most important components of strong passwords include sufficient length and a mix of character types. Security experts recommend using passphrases that combine several words and interchange numbers and symbols but are still fairly easy to remember. For example, the phrase "my hobby is buying shoes online" can convert to "Myho88y!$ buYing$HO3$ 0nlin3."

Security practitioners also recommend using the first letter of each word in a long sentence to create a complex string, again replacing some letters with numbers and symbols. For example, "I spend all my money in the shoe department at Nordstrom because their shoes are great" can convert to "I$@MM1TSD@N8T$AG."

Random password generators and password management tools can also produce complex passwords and remember them for users. Despite vulnerabilities that sometimes surface in password managers, the security community recommends their use.  

How to avoid weak passwords

Users and businesses should strive to eliminate common password vulnerabilities that threat actors tend to look for. With social media being more present than ever before, any recognizable personal information can be easily obtained by a persistent cybercriminal. Common weaknesses include:

• Use of the word "password"
• Sequential numbers starting from one, such as "12345678"
• Inclusion of accessible information: birthdates, names of relatives, home addresses and names of pets or children

The SolarWinds hack that emerged in late 2020 showed how cybercriminals can compromise weak passwords. Instead of performing an elaborate attack, the Russia-backed hackers simply guessed the password "solarwinds123," which proved to be the password to the company's update server. This allowed the attackers to hide a virus in SolarWinds' Orion software update, which was later shipped to its clients and compromised them as well.

How often should passwords be changed?

Strong passwords don't just depend on the code or the individual; they also depend on the expiration date. Corporate password policies often place an expiration date on their users' passcodes, forcing users to replace old passwords with new ones. Password time periods commonly span 90 to 180 days. Sophisticated password creation systems may also force users to create new passwords that don't share major similarities to their previous iterations.

Alternative methods to passwords

Passwordless authentication has emerged to help eliminate the complexities and vulnerabilities of traditional passwords. This method is especially beneficial for users on mobile devices or social platforms. Instead of creating a unique password, users receive a one-time authentication code via a text message, email or other messaging alert or service. The code allows users to log in automatically. 

Other authentication methods can also be combined with or in place of passwords. These options include:

• Two-factor authentication (2FA) -- 2FA requires users to provide two authentication factors that include a combination of something the user knows (like a password or PIN), something the user has (like an ID card, security token or smartphone) and something the user is (like a fingerprint or eye scan).
• Multifactor authentication (MFA) -- MFA is similar to 2FA except that it is not limited to only two authentication factors. It also uses something the user knows, something the user has and something the user is.
• Biometrics -- Biometric methods authenticates users based on physiological characteristics such as fingerprints or retinal scans or behavioral characteristics such as typing patterns and voice recognition.
• Tokens -- A security token is a physical hardware device like a smart card or key fob that a user carries to authorize access to a network.
• One-time passwords (OTP) -- An OTP is an automatically generated password that only authenticates a user for a single transaction or session. These passwords change for every use and are typically stored on security tokens.
• Social login -- This type of login enables users to authenticate themselves on applications or websites by connecting to social media account such as Facebook or Google instead of using a separate login for each and every site.