Cyber Talk: Password Security for 2022

“Data is the new oil” is a quote lined in gold. Credited to British mathematician Clive Humby, the quote has in recent years generated momentum, reflected in a report from The Economist titled: “The world's most valuable resource is no longer oil, but data”.

Passwords have been used to protect data since the most primitive days of computing. They act as a frontline barrier against unauthorised access to computers and any confidential or protected information within. One of the biggest dangers to a business is the threat of a weak link, stemming from an exploitable password. Exploitation of a password in this manner allows an intruder to effectively become the owner of that password and its associated account, at least in the eyes of the system – accessing any data or files that are stored under these accounts.

Well-protected business assets rely on well-built passwords – therefore a password policy that implements a level of password complexity is crucial for its baseline protection. A password policy is a set of rules designed by a business to elevate computer security by promoting the implementation of strong passwords. Many organisations enforce password policies, such as set password complexity requirements, so that employees are forced to create strong passwords and use best practices for their login credentials.

What do we mean by 'password complexity', though? The complexity of a password is based upon the number of characters included in the password and how they are distributed. A short dictionary word such as “apple” is considered a weak password, but a long, non-dictionary word including numbers, symbols, and mixed case letters such as “Tr@vel2th3Sh0p5” is considered much stronger. Some best practices for password complexity requirements include:

Figure 1 – Best Practices for Password Complexity.

However, you may be thinking at this point – 'yes, we have a password policy like this – and I hate it! Making the password too complicated means I can't remember it, and it's annoying to type!'

Unfortunately, some of this frustration is an unavoidable side effect of making a password more secure. So how do we minimise it? Let's take a randomly generated password. It may be something like “Xny92Zpul!R?”. Doesn't exactly roll off the tongue, does it? This is going to be a pain to memorise, and the end result is that either the user will forget it, or leave it plastered about their workstation on post-it notes where it's available for anyone to take – not exactly ideal or hassle-free.

Now let's compare this to a 'sentence', or 'passphrase', password. We're going to use a random (but easily memorisable) part of our life to string together a sentence: 'My dog Millie loves the park down the road'. It might seem somewhat ridiculous, but if we make a few minor adjustments to our sentence: 'MY$d0gM1LL1E!L0VESthepark?D0WNtheroad!' – you can see how this would be a nightmare to approach from the perspective of a hacker. This one is a bit of overkill as well, so we can drop it to 'MY$d0g!M1LL1E!L0VESthepark?' or something similar. Passwords that combine all four of these character types and span more than 18 characters would take 7 quadrillion years to hack!
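To make the complexity rules above concrete, here is a small policy checker written for this article (it is an added example, not code from the original post). It counts the four character types, undoes a few common letter-for-symbol substitutions before a dictionary check, and reports the brute-force search space in bits so you can see why the 27-character passphrase outranks the 12-character random string. The word list, substitution table and policy thresholds are assumptions chosen for illustration.

```python
import math
import string

# Constructed, deliberately tiny word list for the dictionary check; a real
# deployment would load a full cracking dictionary (an assumption for this
# example, not part of the original article).
COMMON_WORDS = {"apple", "password", "welcome", "letmein", "qwerty", "monkey", "dragon"}

# The four character types the article refers to.
CHARACTER_CLASSES = {
    "lowercase": set(string.ascii_lowercase),   # 26 characters
    "uppercase": set(string.ascii_uppercase),   # 26 characters
    "digit": set(string.digits),                # 10 characters
    "symbol": set(string.punctuation),          # 32 characters
}

# Common substitutions, undone before the dictionary check so that
# "p@ssw0rd" is still recognised as "password" (illustrative table).
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                          "$": "s", "5": "s", "!": "i"})


def character_classes(password):
    """Return the names of the character classes that appear in the password."""
    return [name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)]


def keyspace_bits(password):
    """Bits of brute-force search space: length * log2(alphabet size), where the
    alphabet is the union of the classes the password actually uses."""
    alphabet = sum(len(CHARACTER_CLASSES[name]) for name in character_classes(password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def evaluate_password(password, min_length=12, min_classes=3):
    """Check a candidate against a complexity policy.

    Returns (accepted, reasons); reasons is empty when the password is accepted.
    The thresholds are illustrative defaults, not a recommendation from the article.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append(f"only {len(password)} characters, policy requires {min_length}")
    classes = character_classes(password)
    if len(classes) < min_classes:
        reasons.append(f"uses {len(classes)} character class(es), policy requires {min_classes}")
    normalised = password.lower().translate(LEET_MAP)
    if normalised in COMMON_WORDS:
        reasons.append("is a dictionary word (after undoing common substitutions)")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ["apple", "Tr@vel2th3Sh0p5", "Xny92Zpul!R?", "MY$d0g!M1LL1E!L0VESthepark?"]:
        accepted, reasons = evaluate_password(candidate)
        verdict = "accepted" if accepted else "rejected: " + "; ".join(reasons)
        print(f"{candidate!r:32} {keyspace_bits(candidate):6.1f} bits  {verdict}")
```

Run it as a script to see the four passwords from the article scored side by side; the passphrase gains its strength from length far more than from the symbols sprinkled through it, which is the point the article is making.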

It's also recommended that users maintain multiple different passwords for various accounts, so that the key to all your digital locks isn't identical. However, remembering so many complicated passwords isn't exactly practical. Password managers can be used to alleviate the problem: cataloguing your passwords and producing them when you need them – while remaining protected under one well-built, encrypted master password.

Although having a password manager may seem like a no-brainer, these programs do come with some shortcomings. If you are logged into your password manager on a personal computer, a remote hack that gains access to your computer may lead to the theft of all your passwords from the one platform. Almost all well-established password managers prioritise security, so they log you out after a user-set time frame, which is a positive aspect but can at the same time be tedious. Password managers can also be harder to access from an external device, by design, so it is best to have your password manager on a biometric-enabled device to keep all your passwords at your fingertips. Finally, for the best service, or when using such programs for an organisation, there may be a monetary cost. Despite these considerations, we'd still encourage you to give them a try to see if they suit your personal disposition and organisational needs.

Figure 2 – LastPass is a popular Password Managing Software.

Two-factor authentication provides an additional layer of security by adding a second step to logging in. Typically, if an unauthorised party gains access to an account's password, they can simply log in and access your data. With two-factor authentication, however, even with access to your password they would still need to acquire another piece of information (e.g. an SMS code or a one-time password (OTP)) to gain access. In this way, access to your data is protected not only by your account password, but also by a (typically time-sensitive) second factor. This can also include a biometric-access step, similar to password managers – such as your fingerprint input – for even more security. A strong and complex passphrase protected by two-factor authentication always takes precedence over individual complex passwords on multiple accounts.

Figure 3 – Evolution of Authentication Diagram courtesy of Security Magazine.

To summarise: password creation, management and use can be a hassle – but the alternative to maintaining this aspect of your security is the potential loss, ransoming or theft of all your important data. Whether you're a business or an individual, taking the time to develop a password strategy should be a top priority for securing yourself online this year. By using difficult-to-crack (but simple-to-recall) passwords, password managers, and two-factor authentication, we hope that you can find a balance of security and convenience. If you have any questions or would like to discuss any of the points further, please don't hesitate to get in touch with our team.