Password protection is more important than ever. Hackers are more intelligent and wise to techniques that can be used to gain access to accounts. Meanwhile, members of the general public still use weak passwords and use the same password across multiple accounts, even when protecting valuable data or assets. Here we show you how to create secure passwords using entropy and password management.
High Entropy Passwords
The safest passwords are those with high entropy. The passwords that have the most randomness are, technically speaking, the safest and most difficult to hack. Passwords must be as close to truly random as possible in order to be secure.
Common bad passwords are those that are easy to guess. Classic examples include “123456”, “Name/DOB”, and “ADWMPTW”, which looks random at first but is actually 2-9 on the smartphone numerical pad.
Some online services force the use of capitals and numbers. The use of numbers, symbols, and other unusual characters were once quoted as a way of creating a safe password, but the problem with this approach is two-fold. The first is that the user is likely to make simple adjustments like capitalizing the first letter of the password or adding the number “1” at the end. The second is that hackers are now wiser to the use of characters to replace letters, so the “$” for an “S” no longer improves strength by any significant amount.
If using open-source programs like Zimbra, you can change the password policy to require stronger passwords. Changing the password policy ensures that you don’t generate poor passwords unknowingly.
A common misconception is that longer passwords have higher entropy. This is not necessarily true. A single word in the dictionary, no matter its length, has 16 bits of entropy. However, longer does tend to be better, as more characters make for more opportunity for randomness, and keep hackers guessing for longer.
One approach to password creation, described by former NASA scientist Randall Munroe, is to use a memorable yet random phrase or collection of words, such as “correcthorsebatteryshape”. Phrases like this typically have an entropy value of 44 bits, and make for strong passwords, while also being relatively easy to memorize. A brute force attack of 1,000 guesses per second would take 550 years to guess a password with this level of entropy.
Additional Layers Of Protection
For protecting sensitive data, accounts that involve money and assets, or indeed your password management system, it’s better not to rely on a single password for access.
Companies who have a duty to protect user accounts because of financial implications, such as Barclays bank and PokerStars sometimes offer two-step authentication options. This can involve receiving an email or text upon entering your usual password, which contains a one-time password that must also be entered to gain access to an account. Other options include an additional PIN number, or RSA token – which is a physical device that generates time-sensitive one-time-only passwords.
It’s recommended that you utilize two-step authentication whenever it is offered for account protection, or whenever you want to add an extra layer of security to protect your accounts.
In mid-2017, Google released a report that showed that their researchers had been able to sweep over 1.9 billion non-unique usernames and account passwords. The research had far-reaching implications for a number of reasons, but it showed that changing your password regularly is important, as is using different passwords for your accounts. Doing this means that all of your online accounts won’t be in danger if a single password is stolen.
We use so many online services these days that the idea of generating a strong and random password for each and every account, and actually remembering them all, seems ludicrous. Yet it is essential for online security, and this is where password management systems come into play.
Password management systems help you to generate random passwords, store the passwords with encryption, and manage passwords across multiple accounts. Microsoft has a basic password management system called Edge built into Windows 10, and Chrome and Mozilla both have basic ones too.
Paid password management software such as LastPass or DashLane is a solid choice, especially for business accounts. All you need to do is create a very secure password for your password management system, and all other passwords can be randomly generated within the software.
Password protection is essential in this age where we have online accounts for everything. High entropy passwords are the first step to protection. You should also use different passwords for each account and to keep track of them all you may want to use a password management system. Two-step authentication should be used to protect the password for your management system, or whenever you need additional security.