New web leaks are being reported regularly. In the last month Google uncovered what is likely the most troubling leak in 2017. So far. And we're just past halfway through March. The CloudBleed bug may have exposed passwords and other sensitive data from a multitude of sites, including major services like FitBit, Uber, and 1Password. We recommend clients change their passwords at least every six months, and immediately after learning of any breach or vulnerability affecting their accounts.
When changing their passwords, clients often ask what the requirements are. I respond with the common minimum requirements: it must include at least two numbers, two upper case characters, and it must be a minimum of 12 characters long. Unfortunately, that question often indicates an intention to meet the minimum and no more. Although meeting those basic requirements is a good practice, the best practice is having a unique password that exceeds the minimum, that is also personal enough to remember, and that only you will know.
A lengthy string of random numbers and letters – and characters, in some cases – may make for a great password, but the cryptic combination can be difficult to remember even for the person who created it. To resolve this difficulty, we recommend using a personalized sentence or phrase as your password. We suggest this because a common way an intruder will break a password is by using a method known as a brute force attack.
Brute force attacks crack passwords by trying one candidate at a time, in incredibly fast succession, working through a massive list of words drawn from a dictionary. Each word serves as a base password that the cracking tool then mangles and re-mangles to produce as many variations as possible. So, for example, the word ‘password’ is tried as ‘Password’, ‘password123’, ‘PASSword’, and innumerable other versions. Given enough time, almost any password may be broken in this way. However, by using a sentence, you greatly increase the number of guesses an intruder needs before finding your password.
Here is a short list of example passwords in increasing order of difficulty. Notice that, while they may be long and contain a combination of characters, each one could also have memorable significance to its owner. Note that different systems or companies have different password policies, with their own minimum and maximum requirements:
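The two points above, that meeting the minimum requirements is not the same as being strong, and that crackers try mangled variants of dictionary words, can be made concrete with a small policy checker. The following is an added example and not code from the original post: it applies the minimum rules quoted earlier (two digits, two upper-case letters, at least 12 characters), undoes the common mangling tricks (appended digits or symbols, leet substitutions, case changes) to see whether a candidate is just a dressed-up dictionary word, and gives a rough guess-count estimate. The seven-word dictionary, the 1000-variants-per-word multiplier, and the character-class sizes are assumptions chosen for illustration; a real check would load a large word list.

```python
import math
import re

# Constructed stand-in for the word list a cracking tool draws on.
# Assumption: a production check would load a large list, not seven words.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "dragon", "monkey", "sunshine"}

# Assumption: rough number of mangled variants a cracking tool tries per base word.
MANGLING_RULES_PER_WORD = 1000

# Common "leet" substitutions; we undo them to recover the base word.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(candidate: str) -> str:
    """Undo the usual mangling: strip digits/symbols added at either end,
    reverse leet substitutions, and ignore case."""
    core = re.sub(r"^[^A-Za-z@$]+|[^A-Za-z@$]+$", "", candidate)
    return core.translate(LEET_MAP).lower()


def is_dictionary_variant(candidate: str) -> bool:
    """True if the candidate is just a mangled form of a known word."""
    return normalize(candidate) in COMMON_WORDS


def charset_size(candidate: str) -> int:
    """Size of the alphabet an attacker must search for a random password of this shape."""
    size = 0
    if re.search(r"[a-z]", candidate):
        size += 26
    if re.search(r"[A-Z]", candidate):
        size += 26
    if re.search(r"[0-9]", candidate):
        size += 10
    if re.search(r"[^A-Za-z0-9]", candidate):
        size += 33  # printable ASCII symbols
    return size


def estimated_bits(candidate: str) -> float:
    """Rough strength in bits. A dictionary variant only costs the attacker
    (words x mangling rules) guesses, however long or mixed-case it looks."""
    if is_dictionary_variant(candidate):
        return math.log2(len(COMMON_WORDS) * MANGLING_RULES_PER_WORD)
    return len(candidate) * math.log2(charset_size(candidate))


def passphrase_bits(n_words: int, wordlist_size: int) -> float:
    """Strength of a passphrase built from n words chosen at random from a list."""
    return n_words * math.log2(wordlist_size)


def check_policy(candidate: str) -> list[str]:
    """Return the list of problems with a candidate; an empty list means it passes."""
    problems = []
    if len(candidate) < 12:
        problems.append("shorter than 12 characters")
    if len(re.findall(r"[0-9]", candidate)) < 2:
        problems.append("fewer than two digits")
    if len(re.findall(r"[A-Z]", candidate)) < 2:
        problems.append("fewer than two upper-case letters")
    if is_dictionary_variant(candidate):
        problems.append(f"variant of dictionary word '{normalize(candidate)}'")
    return problems


if __name__ == "__main__":
    # Constructed candidates: the first meets every minimum and is still weak.
    for pw in ["PASSword1234", "MyDogAte33Tacos!", "short1A"]:
        print(f"{pw!r}: {estimated_bits(pw):.1f} bits, problems={check_policy(pw)}")
    print(f"4 random words from a 7776-word list: {passphrase_bits(4, 7776):.1f} bits")
```

The interesting case is "PASSword1234": it satisfies the length, digit and upper-case minimums, yet the checker rejects it because stripping the trailing digits and lowering the case leaves "password". A sentence-style password such as "MyDogAte33Tacos!" passes every rule and, because it is not a single mangled word, forces the attacker into the full character-by-character search instead.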
In addition to creating strong passwords, it helps to routinely update your passwords. There is no standard rule for length of time to retain a password, but regularly scheduled updates can help keep an account secure (opinions diverge on this point, with experts generally agreeing that the level of difficulty is far more important than the frequency of change).
Lastly, avoid using the same password for different accounts. If one password is broken, a skilled intruder may attempt to find associated accounts and test the compromised password there as well. Using an identical password would thereby make all your connected accounts vulnerable to attack.
If you'd like to talk about passwords or other ways to keep your computers and network safe, leave us a comment below or drop us a line.