Passwords are the keys that allow your employees to access your network. As a result, password security is one of the most vital aspects of your network security. Unfortunately, it is also one of the most overlooked.
Although 91% of internet users reportedly understand the risk of reusing a password across multiple websites and accounts, 51% of them do it anyway. With nearly half of U.S. workers using the same passwords for personal and work accounts, it is not surprising that 80% of data breaches in 2019 were attributed to weak or stolen passwords.
Thankfully, there are steps you can take to bolster your network’s security. By analyzing some of the most common oversights people make when selecting a new password, Brave River Solutions came up with this list of things to avoid when creating a password.
Don’t choose a new password that is:
1. Exposed
An exposed password is one that appears on a published list of passwords recovered from at least one past data breach. Attackers load these lists into their cracking and credential-stuffing tools first, so any password on them should be treated as already known. Such lists are publicly searchable through services such as Have I Been Pwned, which lets you check a password without revealing it in full.
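The check described above can be built into a registration or password-change flow without sending the password anywhere. Have I Been Pwned's Pwned Passwords range endpoint accepts only the first five hex characters of the password's SHA-1 hash and returns every breached hash suffix sharing that prefix; the full hash is compared locally. The following is an added example, not code from the original article or from Have I Been Pwned: the live fetch function calls the real endpoint, while the demo runs offline against a constructed response whose breach counts are made up.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password and split the hex digest into the 5-char prefix that
    is sent to the service and the 35-char suffix that never leaves this host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """Return how many times the password was seen in breaches (0 = not found).
    fetch_range is injected so the lookup can be tested offline."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def live_fetch_range(prefix: str) -> str:
    """Real k-anonymity lookup over the network (not used by the offline demo)."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "password-policy-example"},  # HIBP requires a UA
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the service. The counts are invented; only the
# response shape (one "SUFFIX:COUNT" line per breached hash sharing the prefix)
# mirrors the real endpoint.
_CONSTRUCTED_BREACHED = {"password": 3861493, "qwerty": 3912816}


def fake_fetch_range(prefix: str) -> str:
    lines = ["0018A45C4D1DEF81644B54AB7F969B88D65:1"]  # constructed filler entry
    for pw, count in _CONSTRUCTED_BREACHED.items():
        p, s = split_hash(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\r\n".join(lines)


if __name__ == "__main__":
    for candidate in ["password", "correct horse battery staple"]:
        n = pwned_count(candidate, fake_fetch_range)
        print(f"{candidate!r}: {'exposed ' + str(n) + ' times' if n else 'not found'}")
```

Only the five-character prefix leaves the machine, which covers hundreds of hashes per prefix, so the service cannot tell which password was checked. Swap `fake_fetch_range` for `live_fetch_range` to query the real service; a non-zero count should reject the password outright rather than merely warn.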
2. Too Short
There is a reason most sites require a password of at least eight characters. But eight is a floor, not a target: every additional character multiplies the work a brute-force or mask attack has to do, and eight-character passwords with a predictable structure fall quickly to modern GPU cracking. That is why Brave River recommends that all passwords be longer than eight characters.
3. Too Simple
This refers to your choice of characters. There are four types of characters you can use in a password: symbols, numbers, upper-case letters, and lower-case letters. A password is considered too simple if it draws on only two of the four. Length and character mix have historically been treated as the only two measures of a strong password; that is no longer the case, which is the reason for the next three tips.
4. Too Predictable
A randomly constructed password is better than one with an identifiable pattern. One pattern in particular is the most common among user passwords globally and should be avoided: a word with one or more capital letters, followed by numbers, followed by symbols. MyDog2112! and thisToo991# are both examples of passwords that would be considered too predictable. It is not surprising that this is the most common pattern, since sentences in Western languages start with an upper-case letter and end with punctuation, and cracking tools ship rules and masks that target exactly this shape. Try different patterns with your passwords.
5. Not Varied Enough
A password is considered not varied when the character types are all grouped together rather than interspersed throughout. For example, 1234ABcd!#$* is a far more predictable password (and less secure) than 12AB!#34cd$*, because the numbers, letters, and symbols in the first example sit in contiguous blocks that a mask attack can describe in a single candidate pattern. Interspersing the classes removes that shortcut, although it is still no substitute for a longer, randomly generated password.
6. Using Common Replacements
Just because you vary the characters does not mean a password is strong. If predictable replacements (e.g. zero instead of o, $ instead of s, @ instead of a) are the only way in which you vary your password, it is still considered too easy to crack: password-cracking rule sets undo these "leet" substitutions automatically, so B0$ton! is essentially no more secure than Boston!. It is far more effective to mangle or intentionally misspell a word than to replace letters with look-alike characters. Bahh$tuhhn!, for instance, is relatively easy to remember but does not appear in any wordlist and is not produced by the standard substitution rules, so it is much harder for an attacker to crack.
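Rules 2 through 6 above can be turned into a single policy check run before a new password is accepted. The following is an added example written for this article, not code from Brave River; the rule names, the minimum length of nine (the article's "more than eight"), the leet substitution table and the tiny word list are all assumptions made here, and a real deployment would load a full breach or dictionary wordlist in place of the constructed one.

```python
import re

# Assumed floor for this example, following the article's "longer than eight".
MIN_LENGTH = 9

# Constructed, deliberately tiny stand-in for a real wordlist.
COMMON_WORDS = {"boston", "password", "welcome", "summer", "dragon", "monkey"}

# Common replacements that cracking rule sets reverse automatically; undoing
# them here is what makes B0$ton! and Boston! look identical to the checker.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Rule 4: letters, then digits, then symbols (the digits and symbols optional).
PREDICTABLE = re.compile(r"^[A-Za-z]+[0-9]*[^A-Za-z0-9]*$")


def char_class(c: str) -> str:
    """Map a character to one of the four classes the article names."""
    if c.isupper():
        return "U"
    if c.islower():
        return "L"
    if c.isdigit():
        return "D"
    return "S"


def class_runs(pw: str) -> list[str]:
    """Collapse consecutive characters of the same class into one run,
    e.g. 1234ABcd!#$* -> ['D', 'U', 'L', 'S']."""
    runs: list[str] = []
    for c in pw:
        k = char_class(c)
        if not runs or runs[-1] != k:
            runs.append(k)
    return runs


def normalize_leet(pw: str) -> str:
    """Undo common replacements, keep letters only, lower-case the result."""
    return "".join(c for c in pw.translate(LEET) if c.isalpha()).lower()


def check_password(pw: str, min_length: int = MIN_LENGTH) -> list[str]:
    """Return the names of every rule the password fails (empty list = pass)."""
    failures: list[str] = []
    if len(pw) < min_length:                       # rule 2
        failures.append("too_short")
    classes = {char_class(c) for c in pw}
    if len(classes) <= 2:                          # rule 3
        failures.append("too_simple")
    if PREDICTABLE.match(pw):                      # rule 4
        failures.append("predictable_pattern")
    # Rule 5: "grouped" means each class occupies one contiguous block, so the
    # run count equals the class count. Only meaningful with three or more
    # classes, since rule 3 already covers the simpler cases.
    if len(classes) >= 3 and len(class_runs(pw)) == len(classes):
        failures.append("grouped_classes")
    if normalize_leet(pw) in COMMON_WORDS:         # rule 6
        failures.append("dictionary_word")
    return failures


if __name__ == "__main__":
    for sample in ["MyDog2112!", "1234ABcd!#$*", "12AB!#34cd$*",
                   "B0$ton!", "Boston!", "Bahh$tuhhn!"]:
        print(f"{sample:14} {check_password(sample) or 'ok'}")
```

The article's own examples behave as described: MyDog2112! trips only the predictable-pattern rule, 1234ABcd!#$* only the grouping rule, and B0$ton! is rejected as the same dictionary word as Boston! because the substitutions are reversed before the lookup. Returning the list of failures rather than a single boolean lets the UI tell the user exactly what to change.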
One rule of thumb that many people subscribe to is that the longer a password, the better. There is real truth to that: length is the single largest factor in how long a password survives a guessing attack. But a long password that repeats the other mistakes covered in this article, such as a dictionary word with predictable digits and a symbol appended, is still far weaker than its length suggests.
There are many community, academic, and industry efforts and publications on this topic. Our “Top 6” list was culled from data we have collected and analyzed as part of our efforts to improve security for our clients. If you are interested in learning more about this topic, please contact us.
Final Note and Coming Soon… Strong passwords are important, but a password alone is a single factor that can be phished, reused, or leaked, so it will always pose some risk. Be on the lookout for our upcoming blog post on multi-factor authentication (MFA)!