- How Secure is your Password?
- What Constitutes a good Password?
- Wi-Fi Password Security
- Password Managers, are they secure?
- Recommendations for a Secure Password
Password choice is increasingly important for using the internet safely. Almost every website we visit asks for login details before it grants access to its content, so it is vital to think carefully about what we hand over to these sites, and in particular about the passwords we choose. In this article I discuss why a good password policy matters and how to protect yourself by following some sound security practices.
2. How Secure is Your Password?
Many years ago, when computers had limited processing power, a basic password may have been adequate. With today's hardware a complex password has become a mandatory requirement. Many websites offer a password strength checker that lets you test any given password. The strength is reported as the estimated time an average desktop computer would need to guess (crack) the password by trying every combination. To give you an example, consider the following passwords and how long a modern PC is estimated to take to guess them. The figures were produced with the password checker published by the antivirus company Kaspersky.
- dog (11 sec)—Dog (5 sec)—dog123 (35 sec)—Dog123 (2 min)—Dogbark456 (3 months)
- John (1 sec)—John4536 (3 hr)—John4536! (15 days)—John4536U? (10 months)
- CaRp (2 min)—CaRp872! (12 days)—CaRp8723A? (4 years)—CaRp8723Ap?! (400 years)
The times quoted above are estimates from a mathematical model of brute-force guessing, so you will find some variation between checkers. From my testing, the Kaspersky checker gives a good average representation of password strength. Bear in mind what the model leaves out: it assumes the attacker tries every combination on a single PC, whereas a real cracker runs on GPUs and tries dictionary words and common patterns first, so a password built from a recognisable word plus a few digits falls much faster than its estimate suggests. A word of warning: if you wish to experiment with these checkers, do not enter your real passwords. Most of these sites are reputable, but extra precaution is called for here.
Use a unique password for every website that requires a login. This vitally important point is overlooked by many users. The reason is simple: when you register with a website, it keeps a record of your password on its servers, ideally only as a salted hash, but in practice sometimes poorly protected or even in plain text. If those servers are compromised, your password may become public, and attackers routinely try leaked email and password pairs against other sites. With one password per website, all you have to do is change the password for the affected site. Otherwise you face a nightmare: changing your password on every website you have ever registered with.
3. What Constitutes a good password?
So what do the examples above show? Combining lowercase letters, uppercase letters, numbers and non-alphanumeric characters gives a stronger password, because each extra character class enlarges the set of combinations an attacker must search. This diversity is usually expressed as password entropy, a measure of how unpredictable the password is: the higher the entropy, the better. For the same reason, avoid familiar words and repeated characters, since a cracker that tries dictionary words and simple patterns first needs far fewer guesses than the brute-force estimate assumes.
So how long is a good password you may ask?
The answer is somewhat subjective. In general, the longer the password the more secure it is. From a practical perspective, most organisations insist on a minimum of 8 characters including at least one lowercase letter, one uppercase letter, one digit and possibly a symbol.
Please bear in mind that these recommendations are based on two factors:
- The computing power available with today's technology.
- A password policy that is easy to implement with the average user in mind.
For these reasons an 8-character password can only be considered a bare minimum that meets today's requirements. Recall from the previous section that CaRp872!, which satisfies the policy above, would take an average PC only about 12 days to guess. It is therefore likely that in the coming years, as computing power grows further, these recommendations will be revised towards greater length and complexity.
A more sensible approach is to invest in a more robust password now and avoid having to change again in the near future. Going back to the examples, the 10-character password CaRp8723A? would take an estimated 4 years to crack, and the 12-character CaRp8723Ap?! about 400 years. In conclusion, a password length of 10 to 12 characters is a more practical and realistic target. In the end you must strike a balance between a complex password and one you can remember without writing it down everywhere, which would defeat the purpose. In this regard it is worth investing in a good password manager, which removes the burden of remembering and lets you use long random passwords everywhere.
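The estimates in sections 2 and 3 come down to one calculation: the number of characters an attacker must assume in the alphabet, raised to the length of the password, divided by the guess rate. The following script is an added example written for this article, not the Kaspersky checker's code, and it reproduces that calculation for the passwords quoted above. The two guess rates are assumed round numbers chosen for illustration, which is why its times differ from the Kaspersky figures; it also generates a password from the `secrets` module that draws on all four classes.

```python
import math
import secrets
import string

# Character classes as the article describes them: lowercase, uppercase,
# digits and non-alphanumeric symbols (string.punctuation holds 32 symbols).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

# Assumed guess rates in guesses per second. Illustrative round numbers
# chosen for this example, not measurements of any real cracker.
GUESS_RATES = {
    "single desktop CPU": 1e6,
    "GPU cracking rig": 1e10,
}


def charset_size(password: str) -> int:
    """Alphabet size an attacker must search, given which classes are present."""
    size = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))
    if size == 0:
        raise ValueError("password contains no characters from the known classes")
    return size


def brute_force_bits(password: str) -> float:
    """Entropy of an exhaustive search: log2(charset ** length)."""
    return len(password) * math.log2(charset_size(password))


def expected_seconds(password: str, guesses_per_second: float) -> float:
    """Expected brute-force time: on average half the keyspace is searched."""
    keyspace = charset_size(password) ** len(password)
    return keyspace / 2 / guesses_per_second


def humanize(seconds: float) -> str:
    """Render a duration the way strength checkers do (seconds up to years)."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.2f} seconds"


def generate_password(length: int = 12) -> str:
    """Random password drawn from all four classes using the secrets module.

    Rejection-sample until every class is present, so charset_size() reports 94.
    """
    if length < 4:
        raise ValueError("need at least one character per class")
    alphabet = "".join(CLASSES.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in chars for c in candidate) for chars in CLASSES.values()):
            return candidate


def report(password: str) -> dict:
    """Per-password summary: charset, entropy bits and time at each assumed rate."""
    return {
        "charset": charset_size(password),
        "bits": round(brute_force_bits(password), 1),
        **{name: humanize(expected_seconds(password, rate))
           for name, rate in GUESS_RATES.items()},
    }


if __name__ == "__main__":
    # The article's own examples, from weakest to strongest.
    for pw in ["dog", "Dog123", "John4536!", "CaRp872!", "CaRp8723A?", "CaRp8723Ap?!"]:
        print(f"{pw:14} {report(pw)}")
    print("generated:", generate_password(12))
```

Each added character multiplies the keyspace by the alphabet size, so going from 10 to 12 characters of the 94-character alphabet multiplies the work by 94 squared, roughly 8,800 times, which is the jump from "4 years" to "400 years" in the table. The figures are an upper bound: a dictionary-based cracker never searches the whole keyspace for a password like Dogbark456.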
4. Wireless (Wi-Fi) Password Security:
Nowadays almost every household has an internet connection. The service requires an internet router, commonly known as a broadband router, which brings the broadband service into the home over a cable of some kind.
The concern arises when this broadband service is distributed to members of your household over wireless (Wi-Fi). In the early days of wireless networking the security options were limited: the original scheme was WEP (Wired Equivalent Privacy). It was later found that WEP could be cracked easily, which pushed the need for a more secure method, and WPA was introduced in 2003. This was improved further into WPA2, which can be paired with either TKIP or AES (CCMP) encryption.
Today the recommended choice for home users is WPA2 with AES (CCMP), or WPA3 where your router and devices support it. Not only does it give you stronger security, but in my experience you get better wireless throughput too. Wireless still comes at a cost: anyone within radio range can record your traffic. WPA2 never sends the password itself over the air, but the handshake exchanged when a device joins can be captured and used to test password guesses offline at leisure, and this is where a good choice of password becomes mandatory. A strong passphrase will deter the nosiest of neighbours or passers-by and keep your connection secure.
One extra point worth mentioning: use the guest network feature in your router to give visitors access without sharing your main password. This feature is widely available in most routers today, so take advantage of it and set it up correctly, with its own password and isolated from your own devices. You can follow my other blog post if you require more details on Wi-Fi security.
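To make the "offline guessing" point concrete, here is an added example (written for this article, not code from any router vendor) of how a WPA/WPA2 passphrase becomes the pre-shared key: IEEE 802.11i derives it with PBKDF2-HMAC-SHA1, using the SSID as the salt and 4096 iterations, and Python's standard library can reproduce the published test vector. The `offline_guess` function models what an attacker does after recording one handshake: derive the key for each candidate passphrase and see which one fits. A real cracker confirms a guess by recomputing the handshake MIC; this example compares the derived key directly, which is the same PBKDF2 cost per guess. The network name and the wordlist are constructed for the example.

```python
import hashlib


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2 pre-shared key from a passphrase and SSID.

    IEEE 802.11i defines PSK = PBKDF2(HMAC-SHA1, passphrase, SSID, 4096, 256 bits),
    so the SSID acts as the salt and 4096 HMAC-SHA1 rounds are the whole work factor.
    """
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii():
        raise ValueError("WPA2 passphrases are 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def offline_guess(ssid: str, candidates, target_psk: bytes):
    """Model the attacker's offline loop after recording one 4-way handshake.

    The attacker needs nothing further from the network: every guess is a
    local PBKDF2 computation. Returns (matching passphrase or None, guesses tried).
    """
    tried = 0
    for guess in candidates:
        tried += 1
        if wpa2_psk(guess, ssid) == target_psk:
            return guess, tried
    return None, tried


# Constructed sample wordlist standing in for the top of a cracking dictionary.
WORDLIST = ["12345678", "password", "qwertyui", "letmein1", "iloveyou", "football"]

if __name__ == "__main__":
    # Matches the 802.11i test vector for passphrase "password", SSID "IEEE".
    print(wpa2_psk("password", "IEEE").hex())
    weak = wpa2_psk("password", "HomeNet")        # what a captured handshake exposes
    strong = wpa2_psk("CaRp8723Ap?!", "HomeNet")
    print(offline_guess("HomeNet", WORDLIST, weak))
    print(offline_guess("HomeNet", WORDLIST, strong))
```

Two things follow from the derivation. The SSID is the only salt, so a common network name lets an attacker reuse precomputed keys; renaming the router away from its default helps. And 4096 rounds of SHA-1 is a small work factor for a GPU, so the passphrase itself has to carry the strength: a dictionary word falls in a handful of guesses, while a long random passphrase never appears in the list at all.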
5. Password managers, are they secure?
Despite their wide availability, password managers were not widely adopted by users until recently. People seem reluctant to use them and prefer the traditional method of listing their passwords in the good old spreadsheet.
Password managers come in two flavours: browser-embedded and third-party. The first type is generally adequate and has improved over the years. Third-party managers, however, tend to offer extra useful features such as two-factor authentication, password strength checks, auto-fill of additional forms such as those used by banks, and flexible backup locations. One feature deserves your attention. Every manager relies on a single master password that unlocks the whole vault, and some also offer a recovery option for when it is forgotten. As useful as recovery is in a crisis, it is one more key to all of your passwords and a single point of failure, so choose a long master password that you use nowhere else, and keep any recovery key offline and out of reach.
Choose a good third-party password manager. Look for two-factor authentication, ease of use, biometric integration, good backup options and syncing across your devices so you do not need to type complex passwords on your mobile phone. Two-factor authentication, sometimes referred to as multi-factor authentication (MFA), adds significant strength to keeping your accounts secure, because it blocks access should your password become compromised. PCMag has reviewed several password managers and presents a good feature comparison with recommendations.
6. Recommendations for a secure password:
Below are ten good ways to keep your passwords secure. Please consider each recommendation carefully:
- Use a different password for every website that requires a login. This way, if one website is hacked, your other passwords are safe.
- Avoid dictionary words and any other words that are easy to guess.
- Change the default username and password on devices such as routers.
- Use a password with a mix of lowercase letters, uppercase letters, numbers and non-alphanumeric characters.
- Never use words associated with your family profile, such as names, dates of birth or your address.
- Use a password of reasonable length, at least 10 characters, which is difficult to guess yet possible to recall.
- Do not keep your password list in plain text files on your computer.
- Where possible, sign in through a major identity provider such as Google, Facebook or Twitter. This reduces the number of passwords you have to create, but it makes that one account the key to the others, so protect it with two-factor authentication.
- Use a password manager. These utilities encrypt all your passwords and keep them safe, and many support two-factor authentication (2FA) as an extra security layer.
- Be extra careful about entering important passwords on public Wi-Fi networks, where other users or attackers on the same network may be able to intercept your traffic. Only log in to sites served over HTTPS, or use a VPN.
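Several of the recommendations above can be checked mechanically. The script below is an added example for this article (not a published tool) that encodes the rules that can be tested: minimum length, a mix of character classes, no dictionary words, no personal details or years, no default credentials, and no password reused across sites. The dictionary and default-credential lists are tiny constructed samples; a real check would load a full wordlist and a breach-derived list. Run against the article's own examples, it shows why the brute-force estimates of section 2 are generous: CaRp8723Ap?! still contains a dictionary word.

```python
import re

# Constructed sample lists for this example only.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "dog", "carp", "john", "monkey"}
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
CLASS_PATTERNS = {
    "lower": r"[a-z]",
    "upper": r"[A-Z]",
    "digit": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}
YEAR = re.compile(r"(19|20)\d\d")   # birth years and the like are easy to guess


def check_password(password, *, username=None, personal=(), min_length=10):
    """Return a list of findings; an empty list means the password passes every rule.

    `personal` is an iterable of strings that should never appear in the
    password (names, address fragments, date strings).
    """
    findings = []
    lowered = password.lower()
    if len(password) < min_length:
        findings.append("too_short")
    for name, pattern in CLASS_PATTERNS.items():
        if not re.search(pattern, password):
            findings.append(f"missing_class:{name}")
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            findings.append(f"dictionary_word:{word}")
    for item in personal:
        if item and item.lower() in lowered:
            findings.append(f"personal:{item}")
    if YEAR.search(password):
        findings.append("contains_year")
    if username and username.lower() in lowered:
        findings.append("contains_username")
    if any(char * 3 in password for char in set(password)):
        findings.append("repeated_character")
    return findings


def is_default_credential(username, password):
    """True when the pair is a factory default that should have been changed."""
    return (username.lower(), password) in DEFAULT_CREDENTIALS


def find_reused(vault):
    """Map each password used for more than one site to the sites sharing it."""
    by_password = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    for pw in ["dog", "John4536!", "Dogbark456", "CaRp8723Ap?!", "Xk9#qL2$vB7!"]:
        print(f"{pw:14} {check_password(pw, personal=('John',))}")
    print(is_default_credential("Admin", "admin"))
    # Constructed vault: two sites sharing one password.
    print(find_reused({"bank": "Xk9#qL2$vB7!", "mail": "Xk9#qL2$vB7!", "shop": "other1!"}))
```

Findings are returned as short codes rather than printed so the check can be wired into a registration form or a periodic audit of an exported vault. The reuse check is the one most users need: it needs no knowledge of the passwords' strength, only that the same string appears against more than one site.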