Password policies and best practices for them have changed. The days of forcing staff to change their passwords regularly are pretty much gone, along with overly complex passwords that are difficult for people to use.
Current recommendations no longer require staff to change their password periodically (this is also the position of NIST SP 800-63B). People should change a password only when they have to: after a security incident such as an account compromise, or when the password has been forgotten.
Another recommendation concerns length. More often than not, the passwords you used to use were an 8-character mix of letters and numbers. We now recommend the longer the better: Microsoft 365 accepts passwords of up to 256 characters. Every extra character raises the password's entropy, provided the extra characters are not predictable from the ones before them.
For those mathematically inclined… Password entropy is a measure of how unpredictable a password is, and yes, there is a unit for it: bits. It estimates how hard a given password would be to recover by guessing, dictionary attacks, brute force and similar methods. For a string of L characters each chosen uniformly at random from an alphabet of N symbols the figure is L × log2(N); for the details, see the Password Strength page on Wikipedia.
Entropy gives you an idea of how hard a password is to brute-force, but it says nothing about whether the password is guessable. “Password123” scores reasonably well by the calculator used here (47.4 bits), yet it falls in seconds to a dictionary or wordlist attack, because it is on every list of common passwords.
- < 28 bits = Very Weak; might keep out family members
- 28 – 35 bits = Weak; should keep out most people, often good for desktop login passwords
- 36 – 59 bits = Reasonable; fairly secure passwords for network and company passwords
- 60 – 127 bits = Strong; can be good for guarding financial information
- 128+ bits = Very Strong; often overkill, but it keeps us impressed
An example of what we would consider a strong passphrase is “Y3llow-Tounge-Liz?rd-Out-Back2” (very strong, 155.2 bits). Looks easy to remember, right? Thirty characters long, and far easier to remember than a random string such as “Nbs7yGf2$whanb8yhG1*akonw09fHM” (very strong, 155 bits). To push it further, alter the words so they no longer match a dictionary entry: in the example, Yellow has a 3 in place of the e and Lizard a ? in place of the a. That costs your memory little, but be aware that cracking tools apply exactly these common swaps (3 for e, @ for a, 0 for o) as rules before their wordlist lookups, so a substitution adds much less than another word does. The real strength of a passphrase comes from its length and the number of unrelated words in it.
So, instead of the older short, complex passwords that most people struggle to remember, like ‘*yE32@tH(aDgt’ (62.7 bits), the general recommendation is to use passphrases like the one above. A passphrase is also far less likely to end up written on a sticky note stuck to the screen or under the keyboard.
So what NOT to have in your password?
- No personally significant information such as family names or pet names
- No significant dates or numbers such as birthdays, birth year or street address
- No username, login name or any component of your email address
- No commonly substituted patterns like p@ssw0rd (weak, 34.6 bits) or one23fourfivesix (strong, 62.7 bits); yes, it does happen. Both are covered by the rule sets and wordlists crackers use, whatever their entropy score.
Also: don't reuse passwords, and don't use any password that appears in a published breach list. And don't type a real password into an online strength checker, since the site may retain it and use it.
As we mentioned, password entropy is just one part of the equation.
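To make both halves of that equation concrete, here is an added Python example (not code from the original post or from Network Alliance). It scores a password with the naive formula L × log2(N) and the five bands listed above, then runs the checks from the list: a minimum length, a denylist matched after undoing common substitutions, and the user's own username, name, email components and birth year. The 14-character minimum, the substitution table, the denylist and the sample identity are all constructed for the example. Its bit counts will not match the calculator used in the post, because that tool applies its own model; the bands and the verdicts are the point.

```python
"""Added example: naive password entropy plus the policy checks from the post."""
from __future__ import annotations

import math
import re
import string
from dataclasses import dataclass, field
from typing import Optional

# Character classes for the naive pool-size estimate H = L * log2(N).
CHARACTER_CLASSES = (
    (frozenset(string.ascii_lowercase), 26),
    (frozenset(string.ascii_uppercase), 26),
    (frozenset(string.digits), 10),
    (frozenset(string.punctuation + " "), 33),  # 32 ASCII symbols plus space
)
KNOWN_CHARS = frozenset().union(*(chars for chars, _ in CHARACTER_CLASSES))

# Entropy bands exactly as listed in the post (exclusive upper bound, label).
BANDS = ((28, "Very Weak"), (36, "Weak"), (60, "Reasonable"), (128, "Strong"))

MIN_LENGTH = 14  # assumed policy value for this example; the post sets no number

# Substitutions that cracking rule sets undo before a wordlist lookup (constructed subset).
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Undo common substitutions and case so 'P@ssw0rd' compares equal to 'password'."""
    return password.translate(LEET).lower()


# Constructed stand-in for a breach-derived wordlist, stored in normalized form.
DENYLIST = frozenset(normalize(w) for w in (
    "password", "password123", "qwerty", "letmein", "welcome",
    "iloveyou", "123456", "one23fourfivesix",
))


def pool_size(password: str) -> int:
    """Alphabet size N implied by the character classes the password actually uses.
    Characters outside the ASCII classes each count as a one-symbol class."""
    pool = sum(size for chars, size in CHARACTER_CLASSES if any(c in chars for c in password))
    return pool + len({c for c in password if c not in KNOWN_CHARS})


def entropy_bits(password: str) -> float:
    """Brute-force entropy in bits, assuming every character was chosen uniformly at random."""
    if not password:
        return 0.0
    return len(password) * math.log2(pool_size(password))


def strength_band(bits: float) -> str:
    """Map a bit count onto the post's five bands."""
    for upper, label in BANDS:
        if bits < upper:
            return label
    return "Very Strong"


@dataclass
class Identity:
    """What an attacker who knows the user could guess (constructed sample data)."""
    username: str = ""
    email: str = ""
    full_name: str = ""
    birth_year: Optional[int] = None

    def tokens(self) -> set[str]:
        """Username, name parts and email local part (3+ chars each), plus the birth year."""
        found = set()
        for item in (self.username, self.full_name, self.email.split("@")[0]):
            found.update(t.lower() for t in re.split(r"[^A-Za-z0-9]+", item) if len(t) >= 3)
        if self.birth_year:
            found.add(str(self.birth_year))
        return found


@dataclass
class Report:
    bits: float
    band: str
    problems: list[str] = field(default_factory=list)

    @property
    def acceptable(self) -> bool:
        return not self.problems


def audit(password: str, identity: Optional[Identity] = None) -> Report:
    """Score the password, then apply the 'what NOT to have' rules."""
    bits = entropy_bits(password)
    report = Report(bits=bits, band=strength_band(bits))
    norm = normalize(password)
    if len(password) < MIN_LENGTH:
        report.problems.append(f"shorter than {MIN_LENGTH} characters")
    if any(word in norm for word in DENYLIST):
        report.problems.append("contains a denylisted word once substitutions are undone")
    if identity is not None:
        for token in sorted(identity.tokens()):
            if normalize(token) in norm:
                report.problems.append(f"contains personal information: {token!r}")
    return report


if __name__ == "__main__":
    me = Identity("jsmith", "jane.smith@example.com", "Jane Smith", 1987)
    for candidate in ("Password123", "p@ssw0rd", "Jane1987!rocks",
                      "Y3llow-Tounge-Liz?rd-Out-Back2", "Butter^pancakes^not-Toas5-42early"):
        r = audit(candidate, me)
        verdict = "OK" if r.acceptable else "REJECT: " + "; ".join(r.problems)
        print(f"{candidate:36} {r.bits:6.1f} bits  {r.band:11} {verdict}")
```

Running it shows the post's point directly: “Password123” and “p@ssw0rd” land in respectable bands yet are rejected because they normalize to a denylisted word, while the two passphrases pass every check. Swap the constructed denylist for a real breach corpus (or a k-anonymity lookup against one) before using anything like this in production.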
So the final suggestion from Network Alliance is to take five random words, link them together, make a few substitutions and use the result, for instance Butter^pancakes^not-Toas5-42early (very strong, 171 bits). After a few goes you'll remember it for a long time to come.