In cyber security, passwords serve as the first line of defense for individual users and large corporate networks alike. They are easy to underestimate in a world of encryption methods like SSL, advanced firewalls and anti-virus software capable of removing the most intricately built malware and trojans. But without the initial barrier that passwords provide, recent history has shown that determined attackers with the right coding and exploit-development experience can find their way into most network infrastructures.
These days, because so many essential internet functions require a password of some sort, most internet users know they can’t rely on the most rudimentary options. Simply put, the days of “password” and “[insert birthday here]” are over. But that doesn’t mean those absurdly easy choices are being replaced by passwords that are genuinely secure.
IT and information security experts have made it clear that thorough complexity guidelines will need to become the norm in modern personal and professional life, not just for those who regularly handle extremely sensitive corporate or government information. Such techniques are likely to be included in the curriculum of graduate-level cyber security classes that those planning a career in the field will end up taking, so early familiarity with the practices could be a considerable help for prospective students.
Practices to avoid
Veteran cyber security reporter Brian Krebs, who broke news of the 2013 hack on his personal blog Krebs On Security before the mainstream media got wind of the story, noted that avoiding simplicity should be one’s first step in creating a strong password. Particularly poor choices include:
- Birthdays (even partner, child or relative birthdays as opposed to one’s own).
- Social Security numbers.
- Network names (this is not Edgar Allan Poe’s “The Purloined Letter” and the hiding-in-plain-sight principle doesn’t apply).
- Passwords based on keyboard patterns (“QWERTY,” et al.).
Additionally, in an interview with Wired, Joe Siegrist, the VP and GM of password management solution LastPass, stated that it’s extremely unwise to use the same password for multiple sites, even if you’ve steered clear of the concerns above and created a complex combination.
“Even if you have an ‘unimportant’ password and an ‘important’ password tier, it’s very unsafe,” Siegrist said. “It makes it way too easy for a hacker to attack one site and get your password to all the others.”
Special characters and positive password principles
Given that password creation rests on complexity, it makes sense that special characters (ampersands, punctuation marks, brackets and so on) are now used frequently, even by cyber security novices. Experts in the field generally endorse this practice enthusiastically, though there are some caveats.
For example, FTC Chief Technologist Lorrie Faith Cranor said that special characters shouldn’t be bunched up in one part of the password but rather spread evenly throughout it. Creating a password that uses an actual word as its foundation but replaces some of its letters with special characters, a practice from the diehard gamer community called “leet speak,” or rather “L33t $p3@k,” is an excellent way to meet this goal.
Finding a balance
Krebs explained that length (the number of characters) is a fundamental principle of password creation that is sometimes forgotten. To be clear, using a diverse selection of letters, numbers and symbols is still better than going for one of the absurdly simple options described above. But the password-cracking tools that attackers often employ, more than a few of which are available online free of charge, are designed to step through combinations of characters, like the spinning symbols on slot-machine reels, until the right result is found. This only reinforces the need for well-thought-out passwords.
In a nutshell, Krebs recommends striking a balance between length and complexity. For example, one could work around the common guideline against using dictionary words in passwords by supplementing the word with an arbitrary stew of characters and numbers. But length is key, as Mark Burnett, author of Perfect Passwords, told Wired. He recommended using between 12 and 15 characters, or perhaps even more.
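The slot-machine model above can be put into numbers. The following Python is an added example, not code from the article or from Krebs or Burnett: it computes the keyspace an exhaustive search must cover for a given length and alphabet, and compares an eight-character password drawn from all four character classes with a fifteen-character lowercase one. The guess rate and the sample passwords are constructed figures, not measurements, and the entropy values assume the characters were chosen uniformly at random, which a real word or phrase is not.

```python
import math
import string

# Character classes a password might draw from. A guessing tool that knows
# which classes are in play enumerates their union; the size of that union
# is the "alphabet" used in the calculations below.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}


def alphabet_size(password: str) -> int:
    """Size of the smallest union of classes that covers every character.
    Characters outside all four classes (accented letters, emoji) are counted
    one each, which is a conservative lower bound."""
    chars = set(password)
    size = 0
    for members in CLASSES.values():
        if chars & members:
            size += len(members)
            chars -= members
    return size + len(chars)


def keyspace(length: int, alphabet: int) -> int:
    """Number of candidates an exhaustive search must cover."""
    return alphabet ** length


def entropy_bits(length: int, alphabet: int) -> float:
    """log2 of the keyspace; meaningful only for uniformly random passwords."""
    return length * math.log2(alphabet)


def seconds_to_exhaust(length: int, alphabet: int, guesses_per_second: float) -> float:
    """Worst-case time for an offline search at the given (constructed) rate."""
    return keyspace(length, alphabet) / guesses_per_second


def compare(candidates, guesses_per_second: float = 1e10):
    """Summarise several candidate shapes side by side. The default rate is a
    constructed stand-in for an offline cracking rig, not a measured figure."""
    rows = []
    for pw in candidates:
        a = alphabet_size(pw)
        rows.append({
            "password": pw,
            "length": len(pw),
            "alphabet": a,
            "bits": round(entropy_bits(len(pw), a), 1),
            "years": seconds_to_exhaust(len(pw), a, guesses_per_second) / 3.15e7,
        })
    return rows


if __name__ == "__main__":
    # Constructed samples: 8 characters from all four classes versus
    # 15 lowercase letters. Length wins despite the smaller alphabet.
    for row in compare(["Tr0ub4d!", "fifteenletterss"]):
        print(row)
```

Fifteen lowercase letters give roughly 70 bits against about 53 for the eight-character mix, which is the point Burnett's 12-to-15-character advice is making; the calculation says nothing about how guessable a particular word is, only how large the space is that a blind search must cover.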
Federal password guidelines
According to the blog of anti-virus software developer Sophos, the National Institute of Standards and Technology, the Commerce Department body tasked with developing cyber security best practices for the federal government, released a number of its own password guidelines in August 2016. They generally follow the rules noted by the experts cited above, but differ in certain instances: eight is the NIST character minimum, not 10 or 12, and while some security professionals might not want spaces, emojis or other Unicode characters in passwords, the agency says they can be used.
NIST’s standards are not legally binding for anyone in the private sector, but they are worth examining. In sum, those looking to bolster their password efficacy would do well to consider advice from all corners when making password protocol decisions.
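As an added example (not code from the article, Sophos or NIST), the following Python checker applies the points gathered on this page: the eight-character minimum, acceptance of spaces and Unicode (length is counted in code points, so an emoji or accented letter counts as one character), and rejection of the choices the experts above warn against, namely trivially guessable words, keyboard patterns and date-like digit runs such as birthdays, plus any caller-supplied context words such as a network or user name. The blocklist, the 64-character upper bound and the NFKC normalisation are assumptions made for this example, not values taken from the page.

```python
import re
import string
import unicodedata

MIN_LEN = 8    # NIST minimum noted in the article
MAX_LEN = 64   # assumed upper bound for this example; the article gives none

# Constructed, deliberately tiny blocklist of trivially guessable choices.
BLOCKLIST = {"password", "letmein", "welcome"}
# Keyboard runs of the kind the article calls out ("QWERTY" and friends).
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "12345678", "1qaz2wsx")
# Date-like digit runs: YYYYMMDD, or DD/MM/YYYY with any common separator.
DATE_LIKE = re.compile(r"(19|20)\d{6}|\d{2}[-/.]\d{2}[-/.](19|20)\d{2}")


def check_password(pw: str, context_words=()) -> list:
    """Return the reasons a password is rejected; an empty list means accepted."""
    # Normalise so visually identical Unicode forms compare equal (assumed policy).
    pw = unicodedata.normalize("NFKC", pw)
    reasons = []

    n = len(pw)  # code points: spaces, emoji and accented letters count as one each
    if n < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if n > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")

    folded = pw.casefold()
    # Strip leading/trailing digits and punctuation so "password1!" still
    # matches the blocklisted word it is built on.
    core = folded.strip(string.digits + string.punctuation)
    if folded in BLOCKLIST or core in BLOCKLIST:
        reasons.append("on the blocklist of common passwords")

    for run in KEYBOARD_RUNS:
        if run in folded:
            reasons.append(f"contains keyboard pattern '{run}'")

    for word in context_words:
        if word and word.casefold() in folded:
            reasons.append(f"contains context word '{word}'")

    if DATE_LIKE.search(pw):
        reasons.append("contains a date-like digit sequence (birthday?)")

    return reasons


if __name__ == "__main__":
    # Constructed samples covering each rule.
    samples = [
        ("password", ()),
        ("qwerty12", ()),
        ("jane19900412", ("jane", "corp-lan")),
        ("☕ café latte", ()),
        ("correct horse battery staple", ()),
    ]
    for pw, ctx in samples:
        print(repr(pw), "->", check_password(pw, ctx) or "accepted")
```

The checker reports every failing rule rather than stopping at the first, which is what a user-facing form needs; the spaces-and-Unicode cases pass untouched, matching the NIST position the article describes.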