In cybersecurity, passwords must serve as the first line of defense for individual users and massive corporate networks alike. It can be easy to underestimate them next to high-level encryption methods like SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security), advanced firewalls, and antivirus software that can eradicate the most intricately built malware and Trojan scams available. But without the initial barrier that passwords provide, recent history has shown that malicious hackers with enough determination and the right coding and exploit-creation experience can find their way into most network infrastructures.
These days, because of how frequently the most essential internet functions require passwords, the average internet user understands they cannot rely on the most rudimentary password options. The days of simple passwords — such as one’s date of birth, hometown, or consecutive numbers and letters like “1-2-3-4” or “A-B-C-D” — are over. But that doesn’t mean such easy codes are being replaced by ones that are genuinely secure.
IT and information security experts have made it clear that thorough guidelines will need to become the norm in modern personal and professional life — not just for those regularly handling sensitive corporate or government information. Such techniques are likely to be included in the curriculum for graduate-level cybersecurity classes, so early familiarity with the practices could be a considerable assist for prospective students.
The do’s and don’ts of password protection
Veteran cybersecurity reporter Brian Krebs, who broke news of the 2013 hack and data breach of Target Corporation on his personal blog Krebs On Security before the mainstream media got wind of the story, noted that avoiding simplicity should be one’s first step in creating a complex password. Particularly poor choices include:
- Birthdays (even partner, child, or relative birthdays as opposed to one’s own)
- Social Security numbers
- Network names
- Passwords based on keyboard patterns (“QWERTY”)
Norton, a leading antivirus and anti-malware software developer, recommends the use of a password manager to store multiple usernames and passwords in a single location. This can help minimize the risk associated with physically writing this information down or re-using the same information with multiple accounts.
This method is predicated upon the use of a singular username/password combination which allows access to all the other login information contained within it. Most reputable password managers use highly secure networks to store and protect sensitive information. However, no network is 100% impenetrable.
Password management firm LastPass fell victim to a successful hacking event in 2015. Fortunately, the breach was detected early and without loss of sensitive data. However, in 2019 the Google Project Zero team discovered a vulnerability within LastPass that could have potentially left the credentials of its 16 million subscribers compromised and exposed to the dark web.
The need for extra protection during a pandemic
According to top cybersecurity and law enforcement agencies, hackers are trying to take advantage of the increased flow of information resulting from COVID-19. As more people work and conduct healthcare visits from home, it’s more important than ever to secure your network with a password that can protect your sensitive information from unwanted interception.
In fact, leading security experts have reported 4,000 daily cybersecurity attacks since the onset of the COVID-19 pandemic. This represents an increase of 400% since the beginning of the pandemic in early 2020 alone. According to PRNewswire, “Microsoft reports that COVID-19 themed attacks, where cybercriminals get access to a system through the use of phishing or social engineering attacks, have jumped to 20,000 to 30,000 a day in the U.S. alone.”
While a strong password may not solve every security problem, it can certainly help to provide a frontline defense and firewall to limit the negative impact of hackers and other malefactors. And it only takes a few simple steps to secure one’s account through two-step verification and other security measures that can help protect your account from dark web infiltrators.
Special characters and positive password principles
Given that successful passwords depend upon complexity, it makes sense that special characters — ampersands, punctuation marks, brackets, and so on — are frequently used in passwords created even by cybersecurity novices. Experts in the field generally encourage this practice, though there are some caveats.
For example, Lorrie Faith Cranor — former chief technologist for the FTC and current director of the Carnegie Mellon Usable Privacy and Security Laboratory — said these shouldn’t be bunched up into one part of a password but rather spread evenly throughout it. Creating a password that uses an actual word as its foundation but replaces some of its letters with special characters — a practice of the diehard gamer community called “leet speak,” or rather “L33t $p3@k” — is an excellent way to meet this goal.
Finding a balance
Krebs, whose work in the cybersecurity field has been groundbreaking, explained that length (number of characters) is a fundamental principle of password creation that can sometimes be forgotten. To be clear, using a diverse selection of letters, numbers, and symbols is still better than going for one of the overly simple password options described above. But the password-cracking tools that hackers often employ — more than a few of which are available online free of charge — are designed to sift through combinations of characters until the right result is found. This only solidifies the necessity of a well-thought-out password.
In short, Krebs recommends striking a balance between length and complexity. For example, one could circumvent the previously mentioned guideline about not using actual words in passwords by supplementing whatever that word is with an arbitrary mix of characters and numbers. But length is key, as Mark Burnett, author of Perfect Passwords, said to Wired. He recommended using between 12 and 15 characters, or perhaps even more.
Federal password guidelines
According to a blog post published in 2020 by password management and authentication developer Specops, the National Institute of Standards and Technology — the Commerce Department section tasked with developing cybersecurity best practices for the federal government — recently updated its password guidelines to “help organizations meet regulatory compliance requirements such as HIPAA and SOX.” They generally follow the rules noted by the experts cited above, but differ in certain instances: Eight is the NIST character minimum, not 10 or 12, and while some security professionals might not want spaces, emojis, or other Unicode characters in passwords, the agency says they can be used.
NIST’s standards are not legally binding for anyone in the private sector, but are worth examining. In summation, those looking to bolster their password efficacy would do well to carefully consider advice from all corners when making password protocol decisions.
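To make the length-versus-complexity argument above concrete, here is an added Python example (not from the article or any source it cites) that estimates the exhaustive-search keyspace of a password from the character classes it contains and applies the NIST eight-character minimum while accepting spaces and Unicode. The guess rate and the alphabet size assumed for non-ASCII characters are constructed placeholders, not measured figures.

```python
import math
import string
import unicodedata

# Constructed guess rate for a rough offline brute-force comparison;
# an assumption for illustration, not a figure from the article.
GUESSES_PER_SECOND = 1e10


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet an attacker would have to
    enumerate to cover every character class present in the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation or c == " " for c in password):
        size += 33  # 32 ASCII punctuation marks plus the space
    # Anything outside printable ASCII (emoji, accented letters) forces a
    # much wider alphabet; 1000 is a constructed placeholder, not a measurement.
    if any(ord(c) > 126 for c in password):
        size += 1000
    return size


def brute_force_bits(password: str) -> float:
    """log2 of the exhaustive keyspace: length * log2(alphabet size).
    Length is counted in code points, so one emoji is one character."""
    n = len(password)
    return n * math.log2(charset_size(password)) if n else 0.0


def seconds_to_exhaust(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every string in the keyspace at the given rate."""
    return 2 ** brute_force_bits(password) / rate


def meets_nist_length(password: str, minimum: int = 8) -> bool:
    """NIST's minimum is 8 characters; spaces and Unicode are allowed, so the
    check only normalizes and counts code points and never rejects a class."""
    return len(unicodedata.normalize("NFC", password)) >= minimum


if __name__ == "__main__":
    # Constructed samples: a short "complex" password versus a long passphrase.
    for pw in ["P@ss1!", "Tr0ub4d&3", "correct horse battery staple"]:
        print(f"{pw!r}: {brute_force_bits(pw):.1f} bits, "
              f"{seconds_to_exhaust(pw):.3g} s, NIST length ok: {meets_nist_length(pw)}")
```

Running it shows the 28-character lowercase-plus-spaces passphrase yielding far more bits than the 9-character mixed-class password, which is the point Krebs and Burnett make about length.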
Forbes, “Google Warns LastPass Users Were Exposed To ‘Last Password’ Credential Leak”
Krebs on Security, “Inside Target Corp., Days After 2013 Breach”
Krebs on Security, “Password Do’s and Don’ts”
PR NewsWire, “Top Cyber Security Experts Report: 4,000 Cyber Attacks a Day Since COVID-19 Pandemic”
SpecOps, “NIST Password Standards”
SOPHOS, “NIST’s new password rules — what you need to know”
Wired, “7 Password Experts on How to Lock Down Your Online Security”