
Surviving the Internet – Three password tips

Passwords are part of our everyday lives whether we like it or not. With them come the constant concerns of choosing them, remembering them, associating them with websites and applications, and, last but not least, protecting them. With our increased reliance on the internet and on devices for everyday activities, passwords hold the key to our lives – protecting intimate personal details and private communications, confidential job-related information, our social habits and our finances. In the online world, passwords protect who we are. That is why passwords matter, and why real care needs to go into keeping them safe.

Decision #1: Strong, or easy to remember?

In theory, any password can be cracked, given enough time and processing power. The frightening fact is that the overwhelming majority are crackable in under 6 hours using a standard PC (according to a study conducted by Meldium). Thus, most applications and websites enforce password complexity policies to protect their users. However, the longer and more complicated a password is, the harder it is to remember. Forgetting passwords is frustrating, and password recovery is a cumbersome process if it has to be carried out often. This brings us to the first important decision to make when choosing a password: how long and complex should it be? We looked at studies conducted by teams of psychologists and engineers to find out:

TIP #1:

Mnemonic-based passwords of 7-8 characters represent a good trade-off between security and memorability.

(J. Yan, A. Blackwell, R. Anderson, A. Grant, “Password Memorability and Security: Empirical Results”)

How to choose secure mnemonic-based passwords:

“Think of a memorable sentence or phrase containing at least seven or eight words. Select a letter, number, or special character to represent each word in your password. A common method is to use the first letter of every word. Ideally, the password should contain a mixture of lower case and upper case letters, numbers, punctuation, and special characters (such as ^ or %).”

(C. Kuo, S. Romanosky, L.F. Cranor, “Human Selection of Mnemonic Phrase-based Passwords”)

Phrase | Password | Inspiration
--- | --- | ---
Four score and seven years ago, our Fathers | 4s&7yaoF | Quotation – Gettysburg Address
I love to ski at Seven Springs! | Ilts@7S | Personal hobby
Alas, poor Yorick! I knew him, Horatio | A,pY!Ikh,H | Literature – “Hamlet” by Shakespeare

Decision #2: Should passwords be reused, and how much?

Pretty much everywhere we go online, we need to register: personal email, hobbies and social networks all require an account. Add to that work-related credentials for email, login and communications, and we arrive at a large number of accounts to manage and secure. The more accounts we have to assign a password to, the more tempted we are to reuse passwords. A striking 65% of people use the same password everywhere (according to a study conducted by Meldium).

TIP #2:

Do not reuse passwords!

Ways to avoid password reuse:

  1. Use password managers (with the risk of losing it all, if the master password is compromised)
  2. Choose a repeatable pattern for your password, such as choosing a sentence that incorporates something unique about the website or account, and then using the first letter of each word as your password. For example the sentence: “This is my August password for the Center for Internet Security website.” would become “TimAp4tCfISw.” (Center for Internet Security, “CYBER SECURITY TIPS NEWSLETTER”, August 2015, volume 10, Issue 8)
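As an added example (not code from the original post or from the cited papers), the Python below reproduces the first-letter mnemonic method from the table in tip #1, checks a candidate against the 7-8 character and character-mix guidance, and scans a constructed set of account passwords for the exact and near reuse that tip #2 warns against. The word substitutions (four to 4, seven to 7, and to &, at to @) are assumed from the table's rows, and the 0.8 similarity threshold is an assumed value.

```python
import difflib
import string

# Per-word substitutions inferred from the article's table; they are the
# password holder's own choice, not a rule from the cited papers (assumed here).
SUBSTITUTIONS = {"four": "4", "seven": "7", "and": "&", "at": "@"}


def mnemonic_password(phrase, keep_punctuation=False):
    """One character per word: the listed substitution, else the word's first letter
    (case kept); keep_punctuation carries trailing ',' '!' along, as the Hamlet row does."""
    out = []
    for token in phrase.split():
        core = token.rstrip(string.punctuation)
        if not core:
            continue
        out.append(SUBSTITUTIONS.get(core.lower(), core[0]))
        if keep_punctuation:
            out.append(token[len(core):])
    return "".join(out)


def character_classes(password):
    """Which of the classes Kuo et al. recommend mixing are present."""
    kinds = {"lower": str.islower, "upper": str.isupper, "digit": str.isdigit}
    classes = set()
    for ch in password:
        classes.add(next((k for k, f in kinds.items() if f(ch)), "symbol"))
    return classes


def meets_guidance(password):
    """7-8+ characters (Yan et al.) and all four character classes (Kuo et al.)."""
    return len(password) >= 7 and len(character_classes(password)) == 4


def find_reuse(vault, similarity=0.8):
    """vault is {account: password}; returns (account_a, account_b, kind) for every pair
    whose passwords are identical or similar, i.e. all the accounts to re-key after a leak."""
    accounts = sorted(vault)
    hits = []
    for i, a in enumerate(accounts):
        for b in accounts[i + 1:]:
            pa, pb = vault[a], vault[b]
            if pa == pb:
                hits.append((a, b, "identical"))
            elif difflib.SequenceMatcher(None, pa, pb).ratio() >= similarity:
                hits.append((a, b, "similar"))
    return hits
```

The three table rows reproduce exactly with these substitutions, which also shows that the password derived from a phrase depends on the per-word choices the holder makes rather than on the phrase alone.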


Decision #3: How often should passwords be changed?

The common belief is that passwords should be changed at fixed intervals in order to limit their exposure to attackers. Hence, most websites, applications and systems have a policy on password lifetime and enforce various intervals at which passwords must be changed. However, recent research argues the opposite: when forced by a password expiration policy, people choose passwords less carefully and are more prone to write them down.

TIP #3:

“Organizations should weigh the costs and benefits of mandatory password expiration and consider making other changes to their password policies rather than forcing all users to keep changing their passwords.”

When to change passwords:

“If you have reason to believe your password has been stolen, you should change it, and make sure you change it on all of your accounts where you use the same or a similar password. If you shared your password with a friend, change it. If you saw someone looking over your shoulder as you were typing your password, change it. If you think you might have just given your password to a phishing website, change it. If your current password is weak, change it. If it will make you feel better or if you just feel like it’s time for a change, then by all means go ahead and change your password.”

(Lorrie Cranor, “Time to rethink mandatory password changes”, FTC Blog – summarizing the findings of various empirical studies)



Conclusion

As humans, we are bound to fail at some point when choosing passwords, in spite of good advice and evolving tools designed to help us. Password managers and two-factor authentication reduce this risk but are not fail-proof either. Some researchers argue that the way forward is to give up passwords entirely. Read more about this approach and a comprehensive study of current authentication methods here.


References:

“Human Selection of Mnemonic Phrase-based Passwords”;

“Password Memorability and Security: Empirical Results”;

“Cyber Security Tips Newsletter, August 2015, Volume 10, Issue 8”;

“Time to rethink mandatory password changes”;

“The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes”.

This post was last modified on August 21, 2023 7:27 am

Calin Ghibu

Technical background: over 15 years experience in testing, developing, researching and managing network security solutions. Currently focusing on information security and IT management. Specialties: Network audit, information security, web security, endpoint security, perimeter security SIEM, legal compliance, competitive intelligence.
