Passwords – How to Make Sure They Are Secure

ClickAway Tech Blog

Introduction:

Everybody who signs into websites or uses secure applications has passwords – probably a bunch of them. How secure are your passwords? Are you sure? This post may shake your confidence, but it will also guide you on how to create and use secure passwords.

How Easy Is It to Crack Passwords:

Properly built websites and applications do not save your password as plain text; they save a cryptographic hash of it (ideally salted and deliberately slow to compute). If an attacker steals that hash, "cracking" it means guessing candidate passwords, hashing each guess, and comparing the result. Passwords like "password", a pet's name, or a common word can be cracked almost instantly using wordlists of common passwords together with "mangling" rules that capitalize a word, append digits or a year, or swap in symbols.
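The following is an added example, not code from the original post, showing how such a dictionary attack works against unsalted SHA-256 hashes. The user names, passwords, word list, and mangling rules are all constructed for the demonstration; a real attacker's list has millions of entries and many more rules. The final function shows, for contrast, what a slow salted hash (PBKDF2) costs per guess.

```python
import hashlib
import os

# Constructed sample: SHA-256 hashes of a few made-up users' passwords, the way a
# site that stores plain unsalted, fast hashes would keep them. Not real data.
SAMPLE_HASHES = {
    "alice": hashlib.sha256(b"password").hexdigest(),
    "bob": hashlib.sha256(b"Fluffy2019!").hexdigest(),
    "carol": hashlib.sha256(b"Dragon1").hexdigest(),
    "dave": hashlib.sha256(b"q7#Vx2pLm9!wRt4Z").hexdigest(),  # 16 random characters
}

# A tiny "dictionary" of common password components (assumed; a real one is huge).
BASE_WORDS = ["password", "fluffy", "dragon", "letmein", "welcome"]
SUFFIXES = ["", "1", "123", "!", "2019", "2019!", "2023"]


def candidates():
    """Yield guesses: every base word in three capitalizations, each with common suffixes."""
    for word in BASE_WORDS:
        for form in (word, word.capitalize(), word.upper()):
            for suffix in SUFFIXES:
                yield form + suffix


def crack(hashes, guesses=None):
    """Hash each guess once and look it up against every stolen hash at the same time.

    Returns {user: recovered_password} for every hash a guess matched.
    """
    if guesses is None:
        guesses = candidates()
    by_hash = {h: user for user, h in hashes.items()}
    found = {}
    for guess in guesses:
        digest = hashlib.sha256(guess.encode()).hexdigest()
        if digest in by_hash:
            found[by_hash[digest]] = guess
    return found


def slow_hash(password, salt=None, iterations=600_000):
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256).

    Each guess now costs `iterations` SHA-256 computations instead of one, and the
    per-user salt means an attacker cannot test one guess against all users at once.
    """
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


if __name__ == "__main__":
    recovered = crack(SAMPLE_HASHES)
    print(f"{len(list(candidates()))} guesses recovered {len(recovered)} of {len(SAMPLE_HASHES)} passwords")
    for user, pw in recovered.items():
        print(f"  {user}: {pw}")
    print("not recovered:", sorted(set(SAMPLE_HASHES) - set(recovered)))
```

With only 105 guesses, three of the four passwords fall; the 16-character random one does not appear in any wordlist and has to be brute-forced character by character, which is what the table below is about.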

The table below gives a rough idea of how long it would take to crack a password by brute force (courtesy of https://www.hivesystems.io/password). It is based on the time to crack a password hash with a desktop computer fitted with a top-of-the-line graphics card, and the time using rented cloud computing resources. Treat these as optimistic estimates: a determined attacker has far more hardware than one desktop, and a site that stores fast, unsalted hashes is cracked faster still.

[Table: 2023 Password Table, times to crack passwords (Hive Systems)]

Bottom Line: your current passwords probably are not strong enough.

Password Security:

Three attributes are critical to creating truly secure passwords:

  • Length
  • Randomness
  • Uniqueness

Typically, websites and applications will not accept a password shorter than eight characters. Beyond that, each additional character multiplies the number of possible passwords by the size of the character set, so the difficulty of guessing or cracking grows exponentially with length. Most websites and applications accept passwords of up to 64 characters, and many accept longer ones.

Truly random sequences of digits, upper-case letters, lower-case letters, and symbols are much harder to guess or crack than passwords composed of dictionary words, or of names, dates, and numbers that are easily discovered to be associated with you (pets, birthdays, sports teams). Humans are not good at creating truly random sequences, so that job is better done by a tool designed and tested for the purpose.

If the same password is used for multiple websites and applications, then once attackers obtain it from one breach they can try it against every other service automatically, an attack known as credential stuffing. One weak site then compromises every account that shares the password.
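To put numbers on the length and randomness requirements, here is an added example (not from the original post) of the kind of generator a password manager uses, together with the entropy of the result and a brute-force time estimate. The guess rate of ten billion hashes per second is an assumed figure for the arithmetic, not a measurement; the character set is the printable ASCII set.

```python
import math
import secrets
import string

# Character classes a generator draws from: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits + string.punctuation


def generate_password(length=16, alphabet=ALPHABET):
    """Pick every character independently from the OS CSPRNG.

    `secrets` is the right module here; `random` is seeded predictably and is
    not suitable for anything security-related.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected brute-force time: on average half the keyspace must be searched."""
    return (2.0 ** bits) / 2 / guesses_per_second


def human_time(seconds):
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    GUESSES_PER_SECOND = 1e10  # assumed attacker capability for illustration

    # Three different accounts get three different passwords: uniqueness for free.
    for site in ("bank", "email", "shopping"):
        print(f"{site:9s} {generate_password(16)}")

    print()
    for label, length, alphabet_size in (
        ("8 lower-case letters", 8, 26),
        ("8 chars, full set", 8, len(ALPHABET)),
        ("12 chars, full set", 12, len(ALPHABET)),
        ("16 chars, full set", 16, len(ALPHABET)),
    ):
        bits = entropy_bits(length, alphabet_size)
        t = expected_crack_seconds(bits, GUESSES_PER_SECOND)
        print(f"{label:22s} {bits:6.1f} bits  ~{human_time(t)}")
```

Eight lower-case letters are about 38 bits and fall in seconds at that guess rate; sixteen characters from the full set are about 105 bits and take longer than the age of the universe. The estimate only holds for passwords that are actually uniform over the character set, which is why the generator, not a human, should pick them.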

Human Limitations:

Human short-term memory capability is limited. The most relevant measure when thinking about passwords is span: the number of sequential chunks of information we can hold in short-term memory. Span varies with the type of information to be remembered and is around seven for digits, around six for letters, and around five for words. As a side note, this is often given as the reason local phone numbers are seven digits long. Long-term memories are created by transferring information from short-term memory, but only important, frequently used, and/or highly associated information makes that transfer, so very little of what passes through short-term memory is retained. Since passwords are arbitrary sequences of digits, letters, and symbols with no associations to hang them on, our ability to remember them is quite limited.

Worse yet, we need passwords for many websites and applications, but the uniqueness requirement says each one should be different. Humans are not good at remembering a large number of such associations.

Dilemma:

Cybersecurity calls for long, random, and unique passwords. We see advice all the time telling us not to write passwords down. However, humans do better remembering a small number of short sequences that make sense (not random) – especially if they are written down. How can we resolve this direct conflict?

Password Managers:

Password managers are software applications that store, fill in, create, and manage passwords for users' websites, online accounts, and applications. A password manager can create long, truly random, and unique passwords for you and then store them in an encrypted vault that is unlocked only with your master password. After the password manager creates a password, you will need to go to the website, account, or application and change the password to the one created by the manager. You do not need to remember those passwords. Whenever a password is required, the password manager can fill it in for you. You only need to remember one secure master password to access the manager, so make that one a long passphrase, and turn on two-factor authentication for the manager itself if it offers it.

There are a number of available password managers with various pros and cons. Some even have good free versions. ClickAway would be happy to discuss your particular password situation and recommend and install an appropriate tool.

Write Down Usernames and Passwords:

The common advice about not writing down credentials is more likely to prevent you from accessing your own information than to prevent some bad guy from accessing it. We help customers recover forgotten or lost passwords all the time. Recording your credentials on paper (not in a computer file) and storing it in a safe location ensures that you never have to experience that problem. With a password manager, you will probably only need to write down one set of credentials: the master password, plus any recovery codes the manager gives you.

If you decide not to use a password manager, keep a written list of credentials (both usernames and passwords) for every website, account, and application you use; keep it up to date; and store it in a safe place.

Conclusion:

Weak passwords can give bad guys access to your valuable data and accounts. Forgetting your password can deny you access to your valuable data and accounts. Why take those chances? ClickAway recommends that you install and use a password manager and that you have it create random passwords that are at least 16 characters long. Make sure the master password is itself secure. Write down your important website, account, and application credentials on paper, not a computer file, and store the document somewhere safe.