Love them, hate them or even just remembering them, passwords have become a badge of the modern tech age and digital ways of working. The average person has over 30 logins that require a password. Remembering them is a fun mental exercise that we all perform daily. I particularly enjoy counting on my fingers when a system asks me for letters 1, 3 and 6 of my password. (P……….S……..r.)
Recent research showed the following:
- There is a 50% chance that a password has at least one vowel
- Numbers that are used in passwords are usually the numbers ‘1’ or ‘2’ and are placed at the end of the password
- Capital letters are usually at the beginning and are followed by a vowel
- Women often use personal names for passwords
- Men often use their hobbies for passwords
- Most common symbols used are —~@#$%&?
How does your password fit that profile? The password I use for all my logins is PASSword123! Don’t worry, I change it up every three years or so and I have only shared it with a few people who I consider trustworthy friends (of friends).
The number of accounts that we all use requiring a password varies but there are many more than the users realise. The danger with this growing proliferation of passwords is that users forget just what they are protecting with these simple sequences of letters, figures and symbols.
This weariness with passwords is leading to significant issues. Password fatigue is where users will simply (if not directed by the organisation) be happy to run along with the same formula for as long as they can.
The issue is that passwords need to be as strong as possible to be as effective as possible. They should at minimum use an uncommon word but more likely a sequence of letters which don’t even resemble a word. And how do you then remember all of them? How about we write them in a notebook along with our usernames in case we forget those as well (best write them on separate pages to be on the safe side).
We recommend you meet the following criteria:
- Change them every 60 days
- Make passwords at least 8 characters long
- Use both upper and lower case characters
- Contain a combination of alphanumeric characters and symbols
- Make them unique (only used for this particular profile/website)
- Store using a reversible encryption
A business should not simply rely on it’s users to operate in their own good sense. How many systems do you use in your workplace? When was the last time the system enforced a password change? Do you operate single sign on?
Administrators of the system should devise, implement and enforce a policy which identify the password requirements to each user who is connected to the network. These policies should set a maximum duration but also seek to devise a system which will log previous passwords so that the more casual user simply reverts back and forward between two safe passwords. Many administrators forget to ensure a system with penalties for example “three strikes and you are out rule”. Nothing focuses the mind of a user having to contact admin, wait for a response and then go through a process which could have been undertaken in seconds.
There are software solutions which can keep track of multiple passwords and increasingly there is the use of security questions to validate access to already frozen screens.
An increasing number of companies are making available password generators which will create a much stronger password for a user than the user is likely to think of. Chrome for example will auto generate a strong password that you will never have to remember, tell anyone about, or write down in a book.
Microsoft and Google have both proposed password-less solutions and are working on solutions that involve authentication options such as biometrics and tokens rather than conventional passwords.
Until that day comes, please take a moment to go through your passwords and change them up.
How about PASSword123! It works for me.