Research & Opinion
All You Need To Know About Password and Authentication Best Practices
A password is simply a method of authentication: a way for an application to validate that a user is who they claim to be. There are three ways to authenticate a user: knowledge based, possession based and inherence, that is, respectively, what you know, what you own and who you are. Knowledge-based authentication can be either static or dynamic. The good old password falls in the first category, knowledge-based authentication of the static kind. By itself, a password is a weak authenticator, and in addition it can easily be stolen by phishing, malware, keyloggers, data breaches, shoulder surfing and the classic brute-force guessing attacks.
It is worth noting that 24 billion stolen usernames and passwords were found on the dark web, as per a report from Digital Shadows Ltd., a threat intelligence company. There are 8 billion people in this world. So the sheer number of compromised credentials, three times the number of people on this earth, should make us think twice about the security of the passwords we use. The more interesting snippet is that when a security firm called Lookout published the top 20 most common passwords, there were no surprises. The most commonly used passwords included runs of 1s (111111 and the like), substrings of 123456789 of various lengths and the word ‘Password’ itself! One data study showed that 123456 was used by (hold your breath) 23 million users! And so, if you thought that the most obvious but trivial password could hide in plain sight, remember that millions of other people thought so too.
Of course, most people have grown up to realize not to do the most obvious. But raise your hand if you use the same password, or variants of it, across applications. I smile in anticipation of the number of hands that go up to that question. Now, raise your hand if you don’t change your password on a regular cadence. And finally, raise your hand if your password is your child’s, spouse’s, family member’s or pet’s name or date of birth. Names of Gods, religious places, etc. are also super common. When my Dad told me what his password was, my response was “OK, we had better change it now. And please don’t tell anyone that your daughter works in fraud.” Here, I hope to share a few practices that will help keep you safer in this world of increasing data breaches and cyberattacks. And I will make sure that my Dad reads it too 😊
The aforementioned report by Digital Shadows also found that 49 of the top 50 most common passwords can be cracked in under one second. But here’s the catch: if you added just one special character to a basic password 10 characters long, the algorithm would take 90 minutes more to crack it, and if you added two special characters instead, it would add 2 days and 4 hours to the cracking time. Long story short, adding length and complexity to a password looks like a linear addition, but each extra character multiplies the number of possible combinations, so the password becomes exponentially harder for algorithms to crack.
Alright, so let’s summarize the key lessons we have learned here, along with some more simple hacks to maintain good password hygiene.
Don’ts:
- Don’t use obvious passwords like password123, number series, or alphabet series or other common strings and popular words. These are very easy for fraudsters to crack.
- Never, and I repeat for emphasis, never ever use names of family members or pets, cell numbers or any other personally identifiable information (PII) in your password. This doubles the risk if your PII has already been compromised.
- Never rotate versions of the same password; these are easier to crack. For example, if you use AirIndia1 for one application, do not use AirIndia2 on another application or, even worse, AirIndia_fb on Facebook. Moreover, do not recycle passwords, such as going back to older ones for the same or a different application.
- Don’t save your passwords in a browser. Some people save their passwords in their browser by clicking the “Remember me” pop-up box. This is especially dangerous if you use a public computer. Moreover, you should only use your personal device for logging into personal accounts. Even so, never save a list of passwords on your device: if your device were stolen or otherwise taken over, it would put all your accounts at risk. You may choose to switch off the “Offer to save passwords” option entirely in Chrome.
- Never share your password, except with people you truly trust, and even then never text it to them or share it digitally. Don’t let anyone socially engineer you into sharing your password, no matter what they say. Even your bank will never ask for it!
- Do not use any recognizable or obvious keyboard patterns such as qwerty or asdfgh or repeating letter sequences.
Do’s:
- Do change your passwords regularly; at least once every 90 days is a good cadence. An easier way to do that is to set a reminder to update them on a regular schedule.
- Always add a special character (a symbol, punctuation mark or number), or even two of them, to your otherwise usual password. Here’s a trick to make it easy to remember: if your current password is mumbaicentral, you can change it to mumb@icentra@l and it becomes exponentially harder to crack.
- Use random or nonsense words rather than dictionary words, even ones mixed with symbols such as ‘B00k$hop’.
- Misspelling words can also be a great way to add complexity: you can still remember the password, yet it flies under the radar, for example RobinHud instead of RobinHood.
- Always use unique passwords across applications, particularly for sensitive banking and payment websites and other websites that hold sensitive PII information about you.
- Make your passwords long, at least 12 to 15 characters, with a combination of upper-case letters, lower-case letters, numbers and symbols. This could be a sentence you can remember easily, for example “I@mG0ingt0sleep”. The longer the string, the better.
- Always turn on multi-factor authentication. It is always a good idea to layer your authentication with another method such as an OTP, so that even if you have been phished for your credentials, the fraudster will likely not also have access to your phone. Multi-factor authentication can also be achieved with authenticator apps such as Microsoft or Google Authenticator, but in my experience most websites and applications in India offer only the OTP option. The good thing is that, unlike OTP, these apps are not linked to your SIM and hence are not vulnerable to SIM swap, SMS forwarding and similar attacks. However, they may have limited use cases relative to OTP today.
- Here is a good one to have up your sleeve: use a password manager, for example LastPass, Dashlane, Apple’s Keychain or Google’s password manager. These can be dedicated password managers like the former or browser based like the latter. It may seem virtually impossible to tick all of the many boxes above, and this is where a password manager is a handy utility. A password manager is like a vault that encrypts all your passwords and stores them on the password manager’s server/cloud, which you can access with a single master password. Many offer functionalities including, but not limited to, generation of long complex passwords, syncing of passwords across unlimited devices and two-factor authentication (2FA), while working across most devices and browsers. Do use a reputed one and keep your app and computer up to date. I use Google’s password manager because I find it convenient and it’s free. But remember, even password managers are known to have been compromised, as in the recent breach of LastPass. However, they maintained that even they themselves do not have access to a customer’s master password.
- Always check whether your passwords are weak or have been compromised. Most people who use Google Chrome can easily do this from Settings: go to the Privacy and Security tab, then in the Passwords sub-menu click the Review button to see the full list of compromised and weak passwords. It is recommended that you change these.
- And last but not least, use the on-screen keyboard while entering passwords, as opposed to the physical keyboard, to bypass potential keyloggers.
- Bonus tip: if you have been a recent victim of online fraud or a break-in, reset all your related passwords (in addition to running the antivirus scans etc. that your bank recommends). This ensures there is no repeat attack on you. For example, if you changed just your banking password but not your email and/or iCloud password, that could leave room for attackers to break right back in via one of the remaining credentials they still hold, the back door they may have exploited in the first place.
In closing, we should always treat our passwords like the keys to our safe. Following the above tips would greatly reduce your exposure to brute-force attacks and credential stuffing, and to some extent to keystroke logging and phishing-based attacks. But hopefully we won’t have to do all this for too long, and somewhere down the road we can live in a truly password-less world. Recent advances, most notably Apple’s launch of their Passkey, will eliminate the need for a password: all you need to do is scan a QR code with your biometrically authenticated Apple device in one easy step. So it does seem we may already be on the road to killing the password. Can’t wait!
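As an added illustration (not part of the original article), here is a small Python checker that applies the Do’s and Don’ts above to a candidate password and estimates the brute-force search space that the earlier "exponentially harder" point describes. The common-password list, the guess rate and the sample passwords are constructed for the example; the keyspace figure is a rough upper bound for a random password, not the output of any real cracking tool.

```python
import math
import re
import string
from dataclasses import dataclass, field
from typing import List, Sequence

# Constructed stand-in for a breach/common-password list (the article cites Lookout's
# top 20; this small set is an assumption for the example, not that list).
COMMON_PASSWORDS = {
    "123456", "123456789", "111111", "12345678", "qwerty",
    "password", "password123", "abc123", "iloveyou", "admin",
}

# Keyboard rows and the alphabet, checked forwards and backwards for runs such as
# qwerty, asdfgh, abcd or 4321 (the article's "recognizable keyboard patterns").
SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", string.ascii_lowercase]

SYMBOLS = set(string.punctuation)


@dataclass
class Report:
    password: str
    keyspace_bits: float
    problems: List[str] = field(default_factory=list)

    @property
    def acceptable(self) -> bool:
        return not self.problems


def _classes(pw: str) -> List[int]:
    """Sizes of the character classes actually present: lower, upper, digit, symbol."""
    present = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in SYMBOLS for c in pw)]
    return [size for used, size in zip(present, (26, 26, 10, len(SYMBOLS))) if used]


def keyspace_bits(pw: str) -> float:
    """log2 of the brute-force search space, charset_size ** length. Each extra
    character multiplies the space, which is the article's 'exponential' point."""
    size = sum(_classes(pw))
    return len(pw) * math.log2(size) if size else 0.0


def crack_seconds(pw: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to exhaust the keyspace at an assumed offline guess rate
    (10 billion/s is a constructed figure; real rates vary enormously)."""
    return 2.0 ** keyspace_bits(pw) / guesses_per_second


def _has_sequence_run(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive keys of a row or the alphabet appear, either direction."""
    low = pw.lower()
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):
            if any(s[i:i + run] in low for i in range(len(s) - run + 1)):
                return True
    return False


def _has_repeat(pw: str, run: int = 3) -> bool:
    """True for `run` or more identical characters in a row, e.g. 'aaa' or '1111'."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def check_password(pw: str, personal_terms: Sequence[str] = (), min_len: int = 12) -> Report:
    """Apply the article's Do's and Don'ts to one candidate. `personal_terms` is the
    user's own PII (names, years, phone numbers) supplied by the caller."""
    r = Report(password=pw, keyspace_bits=keyspace_bits(pw))
    low = pw.lower()
    if low in COMMON_PASSWORDS:
        r.problems.append("appears in common-password list")
    if len(pw) < min_len:
        r.problems.append(f"shorter than {min_len} characters")
    if len(_classes(pw)) < 3:
        r.problems.append("uses fewer than three character classes")
    if _has_sequence_run(pw):
        r.problems.append("contains a keyboard or alphabet run")
    if _has_repeat(pw):
        r.problems.append("contains a repeated-character run")
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in low:
            r.problems.append(f"contains personal term {term!r}")
    return r


if __name__ == "__main__":
    # Constructed candidates, including the article's own mumbaicentral example.
    for cand in ["123456", "mumbaicentral", "mumb@icentra@l", "Quiet-Lamp-7-Harbor!"]:
        rep = check_password(cand, personal_terms=["Mumbai"])
        print(f"{cand:22} {rep.keyspace_bits:6.1f} bits  {rep.problems or 'ok'}")
```

Comparing the keyspace of mumbaicentral with mumb@icentra@l shows the multiplication at work: one extra character and a larger character set raise the search space by roughly twenty bits, a factor of about a million, even though the checker still flags the second one for using only two character classes.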
Disclaimer – The author is not recommending any particular product, and any products mentioned here are for illustrative purposes only.
About The Author: Shweta Patel, CEO, Co-founder, Humint Solutions (Fraud & Scam Prevention Experts)