International banks, healthcare providers, and government agencies that use our MFT solution often ask about password best practices and how to ensure that confidential data remains secure. There are obvious best practices, such as never using personal information, like a pet’s name, and not reusing the same password on multiple sites. But in order to guarantee safety, it’s important to know what characteristics actually make up a good password.
There are three main characteristics that improve the security of your passwords:
- Using all available characters
Password Characters and Length
A password that uses all possible characters allowed is imperative to password security. A simple calculation can help you to understand this: assume you have a password that only uses lower case characters and has 8 total characters. The total number of possible passwords is 26 ^8, which is 208,827,064,576 (over 2 billion).
Many password cracking tools exist that can perform upwards of 300,000 password checks per second (Hashcat, for example). It would take about 8 days to try all possible combinations of this 8-character password.
Now, use all of the possible characters: upper and lower-case letters, symbols, and numbers. This gives you a total of 72 possible characters (or 72⁸), which equals over 700 trillion combinations. It would take 80 or more years for a cracking tool to try all the potential combinations. And this total rises as the number of characters that you use rises. A longer password composed of a combination of all allowed characters is the hardest to crack.
Another important factor is randomness. You should, of course, never use a password with personal information that is easy for anyone to find, such as a child’s name or a birthday. But a password that uses a simple “dictionary” word with numbers after it (for example, something like puppy99), can easily be cracked.
The Oxford Dictionary has 273,000 words. A tool can go through these words one-by-one and add numerical combinations to the beginning or end of them, and eventually, your password will be figured out. A password made up of a random combination of upper-and-lower case letters, numbers, and special characters, such as Pz27Qx9WQlm!, is nearly uncrackable.
Staying Proactive About Password Security
There is no guarantee that your network will never be breached, but there are ways to ensure that everyone has the most secure system possible, even if you manage a large number of employees/users.
One way to do this is to set up strict password policies for all employees to ensure that they are not doing things inadvertently that put your company at risk. For example, the administrator should enforce policies on password length and what type of characters must be used. Requiring a password to include both upper- and lower-case letters, at least 1 number, and at least 1 special character will add exponentially to the number of possibilities for what the password can be. And a minimum length of 8 characters also makes the password more difficult to crack.
User access is often the greatest point of vulnerability. In addition to strong passwords, it’s important to create policies and educate users that are outside of your network. Users may resort to writing passwords down, storing them in a document on a computer, or reusing the same password in multiple locations. They do this as a means of convenience — not out of malice. It is important to educate your users on the necessity of the policies, and the risks of writing down or re-using passwords. If users understand the reasons behind policies, and the risks of ignoring them, they may be more likely to take the extra steps needed.