The problem with passwords is that we need so many of them, potentially one for every resource previously mentioned. To simplify our lives we reuse them, and unfortunately we reuse them everywhere. That means that if your password is compromised in one place, attackers can try it at every other site where you have used it (this is exactly what credential-stuffing attacks automate). It brings us full circle back to the malicious intent discussed earlier: a single leak of a reused password is enough to expose every account that shares it.
Basic rules everyone should follow
To combat this problem, we need to establish some rules of engagement for passwords and ensure their strength is sufficient. First, here are some basic rules everyone should follow:
- Never re-use the same password between work and home
- Never re-use the same password for financial institutions and social media
- Never re-use the same password for an administrator account at work as your standard logon
- Never tell anyone your password. If you must share it, change it as soon as the other person is done using it.
- Change your passwords frequently, and immediately if you suspect one has been exposed. (Note that current guidance such as NIST SP 800-63B favours changing passwords on evidence of compromise over forced periodic rotation, which tends to produce weak, predictable variations of the old password.)
Attackers typically recover passwords in one of three ways:
- Brute force – trying combinations of characters (numbers, letters, and symbols) over and over until one matches. This is why length and the range of character types matter: the number of combinations is the alphabet size raised to the power of the length, so every extra character multiplies the attacker's work, and length adds far more than an extra symbol class does.
- Dictionaries – trying words from a dictionary, commonly used passwords such as “Passw0rd” (including the usual letter-for-digit substitutions), or the default passwords manufacturers ship, such as “Cisco”.
- Social engineering – guessing a password from known attributes of the target, including their birthday, anniversary, or even a child's name.
To resist these attacks, a password should meet the following criteria:
- Length – preferably more than 12 characters, since length is the dominant factor against brute force
- Complexity – must contain letters (upper and lower case), numbers, and symbols, with a minimum number of each
- No runs of repeated characters
- No human-readable words, names, dates, or other recognizable context
- Not a password you have used before
- No keyboard sequences such as ‘qwerty’ or ‘zxcvb’
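The attack methods and the strength criteria above translate directly into a checker. The following is an added example, not code from the original page: it scores the brute-force search space as alphabet size to the power of length, and rejects passwords that break the listed rules (too short, missing a character class, repeated runs, dictionary words including common leetspeak substitutions, keyboard sequences, or reuse). The wordlist, the thresholds and the leetspeak mapping are constructed for illustration; a real deployment would load a breached-password list instead.

```python
import math
import re
import string

# Constructed, deliberately tiny wordlist standing in for a real dictionary or
# breached-password list (assumption: a production checker loads a large one).
COMMON_WORDS = {
    "password", "passw0rd", "cisco", "admin", "welcome",
    "letmein", "qwerty", "summer", "winter",
}

# Keyboard rows used to detect sequences such as 'qwerty' or 'zxcvb'.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

MIN_LENGTH = 12        # illustrative thresholds, chosen to match the rules above
MIN_PER_CLASS = 1
SEQUENCE_LEN = 4       # shortest keyboard run treated as a sequence


def keyspace_bits(password: str) -> float:
    """Bits of search space a brute-force attacker faces: length * log2(alphabet),
    where the alphabet is the union of character classes present in the password."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)  # 32 printable ASCII symbols
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def has_keyboard_sequence(password: str) -> bool:
    """True if the password contains a run of SEQUENCE_LEN adjacent keys (either direction)."""
    p = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - SEQUENCE_LEN + 1):
            run = row[i:i + SEQUENCE_LEN]
            if run in p or run[::-1] in p:
                return True
    return False


def has_repeated_run(password: str) -> bool:
    """True if any character appears three or more times in a row."""
    return re.search(r"(.)\1\1", password) is not None


def contains_common_word(password: str, wordlist=COMMON_WORDS) -> bool:
    """True if the password contains a wordlist entry, before or after undoing
    the common leetspeak substitutions (0->o, 1->l, 3->e, 4->a, $->s, @->a, !->i)."""
    p = password.lower()
    deleet = p.translate(str.maketrans("0134$@!", "oleasai"))
    return any(w in p or w in deleet for w in wordlist)


def check_password(password: str, previous=frozenset()) -> list:
    """Return the list of rules the password violates; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "lower": sum(c.islower() for c in password),
        "upper": sum(c.isupper() for c in password),
        "digit": sum(c.isdigit() for c in password),
        "symbol": sum(c in string.punctuation for c in password),
    }
    for name, count in classes.items():
        if count < MIN_PER_CLASS:
            problems.append(f"needs at least {MIN_PER_CLASS} {name} character(s)")
    if has_repeated_run(password):
        problems.append("contains a run of repeated characters")
    if contains_common_word(password):
        problems.append("contains a dictionary word or common password")
    if has_keyboard_sequence(password):
        problems.append("contains a keyboard sequence")
    if password in previous:
        problems.append("reused from a previous password")
    return problems


if __name__ == "__main__":
    # Length beats complexity against brute force: 25 lowercase letters out-scores
    # 8 characters drawn from all four classes.
    for pw in ["Passw0rd", "Tr0ub4dor&3", "correcthorsebatterystaple", "Vx9#qLm2$Rtp!"]:
        print(f"{pw!r}: {keyspace_bits(pw):.1f} bits, problems={check_password(pw)}")
```

Note that `keyspace_bits` measures only resistance to brute force; a long password built from dictionary words scores well there yet falls to a wordlist attack, which is why `check_password` applies the dictionary and sequence rules separately rather than folding everything into one score.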