To prove my identity, there are three ways: something I am, something I know and something I have
Multi-factor authentication helps secure accounts, adding an element of authentication with what I have (my phone in general) or what I am (fingerprint or face). However, the password remains the basis of authentication, it is the secret that only I know. This is why it is important to secure passwords.
Ineffective password policy
Multi-factor authentication provides additional security, but does not replace the password. Good security is a combination of who I am, what I have and what I know. But who has never forgotten a password? Back from holidays or on a website less used, our memory sometimes fails.
I tell them that today, I have to remember the username and password for more than fifty accounts. From my electricity provider, to all the e-commerce and social media sites, including taxes and my children’s school, without forgetting my employer, everyone requires a username and password.
Of course, they all have different constraints: minimum (or maximum) number of characters, types of characters allowed or forbidden. In the end, everyone uses the same passwords. We have the same substitution and incrementation techniques when the password policy imposes it. @ for a, ! or 2021 added at the end.
Hence, the most common passwords are 123456 and 123456789. By constraining users, password policies produce the opposite effect.
How to create different passwords on each site
It is easier to use the same password everywhere, with a slight change if it doesn’t fit in the password policy. Unfortunately, if one of the sites is hacked, your digital identity (username and password) will be compromised, and it will be tested on a large number of other sites, automatically, to access your data, or request information. money to your friends.
The easiest technique is to use the name or part of the name of the site in your “standard” password.
Hence the passwords 12345Facebook and 12345Amazon are a little above the simple 123456789, although they are still not the most secure.
The most secure passwords
Until quantum computers are with us, the computing power of computers will remain limited. The longest passwords are the most secure, even if they are not complex.
In theory, the more varied the type of characters, the longer the decryption time. But all too often, the same symbols are used, or worse, the same password on different platforms.
Multi-factor authentication, also known as modern or strong authentication, is the best solution, but it is often not an option due its complexity for many websites.
In this case, a password of 15 characters, even if it is only lowercase, is more secure as a password including a combination of 10 characters, digits and symbols. And it will be much easier to remember « Iamthestrongest » than « !am+$tr0ng ». It will take 5 years to decipher the second one and more than a thousand the first one.
To learn more about passwords and our ability to remember them, I invite you to watch this TED Talk.
What is the best password policy?
The best policy is one that makes life easier for users. By reducing password forgetting, it avoids time wasted in reset and annoyance of users.
This policy is as follows:
- No complexity rule
- 14 characters minimum
- Use blacklists
- No expiration
As we saw earlier, complexity stifles user creativity, standardizes passwords and makes them easier to guess. From 14 characters, storing the password (hash) does not require the addition of null characters,so it is much more secure. However, to avoid too simple passwords, it will be good to ban 12345, azerty and some others.
Finally, the NIST SP 800-63B Digital Identity Guidelines recommends changing passwords only if there is evidence of compromise. That is, passwords should only be changed if they have been stolen. And believe me, not having to change your password every 3 or 6 months is a real relief.
Choose a simple and secure password
You know have to think passphrase. Much easier to remember and change according to the site you use, the passphrase can also be therapeutic. In the office, you have to type your password at least 3 or 4 times per day. Use it to motivate yourself: “Iamgoingforaruntonight” or to celebrate your efforts: “Iambetteratrunning”.
You can use a sentence or combine inspiring words: “Lifeisbeautifultoday” “eatsinglaughdanse“. Finally, to diversify password it is easy with “IfindeverythingonAmazon” or “IfindeverythingonFacebook”
Given the number of sites that have had their databases hacked, it is highly likely that one of your passwords is known. Then it’s time to change and move on to pass phrases! You can also share this article with your IT department to encourage them to think about and update their password policy. By making your life easier, it is your efficiency and job satisfaction that increases!