What makes a good password?

So if I was to ask you, how do you make a good password, how would you respond?

Would you say it is a password that is unique and used only once? Is it a password that has 36 characters? Is it a password that has a mix of numbers and symbols? Is it a password that is completely random?

In short, the answer is none of the above. There is no such thing as a good password.

Over the next few minutes, I will explain what I mean. In this article, I will be explaining for the most part why passwords need to disappear from the corporate world, however, for regular readers with a keen interest in this subject matter, there is a guide at the end to help you make better password decisions in your personal life.

Where did the password come from?

Passwords have always been with us.

For thousands of years, records, accounts and documents show that passwords (or, more aptly, passphrases) have been in use, from Roman checkpoints to ancient societies and medieval guilds.

Fast forward to modern times, and the password has become a part of our daily lives. We use passwords every single day.

A name you probably do not come across often is that of Fernando Corbató.

Fernando Corbató.

Fernando, who sadly passed away in 2019, is credited as being the modern father of the password.

Whilst working as a researcher at MIT in the 1960s, he found that the Compatible Time-Sharing System (CTSS), which all researchers had access to, shared a common mainframe as well as a single disk file. To keep individual files private, and to ensure users had access only to their own files, the concept of the password was developed.

Due to its simplicity, accessibility and short learning curve, passwords became the norm for IT security. Unfortunately, the simplicity of the password would be its downfall.

We move to today, and we use passwords for everything in our personal and work lives: operating systems, phones, tablets, Wi-Fi routers, SaaS (Software-as-a-Service) apps, social media, banking, e-mail, databases, websites, ATMs, door PINs and even gaming consoles.

They are everywhere, and it is not just the passwords we tap into our screens for the above services, it is passwords we give over the phone.

I personally have to give a verbal password to my mobile carrier if I speak to them over the phone (which is different to the password I use to log into the online portal). I have to give a verbal password to my bank (again different to the online password), and even have a verbal password for the water company.

It is easy to get bogged down in the sheer number of passwords we have to manage.

The State of Passwords

Before we progress any further, if you have any of these as your password, please, please, please change it now!

  • 123456
  • 123456789
  • qwerty
  • qwertyuiop
  • password
  • password1
  • 1password
  • 111111

It is crazy to think that, as we enter the roaring 20s, these are still the most common passwords in play today.

It is crazy to think that passwords featuring pet names, loved ones' names, birthdays and even the model of our cars are still used, and used liberally.

But it is also easy to understand why. As I mentioned before, passwords are everywhere, and especially in our cyber lives, we need passwords for everything.

I asked around 15 friends and family members how many things they need passwords for, and the usual answer after some consideration was around 20-30.

I recently did a personal audit of all the online and cyber services (personal only, none work-based) I use passwords for and the count was over 300 passwords!

Over 300 personal passwords in play.

And I am sure I still missed many.

This number will not be too different for you either. Adobe, AirBnB, Aldi, Amazon, America Test Kitchen, Anglia Revenue, Anglian Water, AO, Apcoa, AppleID, Argos, Asda, Asos, AXA, BBC, Beer52, Bet365, Bethesda, Boots, Brickset, Brightpay, BSL, CD Keys, Certas Energy, Clear Score, CoffeeSupplies Direct, Compare the Market, Craft Gin Club, Currys PC World and Crowdcube are just a select few of the services I picked out that start with A, B or C.

What does this show you except that I like gaming, beer, gin, Lego, coffee and the occasional wager on the footie? There are literally hundreds of apps, websites and services we use passwords for that we do not think about.

There are way too many passwords in our lives to manage.

This causes 3 major problems:

  1. Passwords are re-used, repeated and shared across multiple different platforms
  2. Passwords are very simple and easy to guess
  3. People put too much trust in their passwords and do not follow good hygiene rules (changing passwords to critical services regularly for example)

How passwords make you vulnerable

So, we have learnt that we use hundreds of online and offline services that require a password. We know it is hard to manage hundreds of passwords, and that this has led to some major problems.

But you may be sitting there thinking, "how are those problems?".

The most common is a data breach. There is a strong chance that at least one or two of the online services you use usernames and passwords for have been breached, and your data stolen.

If you want to check for yourself, go to haveibeenpwned and enter your email. It will search all known data breaches and tell you which breaches your data has been involved in.

Personally, my data has been involved in breaches from My Fitness Pal/Under Armour, Jefit, Facebook, Zynga (the makers behind Words with Friends, Zynga Poker and Farmville), Neopets (I have had my email for a very long time... stop judging), and Promo.

Now, when there is a big data breach like the ones above, passwords are commonly stolen and put on the dark web. Would-be hackers and bad actors then take these passwords (and associated email/user names) and start trying to get into services like Hotmail, Google/Gmail, Facebook and others, as the chances are, you are using the same passwords across all of these services.
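One defensive use of this breach data is to refuse a password that has already been seen in a known breach, without ever sending the password itself to anyone. The haveibeenpwned Pwned Passwords service does this with a k-anonymity scheme: the client sends only the first five hex characters of the password's SHA-1 hash and compares the returned suffixes locally. The code below is an added example, not part of the article; the range response it uses is a constructed sample (only the SHA-1 suffix of "password" is genuine), and the network call is replaced by an offline stand-in.

```python
import hashlib

# Constructed stand-in for a Pwned Passwords "range" response. The real service
# (https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>) returns
# "SUFFIX:COUNT" lines; every line here is made up except the genuine SHA-1
# suffix of "password", whose count is also a constructed sample value.
SAMPLE_RANGE_5BAA6 = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:2\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
    "3D4F2BF07DC1BE38B20CD6E46949A1071F9:5\n"
)


def split_hash(password):
    """SHA-1 the password and split it into the 5-char prefix that is sent to
    the service and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Turn 'SUFFIX:COUNT' lines into a {suffix: count} dict."""
    counts = {}
    for line in body.splitlines():
        if ":" in line:
            suffix, count = line.strip().split(":", 1)
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """How many times the password appears in the breach corpus (0 = not seen).

    fetch_range(prefix) is any callable returning the range body for a prefix,
    so the comparison of the full hash happens locally (k-anonymity)."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix):
    """Offline substitute for the HTTP call, serving only the constructed sample."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ["password", "Tr0ub4dor&3"]:
        n = breach_count(candidate, offline_fetch)
        verdict = "seen %d times, reject" % n if n else "not in sample, allow"
        print(f"{candidate!r}: {verdict}")
```

In a real deployment `offline_fetch` is swapped for an HTTPS GET of the range URL; the password and its full hash still never leave the client.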

Suddenly you could find your crown jewels penetrated and out of your control.

The other thing that has been circulating around too, particularly on sites like Facebook and Instagram is the "name" generator.

I recently downloaded and stole this image, found on multiple posts on LinkedIn:

Do you remember when I said people have simple and easy-to-guess passwords? That is usually because they include a spouse's name, date of birth, pet name, child's date of birth or whatnot.

Additionally, people usually choose basic "recovery questions" when setting up their accounts, and tools like this on Facebook and Instagram are increasingly being used to hack your accounts.

Passwords at Work

Much like in our personal lives, we use passwords at work regularly. We log into our work computers (at home or the office), our work phones and even online apps and services like Microsoft 365, Slack, Dropbox, Box or OneLogin.

The same as our personal lives, it becomes impossible to remember all the passwords we need for work.

You start seeing users writing their passwords in the back of a notebook, or on post-it notes.

This opens you up to a whole range of major vulnerabilities, resulting in potential financial loss, reputational loss or even closure of the business if a breach occurs.

Additionally, many organisations that opt in to 2FA as standard feel this adds enough security to their users' accounts and access. In reality, if your company or users are being targeted by social engineering, cookie hijacking or man-in-the-middle attacks, it won't offer much protection.

How can businesses secure users and passwords?

There are many options available to businesses that currently use passwords and see the vulnerabilities behind them, but it requires a major change in how your organisation views the humble password.

The simplest way, which offers good levels of protection and security, is to adopt a single sign-on (SSO) platform that uses Security Assertion Markup Language (SAML), OAuth and Multi-Factor Authentication (MFA).

Phew... that is a lot of acronyms. Here is a quick rundown of what each one means:

SSO - Single sign-on is an authentication scheme that allows a user to log in with a single ID and password to any of several related, yet independent, software systems. True single sign-on allows the user to log in once and access services without re-entering authentication factors.

SAML - Security Assertion Markup Language is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based markup language for security assertions.

OAuth - OAuth is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites without giving them the passwords.

MFA - Multi-factor authentication is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism: knowledge, possession, and inherence.

So you are probably thinking, what tool or service allows me to do this? The one I would always recommend is OneLogin.

OneLogin, an innovator in enterprise identity management, provides the industry’s leading SaaS solution for managing internal and external users across all devices and applications.

OneLogin’s cloud identity management platform provides more than 2,000 customers with secure single sign-on, multi-factor authentication, integration with common directory infrastructures such as Active Directory and LDAP, user provisioning and more.

How does an SSO help protect my business?

You might be thinking that having one log-in for every SaaS, online and on-prem service you use would make you more vulnerable, but there are a couple of considerations to bear in mind when using a good SSO platform:

  • Policy-based MFA: security questions, mobile-app push notifications, SMS, voice MFA, adaptive authentication, biometrics, contextual location and device context (new device, new IP, managed/unmanaged and so on) can all be used in tandem to build your organisation's threat matrix.
  • Fully auditable reports, with customisable directories for user groups and devices, attribute mapping and easy-to-manage SCIM provisioning, help your IT teams stay one step ahead.
  • Easy for users. You want easy-to-access desktop, browser and mobile apps, with multi-language support and unlimited integrations with your LDAP/AD. You may even want self-service password reset tools too!

Adopting an SSO like OneLogin is just the first easy step towards a passwordless environment. If you are also looking at adopting zero-trust principles, it is a great step to take.

Alternative Solutions for Businesses

Device-Based Authentication

Organisations that want to eliminate passwords and reduce the risk of data breaches could explore using the device itself as the tool for access.

Using something like Ivanti MobileIron Zero Sign-on allows passwordless MFA for both cloud and on-prem services. It also includes an MFA application with support for push notifications, one-time PINs and QR code scans.

Password Manager

In an ideal world, you would remove passwords altogether. Some organisations do not want to explore SSOs or MFA applications, so a tool like a password manager could be game-changing.

You only ever need to memorise one password; all your other passwords and important information are protected by your Master Password, which only you know.

A tool like 1Password is my personal recommendation for this kind of functionality... but let me be clear, you still want to be moving towards passwordless.

How to have better password hygiene if you still need to use passwords (or if you use passwords in your personal life)

Passwords, unfortunately, are here to stay for a little longer, and there are many steps you can take to reduce the risk of your accounts being hacked or breached.

Now as we discovered, there is no such thing as a secure password, and tools like 2FA are not perfect, but if you are robust enough with how you use passwords and 2FA, you can be safer than you are now when it comes to passwords.

There are some simple rules to follow:

Never re-use a password, ever, like never ever do it.

Reusing passwords is dangerous: if one service is breached, every other service that uses the same password can be breached too. At the very least, you must make sure your email has the most unique and strongest password, because if a hacker gets access to your email, it is all over. They can simply request password resets for all of your other services.

Use a mix of letters, numbers, symbols, capital letters and spaces, randomised.

Random is good with passwords, and using a mix of characters is even better. Check out this graphic below from @coders.bro on Instagram:

Now, this is primarily talking about brute force attacks on your passwords, not social engineering or data breaches, so there is a pinch of salt to be had here.

Nevertheless, a good password with a strong mix of characters is harder to guess and brute force your way into.

If you are wanting a memorable password, pick 3 random things in the world (spoon, building, tree for example) to create your password.

If you want to test this for yourself, pick three items from your kitchen then go to your loved one, colleague or friend. Ask them to guess those three items (in the right order). Even give them multiple guesses. Chances are (unless they are insanely lucky or you happen to be holding those three items in your hand) they will never get it right, even if they had a thousand guesses.

It works nicely, and you can augment that to be more secure by adding numbers and symbols in between each word to create your password.
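To put numbers on the "three random things" idea and the "thousand guesses" claim above, here is an added example (not from the article) that draws the words and separators with Python's `secrets` module, a CSPRNG, and computes the size of the guess space in bits. The word list embedded here is a constructed 16-word sample; the entropy figures are calculated for a realistic list size, which is an assumption of the example.

```python
import math
import secrets

# Constructed mini word list; a real list (a diceware-style list, for example)
# has thousands of entries, and that size is what the entropy figures depend on.
WORDS = ["spoon", "building", "tree", "kettle", "anvil", "violet", "harbour",
         "pencil", "glacier", "saddle", "cobalt", "lantern", "meadow", "quartz",
         "rocket", "thimble"]
SEPARATORS = "0123456789!#$%&*+-=?@"  # digits and symbols placed between words


def guess_space_bits(choices, length):
    """Entropy in bits of picking `length` items uniformly from `choices`."""
    return length * math.log2(choices)


def passphrase_bits(wordlist_size, words=3, separators=len(SEPARATORS)):
    """Bits for N random words with a random separator between each pair."""
    return guess_space_bits(wordlist_size, words) + guess_space_bits(separators, words - 1)


def make_passphrase(words=3, wordlist=WORDS):
    """Random words joined by random digits/symbols, drawn with the secrets
    module (a CSPRNG) rather than random.choice, which is predictable."""
    picked = [secrets.choice(wordlist) for _ in range(words)]
    seps = [secrets.choice(SEPARATORS) for _ in range(words - 1)]
    out = picked[0]
    for sep, word in zip(seps, picked[1:]):
        out += sep + word
    return out


def expected_guesses(bits):
    """Average number of guesses an exhaustive search needs (half the space)."""
    return 2 ** (bits - 1)


if __name__ == "__main__":
    print("example passphrase:", make_passphrase())
    print("8 random alphanumerics:", round(guess_space_bits(62, 8), 1), "bits")
    print("3 words from a 7776-word list:", round(guess_space_bits(7776, 3), 1), "bits")
    print("...with separators:", round(passphrase_bits(7776), 1), "bits")
    print("guesses for 3 plain words:", int(expected_guesses(guess_space_bits(7776, 3))))
```

Note that the entropy comes from the list size and the random draw, not from the words themselves; three words you chose "at random" in your head are far weaker than three drawn by a CSPRNG.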

Turn on 2 Factor Authentication, on everything you can.

2FA or 2 Factor Authentication is when you log into something, and you get a text, email or pop up in your authentication app with a code (usually 6 numbers) that you then need to put into your log-in to get into your service.

It is a secondary layer of security that sits on top of the password. Now, 2FA is not the perfect cyber defence, as 2FA codes can still be stolen by more sophisticated attacks, but it is better than nothing, and I highly recommend you turn this on for everything.

Popular services like Amazon, Facebook, Google, Hotmail, Instagram, LinkedIn, Microsoft, Paypal, Snapchat, Twitter and many many more all have 2FA available, and there are easy guides on how to set this up on each website.

Use a Password Manager like 1Password or LastPass. Use your Password Manager to manage your 2FA (rather than text SMS).

I have never used LastPass so can not comment on it, but 1Password is brilliant. It has a rather steep learning curve but once you are in and using it, it becomes your go-to application for managing passwords.

It can also handle 2FA easily (so you do not need to worry about finding your phone for the text message), works seamlessly on iOS, Android, Mac and Windows with clever auto-fill and password-generation tools, and to date I have over 300 accounts saved in my 1Password vaults.

Keep all devices and software up to date.

This should go without saying, but it is important that you keep your devices and software fully up to date. This includes browsers in which you may be saving your passwords.

Conclusion

The password is not dead yet, but it is vulnerable. Businesses need to take action today to remove passwords wherever possible. The risk is too great. Regular users need to be smarter when it comes to protecting their personal data with passwords too.

If you have any questions on anything I have discussed today, or if your organisation wants to demo, trial or talk about OneLogin or MobileIron Zero Sign-on in more detail, please feel free to reach out.

I always welcome conversations.

