When you are stuck with password-only, single-factor authentication, there are steps you can take to minimize your risk and improve your password security.
1. DO NOT RE-USE PASSWORDS!
Never, ever, ever use the same password twice.
Not on the same system and not on different systems. Think of passwords as a consumable item, like the windshield wipers on your car. Once they are used and replaced, you never re-use the old ones again – ever!
When you re-use a password, there is the potential that the old use of that password has been compromised in the intervening timeframe. Now that you are using it again (or using it someplace else), hackers have a higher chance of discovering that you are re-using your old password. This might be due to the hash being the same, or they happen to be using the dictionary list with your old password in it.
2. Stop trying to be clever.
Hackers have too many examples of clever in their password database. Just about every trick or technique you can come up with on your own – based on your keyboard or mental calisthenics – is already known and often built into password cracking tools.
You need to start basing your passwords on randomness. (See more below.)
3. Use a tool.
Consider using a secure password management tool (aka credential manager or password vault), if not specifically prohibited by your organization.
Even if you are not allowed to use one at work for company systems, at least use one for all private access to internet sites and services.
You need a password management tool that encrypts your password database and offers random password generation. My personal preference is Lastpass, but Dashlane, 1Password, NordPass, KeePass, and Bitwarden are also great options.
Some of the password storage tools are tied into a cloud service that can give you access to your securely stored credentials from any web terminal or via a smartphone app. The most important aspect of a secure password storage tool is that you are the only and sole possessor of the master unlock code to your credential archive.
Having your credential archive stored in the cloud, as long as it is encrypted and even the hosting company and software vendor are unable to open your personal password locker, can be considered safe.
If you choose to use a tool, be sure to set the master unlock code to as complex a password as you can muster. Again, this should be as random as possible, but you will need to MEMORIZE this one (see step 4).
You will then let the tool generate truly random passwords for all other needs, and let the tool keep track of them for you. I use a credential manager to store hundreds of passwords on online sites and services. All of my stored passwords are maximally long (based on site parameters) and random. The only passwords I know are the ones to gain access to my computer and the one to open my password vault.
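What "maximally long (based on site parameters) and random" looks like in practice, as an added example that is not code from any of the tools named above. The site rules in SITE_POLICY are hypothetical; the last function also shows why length counts for more than character variety.

```python
import math
import secrets
import string

# Hypothetical site rules (assumptions for this example, not from a real site).
SITE_POLICY = {
    "max_length": 32,
    "min_per_class": 1,
    "classes": {
        "lower": string.ascii_lowercase,
        "upper": string.ascii_uppercase,
        "digit": string.digits,
        "symbol": "!#$%&*+-=?@^_",  # symbols this imaginary site accepts
    },
}

def satisfies(password, policy):
    """Check length, allowed characters and the per-class minimum."""
    allowed = set("".join(policy["classes"].values()))
    if len(password) > policy["max_length"] or not set(password) <= allowed:
        return False
    return all(
        sum(ch in chars for ch in password) >= policy["min_per_class"]
        for chars in policy["classes"].values()
    )

def generate_password(policy):
    """Return a maximum-length password drawn uniformly from the allowed alphabet."""
    alphabet = "".join(policy["classes"].values())
    while True:
        # secrets draws from the OS CSPRNG; the random module is predictable.
        candidate = "".join(secrets.choice(alphabet) for _ in range(policy["max_length"]))
        # Rejection sampling: redraw the whole string instead of patching it,
        # so every compliant password stays equally likely.
        if satisfies(candidate, policy):
            return candidate

def search_space_bits(length, alphabet_size):
    """Guessing work for a uniformly random string, expressed in bits."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    pw = generate_password(SITE_POLICY)
    size = len("".join(SITE_POLICY["classes"].values()))
    print(pw, f"~{search_space_bits(len(pw), size):.0f} bits")
```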
4. If not using a software tool, consider 3 alternatives
Use a Passphrase
A passphrase is a multi-word password. Instead of picking a single word or a single string of characters as a password, pick three to six words and use them as a collective. You can put a space between each or a symbol. Try to avoid picking words that go together in any way. You also want to intentionally stay away from crafting understandable sentences.
Instead, pick words that might tell you a mental story so you have a chance of remembering it. For example: "purple balloon underground flights intentionally upsetting."
This is an exceptionally long password and, even as lowercase-only, would be improbable for a hacker to figure out using traditional password cracking techniques.
Consider a Random Password Generator
There are computer software tools and smartphone apps you could use to generate your passwords. I prefer an online service called "Perfect Passwords" at https://www.grc.com/passwords.htm, which is "GRC's Ultra High-Security Password Generator."
This site generates random 64/63 character passwords in Hex, American Standard Code for Information Interchange (ASCII), and alpha-numeric. You can choose to use all or just part of one of these random passwords. Plus, each time you refresh the page, a whole new set will be generated.
By the way, Steve Gibson (the man behind GRC – Gibson Research Corp) does not track what is generated on this page nor who uses it. The main problem you have with a random password generator is remembering it. See my suggestion in step 5.
Paper Is a Tried-and-True Alternative — with Exceptions
A paper-based tool is a means to generate random passwords on the fly that you can re-create when needed, in a way that cannot be deciphered or predicted by others.
I've seen several attempts at this, but the only one I have seen survive real-world use and intensive security community scrutiny is another brainchild of Steve Gibson called "Off The Grid" (https://www.grc.com/offthegrid.htm).
This is a page that generates a random 26 by 26 Latin square. A Latin square is a special square array where each value (i.e., letters, numbers, and symbols) appears only once in any row or column. (Sudoku is a form of a Latin square.)
To use "Off The Grid" for passwords, you generate and print off a random Latin Square. Then using your printed matrix, you generate passwords – passwords that are based on random values but that you can re-produce by repeating your generation method and maintaining possession of your printed Latin square.
Please see Steve's excellent documentation, the feedback, and even listen to the podcast discussing this tool to gain a fuller understanding of this technique and its benefits. If you are unable to use a software password tool at work, a paper-based tool could be the best option.
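The Latin square property described above, as an added example that is not GRC's generator and does not reproduce the "Off The Grid" password method. It builds a 26 by 26 square by shuffling the rows, columns and symbols of a cyclic square, which always yields a valid Latin square but reaches only a subset of all possible ones, and it checks the once-per-row, once-per-column rule.

```python
import secrets
import string

def random_latin_square(symbols=string.ascii_lowercase):
    """Build an n x n Latin square from a shuffled cyclic square."""
    n = len(symbols)
    rng = secrets.SystemRandom()          # OS CSPRNG, not the default PRNG
    rows, cols, syms = list(range(n)), list(range(n)), list(symbols)
    rng.shuffle(rows)
    rng.shuffle(cols)
    rng.shuffle(syms)
    # Cell (r, c) of the cyclic square holds symbol (r + c) mod n. Permuting
    # rows, columns and symbol names keeps every row and column duplicate-free.
    return [[syms[(r + c) % n] for c in cols] for r in rows]

def is_latin_square(grid):
    """True if every symbol appears exactly once in each row and each column."""
    n = len(grid)
    if n == 0 or any(len(row) != n for row in grid):
        return False
    symbols = set(grid[0])
    if len(symbols) != n:
        return False
    rows_ok = all(set(row) == symbols for row in grid)
    cols_ok = all({grid[r][c] for r in range(n)} == symbols for c in range(n))
    return rows_ok and cols_ok

def render(grid):
    """Text form suitable for printing on paper."""
    return "\n".join(" ".join(row) for row in grid)

if __name__ == "__main__":
    square = random_latin_square()
    assert is_latin_square(square)
    print(render(square))
```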
5. If you write it down, write it down securely.
If you have passwords that are so long and complicated that you are unable to remember them, then you may have to write them down.
We all know the rule "never write down your password." However, that rule focuses on writing your password down in a blatantly obvious form and then storing it in a potentially easily discoverable location.
Always follow your company policy on this, but consider discussing the following ideas with your security manager as potential exceptions to the "do not write" rule.
If you decide to write down your password, follow these tips:
- Don't ever write down a password in such a way that it seems like it is a password. For example, don't write the word "password" or "P:" in front of it.
- Don't ever keep or leave the written password near the computer or on the same desk or in the same workspace as the computer.
- Always write down passwords in code. Consider writing them down in alternating shifting patterns. For example, if your real password is "PassWOrd12", then write down "pAsSwOrD1@", where I inverted the "shifting" or case of each letter as I wrote it on the paper. You could also write in reverse order, such as "21drOWssaP". You could write inside-out, meaning write down the first letter, then put the second letter in front of the first, then the third letter behind the first, then the fourth in front of the second, etc., such as "2dOsaPsWr1". You can use a number of different patterns or encoding techniques. If you can make sense of it, you might even try combining two or three techniques.
- Never write down a whole password in one location. In spite of my previous examples, try not to write down the whole password in one spot. Instead, break up your password into 3 or more sections and store each section someplace unique. Maybe one section is on the back of your insurance card in your wallet, another on the back of a house key, a third inside the case of your cell phone, and a fourth on the back of the eighth from the last page in the small notebook you carry in your backpack or purse. This means that even if someone stumbles across one of the sections of your password, they will not know the whole password or what order the sections go in.
- Consider dropping letters. Instead of recording every letter in your written version, consider always dropping every third letter or the last two letters. You will have to be sure you can remember what you are not writing down, but it is another option.
- Consider having a standard "padding" phrase. Using the previous suggestions in this section, record the main portion of your password, but always add in padding material. You could define your padding material, such as "B1u79e$", as part of the real password, maybe in the middle or at the end of every password. Or you could include it only in the written version of your passwords, but then you must remember to skip the padding material when you type in the password.
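The reverse-order and inside-out patterns, written-only padding and splitting into sections from the tips above, as an added example that is not part of the original article. Each technique is paired with the step that reads it back, so you can confirm a combination is recoverable before relying on it; the function names are illustrative.

```python
PAD = "B1u79e$"  # the article's sample padding, used here in the written form only

def inside_out(pw):
    """First letter in the middle, then alternate: front, behind, front, ..."""
    out = pw[:1]
    for position, ch in enumerate(pw[1:], start=2):
        out = ch + out if position % 2 == 0 else out + ch
    return out

def inside_out_decode(written):
    """Undo inside_out: the front half holds letters 2, 4, 6... in reverse."""
    front = len(written) // 2
    evens, odds = written[:front][::-1], written[front:]
    return "".join(
        odds[i // 2] if i % 2 == 0 else evens[i // 2] for i in range(len(written))
    )

# technique name -> (how to write it down, how to read it back)
TECHNIQUES = {
    "reverse": (lambda s: s[::-1], lambda s: s[::-1]),
    "inside_out": (inside_out, inside_out_decode),
    "pad": (lambda s: s + PAD, lambda s: s[: -len(PAD)]),
}

def write_down(password, steps):
    """Apply the named techniques in order."""
    for name in steps:
        password = TECHNIQUES[name][0](password)
    return password

def read_back(written, steps):
    """Undo the techniques in the opposite order."""
    for name in reversed(steps):
        written = TECHNIQUES[name][1](written)
    return written

def split_sections(written, parts=3):
    """Cut the written form into `parts` pieces to store in separate places."""
    base, extra = divmod(len(written), parts)
    sections, pos = [], 0
    for i in range(parts):
        size = base + (1 if i < extra else 0)
        sections.append(written[pos:pos + size])
        pos += size
    return sections

if __name__ == "__main__":
    steps = ["inside_out", "reverse", "pad"]
    written = write_down("PassWOrd12", steps)
    print(split_sections(written), read_back(written, steps))
```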
There may be even more techniques for writing down passwords in a secure manner than these few I've presented. With a little practice and research, you can come up with other suggestions.
However, ALWAYS review the concept or idea with your security manager before using these writing down techniques at work.
6. Stop replacing your password on a schedule.
If you have a secure password, there is no need to change it periodically. If you have a weak, guessable, or easily crackable password, you should change it to a secure password. Changing passwords just because time has passed does not benefit the typical user. In fact, by making users change their passwords at a fixed time interval, they are encouraged to pick another new easy-to-remember password. Each time this occurs, the next password is often simpler and easier than the previous, which defeats the whole purpose of password changing in the first place. If you are forced to change your password by company or service policy, then follow that policy. But if you are not forced, keeping a truly secure password is a good practice. The only exception to this is if the site, network, or service is compromised and user account credentials were accessed by a hacker. Then, it would be a good idea to change your password.
This concept is supported by the National Institute of Standards and Technology (NIST). In June 2017, NIST updated the “Digital Identity Guidelines - Authentication and Lifecycle Management” document (NIST SP 800-63B) to include the following statement:
“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”
If that is good enough for the US government, then it probably is a good idea for your organization as well.
7. Use all possible character types supported by the system.
In most cases, lowercase, uppercase, and numbers are universally supported as valid password characters. If you can use symbols, higher-order ASCII characters, or even foreign language characters, do so.
The wider the potential character set that you choose from, the more potential complexity a hacker must overcome in order to crack your password.
Most password cracks focus on the low-hanging fruit. There is almost always someone within your organization who has just barely qualified their passwords based on construction rules but still ended up with an easy-to-remember password. You want to avoid being low-hanging fruit.
8. Make it longer.
Length is the primary factor in a password’s strength. Complexity is a close second. If you only used lowercase letters, then a password of 20 or more characters would be a fairly secure password.
Using a long password that is also character-complex is even more so. Always try to maximize the length of your selected password based on the length limitations of the site or service. If you are limited to passwords under 12 characters, be sure to inquire of the site owners and managers why there is a length restriction at all, much less such a small one.
If a site is actually hashing your password, it does not matter how many characters you type in, as a hash produces a fixed-length representation of your inputted password. If a site is using a hashing mechanism that produces a 256-bit hash (such as SHA-256), it doesn't matter whether you type in 8 or 16 or 1000 characters for your password as the hash of that password would still be 256 bits.
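The fixed-length point above, together with the "hash being the same" risk from step 1, as an added example that is not from the original article. It assumes a verifier that stores salted PBKDF2-HMAC-SHA256 digests; the iteration count is an assumed value for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example; tune to your hardware

def unsalted_sha256(password):
    """What a weak site stores: the same password always gives the same hash,
    so a re-used password is recognisable across two leaked databases."""
    return hashlib.sha256(password.encode("utf-8")).digest()

def store(password):
    """Return (salt, digest) as a careful verifier keeps them: salted and slow."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def verify(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def digest_lengths(passwords):
    """Set of stored digest sizes in bytes for passwords of any length."""
    return {len(store(p)[1]) for p in passwords}

if __name__ == "__main__":
    # 8, 16 and 1000 characters all occupy 32 bytes (256 bits) once hashed.
    print(digest_lengths(["x" * 8, "x" * 16, "x" * 1000]))
    # Unsalted: identical hashes reveal re-use. Salted: the digests differ.
    print(unsalted_sha256("PassWOrd12") == unsalted_sha256("PassWOrd12"))
    print(store("PassWOrd12")[1] == store("PassWOrd12")[1])
```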
9. Go beyond the minimum requirements.
As discussed earlier, hackers understand that human nature often leans toward laziness, and barely complying with construction rules is a common characteristic of compromised passwords. Try to go beyond the minimum requirements whenever possible. Don’t settle for the default of minimal compliance.
If you are required to have two of a character type, try using four or five. If you are required to have at least 10 characters, why not have 20 or 30? If you are asked to define a password, why not construct a lengthy multi-word passphrase?
10. Go random.
You are human.
Your cleverness and ability to craft memorable passwords is not unique. In fact, it is very common, typical, and predictable.
Don't try to invent a new clever trick to create a pattern or construct a memorable password. Assume that anything you can think of, the hackers have already seen thousands of others do, and they can recognize it when you try.
Your only hope is to change the rules of the game and that is to use random passwords rather than memorable passwords. You could use story dice, regular dice, or Dungeons & Dragons dice to roll for random values.
You could hang a newspaper on a dartboard or drop pennies on a magazine open on the floor to select random words. You could type in any search term into a search engine, then pull the fifth word from the first six results.
And, yes, because random passwords are very hard to remember, you will need a security software tool, a secure means of writing them down, or a secure means of generating them.
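Rolling regular dice to pick the words of a passphrase, which ties this step to the passphrase advice in step 4, as an added example that is not part of the original article. The 36-word list is constructed for illustration so that two dice select one word; published diceware-style lists use five dice and 7776 words.

```python
import math
import secrets

# Constructed 36-word list: two dice select one word (6 * 6 = 36).
# Published diceware lists use five dice and 6**5 = 7776 words.
WORDS = """
amber balloon cactus dagger ember falcon
garlic harbor icicle jungle kettle lantern
magnet napkin orchid pebble quartz ribbon
saddle thimble umbrella velvet walnut yonder
zipper anchor biscuit copper dolphin engine
feather glacier hammock iguana jigsaw kernel
""".split()
DICE_PER_WORD = 2

def word_from_rolls(rolls, words=WORDS):
    """Map dice rolls (each 1-6) to a word by reading them as a base-6 number."""
    if len(words) != 6 ** len(rolls):
        raise ValueError("word list size must equal 6 ** number of dice")
    index = 0
    for roll in rolls:
        if roll not in range(1, 7):
            raise ValueError(f"not a die face: {roll!r}")
        index = index * 6 + (roll - 1)
    return words[index]

def passphrase_from_rolls(rolls, sep=" "):
    """Turn a flat list of physical dice rolls into a passphrase."""
    if not rolls or len(rolls) % DICE_PER_WORD:
        raise ValueError("need a whole number of words' worth of rolls")
    groups = [rolls[i:i + DICE_PER_WORD] for i in range(0, len(rolls), DICE_PER_WORD)]
    return sep.join(word_from_rolls(group) for group in groups)

def software_rolls(n_words):
    """Stand-in for real dice, using the OS CSPRNG."""
    return [secrets.randbelow(6) + 1 for _ in range(n_words * DICE_PER_WORD)]

def entropy_bits(n_words, list_size):
    """Bits of entropy when every word is chosen uniformly at random."""
    return n_words * math.log2(list_size)

if __name__ == "__main__":
    print(passphrase_from_rolls(software_rolls(6)))
    # Six words: about 31 bits from this toy list, about 77.5 from a 7776-word list.
    print(f"{entropy_bits(6, len(WORDS)):.1f} vs {entropy_bits(6, 7776):.1f} bits")
```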
Time to Take Action
Easy-to-remember passwords are no longer considered a secure form of authentication. In fact, it has probably been decades since single-password authentication was even potentially a good security idea.
You should consider any static password that you can remember as vulnerable. Even static passwords that are random are still vulnerable to some extent. It just takes much longer for a password-cracking attack to be successful, and the likelihood of that success is inversely proportional to the length of the password. There is always a chance; you are just reducing that chance by having a long and random password.
Do the best that you can within the dictated rules and company security policies, but try to implement as many of my suggestions as possible whenever you are limited to single-factor, password-only authentication.
It is also up to you to be the squeaky wheel and inform others about the insecurity of passwords and to encourage site owners and managers to provide more secure multi-factor authentication options.
The best way to solve the problem of relying on password-only, single-factor authentication is to migrate into a multi-factor authentication (MFA) system. If this is offered by your company or any online service, be sure to take advantage of it.
Today, this already includes many well-known online sites and services. To find out quickly which sites you use regularly that have multi-factor options, you can view the site 2fa.directory (This was originally twofactorauth.org, but that domain name has been taken over by another entity). If a site or service that you use does not already offer a multi-factor authentication option, send the site owners/managers a request to improve their security by adding in multi-factor authentication.
Now that you know a little more about password authentication, you should recognize that this is just a starting point of obtaining security knowledge. There are many other important security concerns that you need to be aware of. Because only with knowledge can you make a change for the better.
Everyone has security responsibilities, both for themselves and for their employer. That responsibility starts with knowing more and seeking out means to gain more knowledge. One source of additional knowledge is the educational materials made available from Global Knowledge. Global Knowledge offers a wealth of online resources such as this article and other online materials.
Global Knowledge is also a world leader in training, both in-person on-site instructional courses, as well as live online virtual classes and pre-recorded at-your-own-pace lessons. Find out more about the educational opportunities online.