December 9 2019 - Last month, we received an email at our email@example.com address offering to help us with our password strength. We get lots of emails, some spam, some not, but most require a little investigation before we decide whether to engage. Any guesses as to whether this email was benign or malicious? It was interesting enough that I plan to talk about it in the next blog post. But regardless of the sender's intentions, it got me thinking about password security, and I thought I would post a few friendly reminders.
First of all, even though you want to make sure that your password is sufficiently strong, be careful with any online password strength meter. I’m not talking about the password strength meters that show up when you are signing up for a service – most of those are client side (meaning your password isn’t sent over the network to be checked) and just give you an indication based on some well-known rules. I’m talking about the ones that are more like “send us your password and we will score it for you”… these are more likely to be password collection schemes.
Next, many password best practices advise replacing letters with symbols based on some mapping. This is typically called leet speak, originally created to escape keyword searches, e.g. “leet” -> “1337”. Although it is good to include symbols, password cracking tools know these mappings and apply them as rules, so a substitution like this does not make your password meaningfully harder to guess. Using p@ssword instead of password provides a false sense of security. Here are a few quick tips that increase password security:
As it turns out, a good password manager can help with all three of these. My personal favorite is Dashlane, but there are other reputable password managers and you should pick whichever one you like best, so you’ll be more likely to use it! The point is to reduce the reuse of the same password by storing your various passwords somewhere secure.
Whichever one you choose, be sure to pick a password manager that has a password generator as well. These generators typically produce a password with a known amount of entropy based on the constraints you give (number of characters, whether to include symbols, and so on).
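As an added example (not code from the original post), here is a small Python checker that puts numbers on the two points above: it undoes leet substitutions before comparing a candidate against a breached-password blocklist, counts how few extra guesses the leet mapping actually buys, and estimates the entropy of a generator-made password from its length and alphabet. The leet table and the blocklist are constructed for the demonstration.

```python
import math
import secrets
import string

# Leet substitutions a rule-based guesser would try (constructed table; "1" is read as "l").
LEET = {"@": "a", "4": "a", "3": "e", "1": "l", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t"}

# Constructed stand-in for a breached-password blocklist; a real deployment uses a large one.
BLOCKLIST = {"password", "letmein", "welcome", "qwerty"}


def normalize_leet(candidate: str) -> str:
    """Undo leet substitutions and case, so 'P@55w0rd' compares as 'password'."""
    return "".join(LEET.get(ch, ch) for ch in candidate).lower()


def is_blocklisted(candidate: str) -> bool:
    """True if the candidate is a blocklisted word or a leet/case variant of one."""
    return normalize_leet(candidate) in BLOCKLIST


def leet_variants(word: str) -> int:
    """Distinct strings a guesser obtains by optionally substituting each letter of `word`."""
    inverse = {}
    for symbol, letter in LEET.items():
        inverse.setdefault(letter, []).append(symbol)
    count = 1
    for ch in word.lower():
        count *= 1 + len(inverse.get(ch, []))  # keep the letter, or pick one of its symbols
    return count


def added_bits(word: str) -> float:
    """Extra work, in bits, that leet substitution adds when the guesser enumerates every variant."""
    return math.log2(leet_variants(word))


def generated_entropy_bits(length: int, alphabet: str) -> float:
    """Entropy of a password drawn uniformly at random: length * log2(alphabet size)."""
    return length * math.log2(len(set(alphabet)))


def generate_password(length: int = 20,
                      alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> str:
    """Draw each character from the OS CSPRNG, as a password manager's generator does."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print("p@ssword blocklisted:", is_blocklisted("p@ssword"))
    print("bits leet adds to 'password':", round(added_bits("password"), 2))
    print("bits in a generated 20-char password:", round(generated_entropy_bits(20, string.printable.strip()), 2))
```

For "password" the leet rules add under six bits of work, while a 20-character password drawn from the 94 printable ASCII characters carries roughly 131 bits, which is why a policy should blocklist normalized words and let the generator supply the randomness.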
To sum up: good randomness, minimal reuse, and sufficient length are best practice for passwords. Remember, a trusted password manager can help you keep track of your strong passwords!