Password Best Practices

Password Myths

• Should you regularly change your password(s)?

  No - 

  Regularly changing your password simply doesn't do a whole lot to protect your security, while majorly increasing the likelihood that you will forget your password.  The most insecure password is the one you write down on a post-it note!

  Learn More

• Are longer passwords more secure than shorter ones?

  Yes - 

  Length and randomness are what make a password strong.  While a short complex password might be fairly secure, a longer password - even if it's less complicated - usually increases the password complexity exponentially!

  Learn More

• Are viruses and malware the biggest threat to my personal information?

  No - 

  The biggest risk to your personal information comes from social engineering, where malicious actors exploit your humanity, not your technology.  The most common form of social engineering is phishing, but there are lots of ways socially engineer.  

  Learn More

• Are password managers safe?

  Yes, mostly - 

  Most password managers provide an encrypted, safe way of storing thousands of passwords, making them easily accessible for you, but uncrackable to others.  However, if the password management company has a security breach, or if you forget your primary password, there are risks.  

  Despite these risks, the ITS Help Desk highly encourages you to use a password manager!  

  Learn More

• Is it safe to save my password in my web browser?

  Yes, mostly - 

  Modern browsers function very similarly to password managers.  They use a central, primary password to protect all of your other passwords.  Plus, they provide a convenient way to autofill your passwords in your browser.  

  However, if someone gets access to your primary password, they have access to ALL your passwords.  And, if someone gets access to your unlocked computer, all your accounts are at risk.  

  Learn More

Tips for Strong Password Security

• Tip 1
• Tip 2
• Tip 3
• Tip 4

More Information

• Changing your Password

  For years, well-meaning security best practices suggested changing your passwords every 6 months or even every 90 days.  However, in recent years, industry recommendations have moved away from this recommendation.  Here's why.  

  Why Change Passwords?

  Frequent password changes protect against a very specific circumstance.  This security strategy assumes it is only a matter of time until the password is cracked.  That means both of the following must be true:

  1. The hacker must be able to try millions of passwords without being locked out, AND
  2. The password must be unencrypted/very simple, OR the hacker must have a lot of time and resources

  However, modern technology has made these specific circumstances very rare.  Almost all systems automatically lock a user out after a small number of attempts (usually 3-10).  That means the hacker can't try millions of options unless they can bypass the lockout.  

  If the hacker can somehow bypass the lockout system, they can access your password.  However, as long as your password is encrypted and complex, it is almost uncrackable.  Even medium-complexity passwords can take months or years of nonstop computing to crack. 

  For the vast majority of situations, cracking a medium to complex password costs more than a hacker stands to profit.  Most hackers are seeking the lowest hanging fruit - low effort, but high reward situations!

  What's Different Now?

  From a technical standpoint, frequent password changes don't increase your security.  They do, however, increase the likelihood that you will forget your password! 

  By forcing users to retrain their memory pathways every 3-6 months, users are almost guaranteed to write their password down.  The most insecure password is the one written on a post-it note in your office.  Rather than run this risk, it is far more beneficial to set a complex password and leave it indefinitely, unless there is evidence it was compromised. 

  Special Exceptions

  There are some exceptions to these circumstances.  In industries where the payoff for cracking a complex password is extremely high or non-monetary - for example, banking, politics, or military.

  In these situations, a malicious actor may spend millions of dollars in resources over years or decades to manually exploit a leaked password.  That's why in some highly confidential industries, frequent password changes are still recommended.  

  What's Right for Me?

  Frequently resetting your password is not a security detriment if you are sure you will never forget it.  Feel free to reset your password as frequently as you like, in this case!  

  However, if you (like the majority of people) are likely to forget your password, assess whether your password provides someone access to information that is worth extremely high levels of money and time investment.  If the answer is yes, it's recommended that you frequently change your password.  However, for the majority of individuals, this is not the case.  Therefore, frequent password changes aren't necessary. 

• Password Math

  Password security is based around how easy it is for someone to guess your password.  This guessing is influenced by character complexity, dictionaries, and hashing. 

  Character Complexity

  Everyone has experienced having to pick special characters for your password.  That's because with every additional character in a password, your password becomes more difficult to guess. 

  For example for a password that is 6 letters long, lowercase only, there are 308,915,776 potential password permutations (26 possible letters, 6 character password: 26^6).  If you add in uppercase letters, there are 19,770,609,664 permutations.  

  Adding numbers and special characters increases the complexity, but by making the password longer, you increase password complexity at an exponential rate!  Therefore, increasing password length is mathematically far more effective.  

  Dictionaries

  An 8 character password has about 720 trillion permutations.  However, people aren't random when we select passwords.  A huge majority of 8-character passwords are simply "password" and can be cracked immediately. 

  Lists of the most common passwords are often integrated into the algorithms trying to guess passwords.  These are called "dictionary lists;" they essentially exploit human tendencies for heuristics, and allow simple passwords to be easily guessed.  These lists can even contain common patters (for example, 2/4/6 digit numbers that to correlate to dates, or 10 digit numbers that correlate to phone numbers).  

  Dictionary lists mean that even though a 24-character password has an absurd number of permutations (3.7 x 10^44), "passwordpasswordpassword" can be cracked in minutes.  

  The solution for dictionary lists is randomization.  By using random characters, or better yet, strings of random and unrelated words, dictionary lists are rendered useless.  

  Hashing and Salting

  When a password is stored in a secure server, it is usually hashed.  That means the password is sent through a one-way algorithm, and turned into a complex string of random characters.  Often, this string is further complexified by appending a unique string to the hash.  This string is derived from something else, like your username or email address, and it's called a salt (doesn't that sound delicious?).  

  Unlikely encryption, a salted-hash cannot be reversed if you have the algorithm - you must have (or guess) the password AND the salt.

  However, even if a password is hashed, it can still be cracked if it is a simple or common password.  Common passwords like "password" or "letmein" have widely published hashes online that are used to exploit users.  

  So What Should I Do?

  The best passwords are long, random, and memorable.  

  Using a password generator like this one, you can create a random string of words and special characters.  These passwords are more secure from Dictionary attacks, and they have immense complexity because of their length.  However, since they use real words that have meaning, they can be easily memorized.

  For example, take these two 35-character passwords. 

  • Toward-Enclosure-Wetlands-Royalty-7
  • YehzrdublWk846NcgeV-eYlsIMk1KbNli0T

  Both passwords use only numbers, letters, and hyphens, and are 35 characters long.  Since completely randomized words were used, both passwords are equal in complexity.  However, one is relatively easy to memorize, and one is basically impossible to remember. 

  One important caveat to this example is that these words are randomized by a computer.  Humans are extremely bad at coming up with random words (because we tie concepts together).  Using pseudo-random words puts your password at higher risk of being cracked by a Dictionary attack. 

• Social Engineering

  Social engineering is exploitation of human tendencies and social norms to bypass technology security.  Although exploitative technology certainly exists, by far the biggest threat to the average users' security is themselves.  

  What is Social Engineering?

  The easiest way to think of Social Engineering is to imagine a heist movie, like Ocean's Eleven.  In a heist movie, often times, the group planning the heist needs to conduct some sort of espionage to gain information before they can conduct their heist.  Often, this looks like wearing a disguise and fooling the organization into trusting you with access to sensitive information. 

  In this circumstance, it is not the organization's security infrastructure that is being exploited, but the people who work in that infrastructure.  In the same way, Social Engineering is a tactic by which hackers target users by gaining their trust and stealing information. 

  What about normal hacking?

  IT security has come a very long way since the 90s.  As a result, most security protocols that protect your personal information cannot be bypassed or exploited simply through technology.  In almost all hacking circumstances, the hacker needs some sort of private information - your password, or access to your computer - to get past security. 

  There are some exceptions to this generalization.  For example, the Heartbleed bug from 2014 did not require any user exploitation to bypass security.  However, these circumstances are much rarer.  

  What are common forms of Social Engineering?

  The most common form of Social Engineering is email phishing.  In a phishing email, someone says that are a bank or a social media company, and then harvests your username and password for their own use.  It's not as flashy as a disguise, but it's extremely effective. 

  There are other methods of social engineering that occur as well.  Sometimes, a hacker will disguise themselves as a construction worker to gain access to a building, or as an HVAC specialist to access a secure room.  Another common social engineering tactic is for a malicious actor to stand in front of a building swiping a key card that won't work in hopes of getting a real employee to let them in. 

  How do I know if something is Social Engineering?

  The most effective way of battling social engineering is by verifying identity.  When you receive an inquiry - in person or virtually - for access to something secure, like a password or server room, ask yourself the following questions:

  1. Do I know this person?
  2. If I do, does this seem like their type of behavior?
  3. If I don't, can I verify their identity?
  4. Was I expecting this request?

  It's also important to acknowledge that Social Engineering weaponizes your own politeness against you.  Many people choose not to confront a stranger carrying a ladder in their office because that person looks like they belong, and confrontation feels rude or inappropriate.  Social Engineers rely on this discomfort for success. 

  Tips for verifying identity

  Verifying identity can be one of the hardest parts about social engineering.  Here are some suggestions on effective ways to verify someone's identity, and what to do if you can't verify someone's identity:

  1. If you are contacted by phone, look up that company's official website and call them back on their published phone number.  Make sure you are using the company's actual website!
     
     
  2. If an email is from someone you know, but seems uncharacteristic (for example, your boss asking you to purchase gift cards), contact that person via a different method of communication (like by phone or in person)
     
     
  3. If someone unfamiliar is asking to access a physical room with secure information, don't be afraid to contact your supervisor, or to call Public Safety's non-emergency line for verification
     
     
  4. Always have suspicions if someone is asking for major personally identifying information, like credit cards or your Social Security Number
• Password Managers

  Password managers are software applications that store your passwords in an encrypted file, locked with a primary password.  They allow you to look up your password for a given application, rather than memorizing it. 

  Are Password Managers safe?

  Password managers are generally safe.  Most password managers use a primary password to encrypt the file that stores your passwords.  That means your passwords are completely safe, as long as...

  • ...you remember your primary password, and
  • ...your primary password is not stolen

  What are the risks of a Password Manager?

  Here are some of the risks of using a password manager:

  • Your passwords are secured by a single, primary password.  If that password is lost or stolen, all your passwords are impacted
    
    
  • Many password managers have an autofill option.  If this option is active, and your computer is stolen, a malicious actor can access your accounts without needing to know the password
    
    
  • As with all 3rd party institutions, you are trusting the vendor to patch security bugs and use modern, secure technology

  What are the benefits of a Password Manager?

  Here are some of the benefits of using a password manager:

  • Password managers are immensely more secure than writing your password in a notebook or document.  If you are currently writing down your passwords anywhere, we highly recommend migrating to a password manager
    
    
  • Autofill functions save a lot of time.  You can set up your browser to automatically fill in passwords for accounts, all while storing them in the password manager
    
    
  • Most password managers have a phone app, so you can access your passwords when not at a computer as well
    
    
  • Most password managers allow for randomized, secure password creation.  You can create completely random passwords for all your accounts, and never have to memorize them - just use the app to copy/paste or autofill when necessary

  Is it safe to save passwords in my browser?

  Generally, yes - saving passwords in your browser is usually okay.  Many modern browsers function similarly to a password manager when configured correctly.  Safari uses your AppleID to protect your passwords, and Google Chrome uses your Google login.  However, keep in mind the following points:

  • Some web browsers store your passwords in the browsing cache.  That means if you clear the browsing cache, you will lose those passwords
    
    
  • Most web browsers don't ask you to verify your primary password before autofilling.  That means, if your computer is stolen and it is not locked with a password, all of your passwords and accounts are at risk
    
    
  • Web browsers generally aren't investing the same technology in security and encryption as Password Managers, so you will likely find they have less security

  What Password Managers does ITS recommend?

  ITS doesn't have an official password manager recommendation, because no password manager is officially supported by the university at this current time.  That means we cannot promise it will work perfectly, and may not be able to help set it up fully.

  However, here are some password managers that we have experience with below:

  • Enpass
  • LastPass
  • DashLane
  • 1Password
  • SafeInCloud

  There are many other password managers out there as well, most of which have a one-time or recurring cost.  Please check reviews and do research before selecting a Password Manager.