- Create unique passwords that use a combination of words, numbers, symbols, and both upper- and lower-case letters.
- Do not use your network username as your password.
- Don’t use easily guessed passwords, such as “password” or “user.”
- Do not choose passwords based upon details that may not be as confidential as you’d expect, such as your birth date, your Social Security or phone number, or names of family members.
- Do not use words that can be found in the dictionary. Password-cracking tools freely available online often come with dictionary lists that will try thousands of common names and passwords. If you must use dictionary words, try adding a numeral to them, as well as punctuation at the beginning or end of the word.
- Avoid using simple adjacent keyboard combinations: for example, “qwerty”, “asdzxc” and “123456” are horrible passwords that are trivial to crack.
- Some of the easiest-to-remember passwords aren’t words at all but collections of words that form a phrase or sentence, perhaps the opening sentence to your favorite novel, or the opening line to a good joke. Complexity is nice, but length is key. It used to be the case that picking an alphanumeric password that was 8-10 characters in length was a pretty good practice. These days, it’s increasingly affordable to build extremely powerful and fast password cracking tools that can try tens of millions of possible password combinations per second. Just remember that each character you add to a password or passphrase makes it an order of magnitude harder to attack via brute-force methods.
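To put numbers behind "length is key", here is a small added example (not code from the original article) that computes the search space and worst-case exhaustive-search time for several password shapes. The guess rate of 10,000,000 per second is an assumption chosen to match the "tens of millions per second" figure above; the 7,776-word list size used for the passphrase row is the size of a common diceware list and is also an assumption.

```python
"""Length versus character-set size under exhaustive guessing (added example)."""
import math

# Assumed attacker speed; real cracking rigs vary by orders of magnitude
# depending on the hash function the site used.
ASSUMED_GUESS_RATE = 10_000_000  # guesses per second

SECONDS_PER_YEAR = 365.25 * 86400


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct strings of `length` symbols drawn from `charset_size` choices."""
    return charset_size ** length


def bits_of_entropy(charset_size: int, length: int) -> float:
    """Entropy in bits when every position is chosen uniformly at random."""
    return length * math.log2(charset_size)


def worst_case_years(charset_size: int, length: int,
                     rate: int = ASSUMED_GUESS_RATE) -> float:
    """Years needed to try every string in the keyspace at `rate` guesses/second."""
    return keyspace(charset_size, length) / rate / SECONDS_PER_YEAR


# (label, alphabet size, length). 95 = printable ASCII, 26 = lowercase,
# 7776 = words in a diceware-style list (constructed policy set).
POLICIES = [
    ("8 chars, full complexity", 95, 8),
    ("10 chars, full complexity", 95, 10),
    ("16 chars, lowercase only", 26, 16),
    ("4 random diceware words", 7776, 4),
    ("6 random diceware words", 7776, 6),
]


def compare(policies=POLICIES):
    """Return (label, bits, years) rows so the effect of length is visible side by side."""
    return [(label, round(bits_of_entropy(n, k), 1), worst_case_years(n, k))
            for label, n, k in policies]


if __name__ == "__main__":
    for label, bits, years in compare():
        print(f"{label:28s} {bits:6.1f} bits  {years:,.1f} years")
```

The table shows why the article favours length: 16 lowercase letters (about 75 bits) dwarfs 8 fully complex characters (about 53 bits), and each extra symbol multiplies the attacker's work by the alphabet size.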
- Avoid using the same password at multiple Web sites. It’s generally safe to re-use the same password at sites that do not store sensitive information about you provided you don’t use this same password at sites that are sensitive.
- Never use the password you’ve picked for your email account at any online site: If you do, and an e-commerce site you are registered at gets hacked, there’s a good chance someone will be reading your e-mail soon.
- Whatever you do, don’t store your list of passwords on your computer in plain text. My views on the advisability of keeping a written list of your passwords have evolved over time. I tend to agree with noted security expert Bruce Schneier when he advises users not to worry about writing down passwords. Just make sure you don’t store the information in plain sight. The most secure method for remembering your passwords is to create a list of every Web site for which you have a password and next to each one write your login name and a clue that has meaning only for you. If you forget your password, most Web sites will email it to you (assuming you can remember which email address you signed up with).
- One thing to note about password storage in Firefox: If you have not enabled and assigned a “master password” to manage your passwords in Firefox, anyone with physical access to your computer and user account can view the stored passwords in plain text, simply by clicking “Options,” and then “Show Passwords.” To protect your passwords from local prying eyes, drop a check mark into the box next to “Use Master Password” at the main Options page, and choose a strong password that only you can remember. You will then be prompted to enter the master password once per session when visiting a site that uses one of your stored passwords.
- There are several online third-party services that can help users safeguard sensitive passwords, including LastPass, DashLane, and 1Password that store passwords in the cloud and secure them all with a master password. If entrusting all your passwords to the cloud gives you the creeps, consider using a local password storage program on your computer, such as Roboform, PasswordSafe or Keepass. Again, take care to pick a strong master password, but one that you can remember; just as with the Firefox master password option, if you forget the master password you are pretty much out of luck.
Surprising New Password Guidelines from NIST
The National Institute of Standards and Technology (NIST) is a non-regulatory federal agency within the U.S. Department of Commerce. Recent studies have shown that the conventional wisdom on passwords is wrong, so you need to rethink your password strategies. These recommendations are mainly due to the fact that most people reuse passwords or change their passwords in such a way that they can easily be guessed based on passwords that have already been compromised. If you use different passwords for every web site and follow the guidelines provided by those web sites, you are already practicing good password techniques.
Don't Reuse Passwords
Even if your organization has not been breached, password reuse puts it at risk. The cyber criminals know that if a password was ever used before, it’s likely to be found again. With a solid cracking dictionary, the cyber criminal never needs to resort to brute force guessing, and hashed passwords become only an inconvenience. Cracking dictionaries and rainbow tables are commonly shared among cyber criminals.
Don't Use Complex Passwords
Experts recommend removing all password complexity rules since they just create a false sense of security. A big problem for all users is remembering their passwords, so they try to make them simple and use them over and over again.
- Periodic password change requirements: There have been multiple studies that have shown requiring frequent password changes to actually be counterproductive to good password security.
- Algorithmic complexity: Mixing upper case letters, symbols and numbers, like frequent password changes, has been shown to result in worse passwords. Conventional wisdom says that password complexity can only be a good thing. But in reality, complex password requirements can do more harm than good. Making users' lives easier, not harder, is the way to ensure stronger passwords.
Don't use password hints or knowledge-based authentication
Allowing you to leave a hint to your password or answer a personal question like “What street did you grow up on?” to reset passwords is also now not recommended by experts. With the constant dissemination of personal information on social media or through social engineering, the answers to such questions or hint prompts are easy to find.
Don't use commonly used passwords
Require every new password to be checked against a “blacklist” that can include repetitive or sequential strings, variations on the site name and the passwords hackers are most likely to guess.
Don't use compromised passwords
Make sure that your online accounts check your user account against compromised credentials to ensure that you are not using or creating a password that is already known by cyber criminals. Screening passwords against lists of commonly used or compromised passwords is one of the best ways to ratchet up the strength of your passwords. No site should be allowing the use of known, compromised credentials.
There are two benefits of this simple policy:
- It closes a glaring gap which otherwise leaves your password layer completely open to credentials exposed in third-party breaches.
- It ensures that your passwords are unique enough to not be reversible using cyber criminal cracking dictionaries.
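The two screening steps described in the previous sections (a blocklist of common, repetitive, sequential and site-specific passwords, plus a check against compromised credentials) can be implemented on the verifier side as one function. The following is an added example, not code from the article or from NIST. The blocklist, the site name (`examplebank`), the username and the breach corpus are constructed inline so it runs offline; the breach check follows the k-anonymity "range" query pattern popularised by Have I Been Pwned's Pwned Passwords service (only the first five hex characters of the SHA-1 leave the client), but the HTTP call is replaced by a constructed lookup table built from `build_range_table`.

```python
"""Verifier-side password screening in the spirit of the guidance above (added example)."""
import hashlib
import re

MIN_LENGTH = 8    # the strict minimum the guidelines call for
MAX_LENGTH = 64   # allow at least 64 characters so passphrases fit

# Constructed stand-in for a real list of common/leaked passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou", "admin"}

SITE_NAME = "examplebank"  # assumed deployment value, not a real site


def is_sequential(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive characters step up or down by one code point ('abcd', '4321')."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def is_repetitive(pw: str, run: int = 4) -> bool:
    """True if any single character repeats `run` or more times in a row ('aaaa')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def contains_context(pw: str, username: str) -> bool:
    """Reject passwords that embed the site name or the user's own login name."""
    s = pw.lower()
    return SITE_NAME in s or (len(username) >= 3 and username.lower() in s)


def build_range_table(leaked: dict) -> dict:
    """Server side of the toy: group SHA-1 suffixes of leaked passwords by 5-hex-char prefix."""
    table = {}
    for pw, count in leaked.items():
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        table.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return table


# Constructed breach corpus with made-up occurrence counts.
CONSTRUCTED_BREACH_CORPUS = {"password": 3_000_000, "Summer2019!": 12_000, "letmein": 900_000}
BREACH_TABLE = build_range_table(CONSTRUCTED_BREACH_CORPUS)


def range_lookup(pw: str, range_table: dict = BREACH_TABLE) -> int:
    """Client side: send only the 5-char prefix, match the full suffix locally. Returns breach count."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in range_table.get(prefix, []):
        found_suffix, count = line.split(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def check_password(pw: str, username: str, range_table: dict = BREACH_TABLE) -> list:
    """Return a list of rejection reasons; an empty list means the password is acceptable.
    Note there is deliberately no composition rule (no 'must contain a symbol')."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    if len(pw) > MAX_LENGTH:
        reasons.append("too long")
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("common password")
    if is_repetitive(pw):
        reasons.append("repetitive characters")
    if is_sequential(pw):
        reasons.append("sequential characters")
    if contains_context(pw, username):
        reasons.append("contains site or user name")
    if range_lookup(pw, range_table) > 0:
        reasons.append("appears in breach data")
    return reasons


if __name__ == "__main__":
    for candidate in ["password", "examplebank2024", "abcd1234xyz", "purple giraffe umbrella thirty-one"]:
        print(f"{candidate!r}: {check_password(candidate, 'alice') or 'OK'}")
```

In a real deployment the table lookup in `range_lookup` is an HTTPS request for the five-character prefix; the important property is preserved here: the verifier never sends the full hash, let alone the password, to the breach-data provider.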
Increase password length & simplicity
Keep passwords simple, long and memorable, since longer passwords are harder for hackers to break. We are really bad at random passwords, so the longer the better. Length matters a lot more, which is why the new guidelines call for a strict 8-character minimum and even suggest moving character maximums to at least 64.
- Phrases, lowercase letters and typical English words work well. Experts no longer suggest special characters and a mix of lower and uppercase letters. If you can picture it in your head, and no one else could, that's a good password.
- Longer passwords are harder for hackers to break.
No need for periodic password resets
Having to reset your password every few months doesn't actually work. When most people have to create new passwords regularly, they tend to make them weaker from the start. This makes people change their passwords in predictable patterns, such as adding a single character to the end of their last password or replacing a letter with a symbol that looks like it (such as $ instead of S). So, if a hacker already knows your previous password, it won't be difficult for them to crack the new one.
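The predictable rotation patterns this section describes (appending a character, bumping a trailing number, swapping in a look-alike symbol such as $ for S) can be caught at password-change time, when a verifier briefly has both the old and the new cleartext. The following is an added example, not code from the article: the look-alike substitution table and the edit-distance threshold of 2 are assumptions, and nothing here is stored after the comparison.

```python
"""Detect a new password that is only a predictable variation of the old one (added example)."""

# Assumed look-alike map: symbol/digit -> the letter it usually stands in for.
LOOKALIKES = str.maketrans({
    "$": "s", "5": "s", "@": "a", "4": "a", "0": "o",
    "1": "l", "!": "i", "3": "e", "7": "t",
})

TRAILING_JUNK = "0123456789!?.#*"  # the characters people tack on the end


def normalize(pw: str) -> str:
    """Lowercase, drop appended digits/punctuation, then undo look-alike substitutions.
    Stripping happens before translating so '2019' is removed rather than turned into letters."""
    return pw.lower().rstrip(TRAILING_JUNK).translate(LOOKALIKES)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_predictable_rotation(old: str, new: str, max_distance: int = 2) -> bool:
    """True when `new` is the same as `old` after normalisation, or within `max_distance` edits of it."""
    if new == old:
        return True
    a, b = normalize(old), normalize(new)
    if not a or not b:
        # Everything was stripped (e.g. all digits); compare the raw strings instead.
        return levenshtein(old.lower(), new.lower()) <= max_distance
    return levenshtein(a, b) <= max_distance


if __name__ == "__main__":
    pairs = [("Summer2019!", "Summer2020!"), ("Password1", "Pa$$word2"),
             ("Password1", "Password12"), ("Password1", "orange kettle marathon")]
    for old, new in pairs:
        print(f"{old!r} -> {new!r}: {'rejected' if is_predictable_rotation(old, new) else 'accepted'}")
```

Because the check needs the old cleartext, it can only run during an interactive password change; it cannot be applied retroactively to stored hashes, which is one more reason the guidelines drop forced periodic resets rather than trying to police them.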
Enable "Show password while typing"
Typos are common when entering passwords, and when characters turn into dots as soon as they're typed, it's difficult to tell where you went wrong. This can motivate you to pick shorter passwords that you're less likely to mess up, especially on sites which only allow a low number of login attempts. If you choose, when alone, to have the password displayed while typing, you'll have a much better shot at putting lengthy passwords in correctly on the first try.
Cut & Paste in password fields
“Paste” functionality is now advantageous due to the widespread use of password managers. Password managers generate and store long, complex passwords that you can access through a single master password. If these lengthy, machine-generated passwords can be copied and pasted into a password field, they're not a problem for you. However, if you're faced with the prospect of memorizing and manually typing in such passwords, you may be tempted to stick with short passwords.
MFA - Multi-factor Authentication
For some accounts, passwords are not enough. To make sure you are properly protected, multi-factor authentication is the way to go. A verification that requires you to demonstrate at least two of “something you know” (like a password), “something you have” (like a phone), and “something you are” (like a fingerprint) drastically decreases the probability of a successful hack.
More about NIST: The National Institute of Standards & Technology (NIST) Digital Identity Guidelines aren't just for federal agencies. Learn how to use them to improve your security. NIST password regulations and suggestions are well-researched and well-trusted. Even if you are confident in your security, nothing can beat following standards that have been independently and painstakingly vetted.