This may or may not surprise you, but a significant number of people either don’t know how to choose a strong password or decide not to because they don’t think it’s worth the hassle. It’s true! As part of an internal penetration test, after we get domain administrator permissions, we harvest all of the hashed passwords for the domain and attempt to crack them in order to show the organization the breadth of the password problems they face. In the last three tests we performed, we were able to crack over 70% of their employees’ passwords within a few days. This issue is prevalent across almost every organization and in every vertical we work with, leading me to believe that people honestly do not know how to choose a strong password. In this blog, we will try to fix that!
How to Choose a Weak Password
Before I can explain how to choose a strong password, let’s quickly review what makes up a bad password. I am not going to spend too much time on this, as this blog is dedicated to it, but let’s cover the basics. In general a bad password will meet one or more of the following:
- Be Too Short (Less than 14 characters)
- Be Based on a Dictionary Word or Name (Sarah123!)
- Be Too Hard to Remember (so it is written down)
- Based on a Keyboard Pattern
- Is Shared Between Multiple Websites (email, Facebook, etc.)
How to Choose a Strong Password
OK, now that we have an understanding of what makes a bad password, we can focus on how to choose a strong password. Just because it is 14 characters long does not mean it has to be hard to remember. Let’s look at two ways to create strong passwords.
The first way you can create a strong password is to take a sentence or two that is very familiar to you and that you will have no trouble remembering. Then, you’re done. Use that as your password, including the inherent capitalization, spaces, and punctuation. Almost any sentence will do. For example:
I have a yellow lab named Spot. We picked him out from Brown Dog Farms in 2018.
That is a great password. No way we will ever crack that one. If you want to make it easier on yourself, just take the first sentence. That alone is 31 characters. The second way to create a strong password would be to do the same thing, but this time, just take the first character of each word. So the above example would become:
Which makes a very nice, seemingly random 23 character password. This second method is slightly better as it is more resistant to combinator attacks, and if someone was looking over your shoulder it would seem random and be harder for them to steal.
Other Password Tips
Now that you know how to choose a strong password, there are a couple other tips related to password choice to make your life easier.
First, remember only one password. Make your life easier, and invest in a password manager. I use LastPass and love it. It is called LastPass because they say it is the last password you will ever have to remember. I honestly don’t know my password to my bank account. I login to LastPass using a very strong password, and then have access to all my other passwords and can use them to automatically log into websites.
Second, use multi-factor authentication wherever possible. Multi-factor authentication is a combination of at least two of the following: something you know (password), something you have (cell-phone), and something you are (fingerprint). Have you ever logged into a website and they made you verify with a one-time code they texted you? That is multi-factor authentication. Multi-factor authentication is a big deal, as it exponentially reduces the chances of your credentials being compromised, so you should use it any chance you get.