Passwords

by John Bandler

A password is a combination of characters (letters, numbers, symbols) used to gain access to an information system (computer device, online account).

A password is frequently used as a type of authentication.

Similar terms may include passphrase, a phrase of many words that essentially forms a password.

Password best practices in sum

Cybercriminals have been stealing and guessing passwords for a long time. The challenge is having passwords that we can remember and use, but that are hard for criminals (and their software programs) to guess.

Here are some general principles for passwords:

  • Passwords should be strong and unique
  • The strength should be commensurate with risk
    • Risk differs depending on whether the password protects a cloud-based system or just a device, the type of cloud account, and the type of device.
  • Strong means it is hard to guess, has complexity, has length
  • Longer is usually better
  • A password can be "strong" without being impossible to use. Find the right balance.
  • If your password is impossible to use and you lock yourself out, that doesn't help.
  • Unique means passwords are not reused across accounts or devices
    • You could have a password "base" which is reused across many passwords, and then you add on to the front or end (or both) with unique characters
    • Note that this technique weakens your passwords. You need to decide if that is worth the risk.
  • Don't reuse passwords across important cloud accounts
  • Don't share passwords
    • As a general rule, but see below
  • Change passwords periodically
    • Not too frequently, not too infrequently
    • Though it weakens your passwords, you could change them by adding a character on to them, reducing brain stress
  • Cloud (online) accounts are accessible to anyone with Internet access. They should have strong passwords.
  • Important accounts should have stronger passwords
  • Computer devices are accessible only to someone who physically possesses them. They might not need as strong a password as a cloud account.
    • Reusing passwords across devices might be an acceptable risk (you need to decide)
    • If your computer device unlocks with your cloud password, then that cloud password needs to be strong and unique
  • Password decisions are a compromise between security (confidentiality) and access (availability)
    • For example, the password 123456 will give you great access, you will never forget it. But that's why many humans do this and many criminals guess it, so you would sacrifice security.
  • Don't create such password complexity and confusion that you lock yourself out
  • Passwords represent "something you know", one of the three factors of authentication
  • Passwords alone are often insufficient to secure cloud accounts. Consider employing two-factor authentication
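As an added illustration of the "strong means hard to guess, has length" point and of why a reused "base" plus a few unique characters weakens a password, here is a small strength estimator (example code, not from the original article; the sample passwords and the guess rate are constructed assumptions, and the bit estimate is an upper bound that assumes randomly chosen characters):

```python
import math
import string

# Character-class sizes used for the estimate (printable ASCII).
CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, len(string.punctuation)),  # 32 symbols
)


def charset_size(password: str) -> int:
    """Size of the alphabet a guesser must search, based on which
    character classes the password actually uses."""
    return sum(size for chars, size in CLASSES if any(c in chars for c in password))


def entropy_bits(password: str) -> float:
    """Upper-bound strength in bits: log2(alphabet ** length).
    Assumes characters were chosen at random; dictionary words and
    common patterns such as 123456 are far weaker in practice."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def residual_bits_if_base_leaks(password: str, base: str) -> float:
    """Strength left over once a reused 'base' is already known (for
    example, exposed by a breach of another account) and only the
    account-specific prefix/suffix still has to be guessed."""
    if base not in password:
        return entropy_bits(password)
    unique_part = password.replace(base, "", 1)
    return entropy_bits(unique_part)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years to try every candidate at the given rate. The rate is an
    assumption for illustration; real rates depend on how the password
    is stored (hashing scheme, lockout policy)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("123456", "Summer2023", "Q7v!pL2#wZ9m"):  # constructed samples
        bits = entropy_bits(pw)
        print(f"{pw:14} {bits:6.1f} bits  ~{years_to_exhaust(bits):.2e} years")
    full = "MyBase!2024gm"  # constructed: reused base + 2-character suffix
    print(f"base+suffix intact: {entropy_bits(full):.1f} bits; "
          f"after the base leaks: {residual_bits_if_base_leaks(full, 'MyBase!2024'):.1f} bits")
```

Running it shows the 13-character base-plus-suffix password dropping from roughly 85 bits to about 9 bits once the base is known, which is the weakening the list above warns about.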

Password sharing

As above, the general rule should be "Don't share passwords".

But sometimes certain passwords need to be shared in a business.

Some methods of sharing are more secure than others.

Consider these principles:

  • Never store or share passwords in an unprotected electronic document. An attacker who gets access to the document gets access to all the passwords.
  • If storing passwords in an electronic document, require a password to open the document. Put another way, an attacker who gets access to the document still needs to obtain, guess, or crack that document password to gain access to the rest.
    • The document password should be an appropriate complexity to balance ease of access and security (see above)
  • If storing passwords in an electronic document, know that there are many risks with this. Work to mitigate the risks with good document management and security practices.
  • Consider a reputable password manager, for example: LastPass, 1Password
  • Never share passwords by email (voice is best, text is good, other messaging is still better than email)

Related terms

This is a key term definition article

I created short webpages to provide definitions and best practices for certain key terms. This is one of those webpages.

A definition with some explanation and context, and not a full article.

These are terms that I have explained or defined dozens or even hundreds of times in my life, either through conversation or in writing. After explaining the term I try to explain best practices relating to those terms. These are terms or guidance that may appear in my cybersecurity policies.

Disclaimer

This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.

This is to inform. You need to assess your own risks and decide. You assume all risk for cybersecurity decisions you make. This is a work in progress. This is a limited number of words, so it cannot exhaustively cover all areas.

I may explain nuances further in other articles, or one of my books. Other experts may have differing opinions.

Ask ten different IT or IS experts and you will get ten or more different definitions for a term, and as many different recommendations for cybersecurity posture. Cybersecurity is about decisions and risk management.

Conclusion

If you are a cybercrime victim, see the resources here, and contact me if you need professional assistance.

If your organization needs help with improving its cybersecurity and identity theft protection, feel free to contact me.

Additional reading

This article is hosted at https://johnbandler.com/passwords, copyright John Bandler, all rights reserved.

This article is also available on Medium.com at NOT YET (though not kept as up to date).

Originally posted 3/30/2023, updated 12/18/2023.