So you think you know what a secure password is? Think again. No, seriously. The chances are that the hackers are way ahead of you in terms of truly understanding secure password construction, and more importantly password deconstruction methods as well.
Brute forcing tools abound, which use both dictionary and hybrid dictionary methods to break the kind of password that many think are impervious to such automated breakage. Simply not using dictionary words is no longer protection enough, hackers can crack substitutions such as P455w0rd! instead of password in a matter of minutes. So what does constitute a secure password these days then?
Secure password construction
Current thinking dictates that a secure password needs to be not just eight characters in length anymore, but at least 12. Current thinking also dictates that in order for an enterprise to successfully implement a secure password solution it must consider three parameters: the level of security, the cost implication and user-friendliness.
The last of these is often overlooked, and that's a big mistake as Jan Valcke, president and chief operating officer (COO) at VASCO Data Security, reminds us that "attention must be paid to ensure that extreme password complexity rules don't break the overall security of the scheme because users start writing down passwords".
But how can you build complex passwords that are at least 12 characters long, include special characters and are not dictionary words, without breaking that user friendly rule?
Rik Ferguson, senior security advisor at Trend Micro, suggests you think of a memorable phrase such as "Motley Crue and Adam and the Ants were the soundtrack of my youth" and then take the initial letters to form MCAAATAWTSOMY. "This will be the basis of the password" Ferguson advises "but we need to make sure to a mix of upper and lower case characters, numbers and special characters".
So mixing cases gives us McaAatAwTsomY, changing the o to an 0 produces McaAatAwTs0mY and finally the special characters are introduced by changing the first 'and' into + and the second to & which gives us Mc+A&tAwTs0mY. Ferguson recommends using the symbol as it's overlooked by many brute force tools, so the final password would be: Mc+A&tAwTs0mY
-
Third time lucky? Microsoft finally begins roll-out of controversial Recall featureNews The Windows Recall feature has been plagued by setbacks and backlash from security professionals
-
The UK government wants quantum technology out of the lab and in the hands of enterprisesNews The UK government has unveiled plans to invest £121 million in quantum computing projects in an effort to drive real-world applications and adoption rates.
-
I love magic links – why aren’t more services using them?Opinion Using magic links instead of passwords is safe and easy but they’re still infuriatingly underused by businesses
-
Password management startup Passbolt secures $8 million to shake up credential securityNews Password management startup Passbolt has secured $8 million in funding as part of a Series A investment round.
-
LastPass breach comes back to haunt users as hackers steal $12 million in cryptocurrencyNews The hackers behind the LastPass breach are on a rampage two years after their initial attack
-
GitHub launches passkeys beta for passwordless authenticationNews Users can now opt-in to using passkeys, replacing their password and 2FA method
-
Microsoft SQL password-guessing attacks rising as hackers pivot from OneNote vectorsNews Database admins are advised to enforce better controls as attacks ending in ransomware are being observed
-
No, Microsoft SharePoint isn’t cracking users’ passwordsNews The discovery sparked concerns over potentially invasive antivirus scanning practices by Microsoft
-
Microsoft Authenticator mandates number matching to counter MFA fatigue attacksNews The added layer of complexity aims to keep social engineering at bay
-
As Google launches passwordless authentication for all, what are the business benefits of passkeys?News Google follows Apple in its latest shift to passwordless authentication, but what are the benefits?
