Good Passwords

What is a good password, and how should we advise users?

So what is good practice with passwords?

  1. Don't share them with anyone
  2. Use a different password for each and every system / service / website you access
  3. Make passwords as long as possible, complex and difficult to guess
  4. Set a minimum length of at least 12 characters (aligning to Cyber Essentials)
  5. Don't set a maximum length
  6. Don't force users to change passwords too often: they will just write them down, or weaken them by incrementing a digit on the end (P@55w0rd01, P@55w0rd02 and so on)
  7. Do change them when you have any reason to think one is compromised, and periodically for accounts that would never tell you about a breach (a password you lost control of through a breached site, for example, that you haven't realised or been alerted to)
  8. DO enable Multi-Factor Authentication (MFA), also called Two-Factor Authentication (2FA), on every single account where it is available (100% enabled and enforced on all cloud-based accounts)

How is all of the above achievable? It is really difficult to manage.

  • Use a password manager to hold your passwords. You then need only one complex password to open the "Vault", protected with Multi-Factor Authentication (of course) so that only you can access it, and you are sorted.

What password manager should I use?

To be honest, there are absolutely loads available on the market and it's impossible for us to check and confirm which is the best one to use. You need to determine what is best for your organisation and which of the following features you need:
  1. Hidden password sharing: where a system can have only a single account, the vault shares it without ever exposing the actual password to the person using it. They log in through the vault, which supplies the password to the device/site/service, and they never learn what it is.
    1. Whilst not acceptable as a substitute for the Cyber Essentials administrative account controls, this is a solution where a service offers only a single password and it must be shared among a limited number of admins, for example a unique local admin password per device.

      See also: Admin Account Separation / Cloud Services / Multi-Factor Authentication on Cloud

    2. This is also ideal for users who cannot see their password: they cannot be asked to type it anywhere it is not already linked, because they never know what it is.
  2. Single Sign-On (SSO): using your Active Directory or another central authentication directory, so users access the password vault with their own single sign-on identity, the same one used to access everything else.
  3. Local network only or cloud-based: do you want it only for your team internally, or securely available from anywhere? Is it just for you, your family, or a wider support team?
  4. Device support: which devices and operating systems will you use the software on? It's no good if the solution doesn't work on all your devices.
  5. Browser support: does it integrate into the browsers you use, so it can log you securely into websites?
  6. Desktop application support: do you have applications that need signing into which are not web-based and so need a vault that can fill credentials into desktop software?
  7. User count and price: will it support all the users you want to put onto the product, at a price point that suits your organisation?
  8. Reputation: what are other people saying about the solution, and has it been independently security audited?

The Password - What is a Good Choice?

There are many schools of thought on password choice: those who like words (a single dictionary word, or a short password of any kind, is cracked quickly by wordlist attacks and, where a service stores unsalted hashes, by precomputed rainbow tables), those who like long random strings of letters, numbers and special characters (our preference), and those who have other ideas.

The key things are (we believe):

  • The longer the better: no maximum set, minimum 12 characters
  • Some complexity, and above all length (a mix of character classes at 12+ characters is beyond the reach of precomputed rainbow tables and simple wordlist attacks)
  • Not changed too often (forced frequent changes lead to writing it down or to weak rotation such as P@55w0rd01, P@55w0rd02 etc.)
  • Do not reuse it anywhere! One per system/service/device
  • String words together, ThisHouseIsLovelyInTheSummer!!!, and add some special characters; the strength comes from the number of words, so avoid a well-known phrase or song lyric
  • We like complexity, 8hxZvi5XxJrqrAX3KEFAQKsVq, which is great in a password vault; if you don't have a vault, use a string of words that mean something to you, like the above.
  • DO NOT WRITE THEM DOWN
  • Use Multi-Factor Authentication on absolutely everything that supports it, no excuses, everything: if it's available, MFA it
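The following is an added example, not code from the page's author, that turns the good-practice list above and the password-choice list into something you can run: a policy check (minimum 12 characters, no maximum, not in a deny list of common or breached passwords, not a reuse or a "bump the trailing digit" variant of a previous password), entropy estimates for a vault-style random string versus a string of random words, generators for both styles, and the hash split used by the Have I Been Pwned range API so a full hash never leaves the host. The deny list and word list are small constructed stand-ins for a real breached-password corpus and a real diceware list (the 7776-word EFF list is used only as a number in the entropy estimate); no network request is made.

```python
"""Password policy helpers illustrating the guidance on this page.

Added example, not the page's own code. The deny list and word list below
are small constructed stand-ins for a real breached-password corpus and a
real diceware list such as the EFF large word list (7776 words).
"""
import hashlib
import math
import re
import secrets
import string

MIN_LENGTH = 12                                   # Cyber Essentials aligned; deliberately no maximum
ALPHABET = string.ascii_letters + string.digits   # 62 symbols, as in the page's vault example

# Constructed deny list standing in for a breached/common password corpus.
COMMON_PASSWORDS = {"password", "p@55w0rd", "qwerty123456", "letmein12345"}

# Constructed word list standing in for a real diceware list.
WORDLIST = ["harbour", "lantern", "meadow", "copper", "whistle", "orbit", "pebble", "saffron"]


def strip_trailing_digits(pw: str) -> str:
    """'P@55w0rd02' -> 'P@55w0rd': the part of a rotated password that never changes."""
    return re.sub(r"\d+$", "", pw)


def is_trivial_variant(new: str, old: str) -> bool:
    """True when `new` is `old` with only trailing digits added or changed,
    the pattern that forced frequent expiry pushes users towards."""
    return new != old and strip_trailing_digits(new).casefold() == strip_trailing_digits(old).casefold()


def check_password(candidate: str, previous=(), deny_list=COMMON_PASSWORDS) -> list:
    """Return the list of policy failures; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = candidate.casefold()
    # Catch both the bare deny-list entry and the entry with digits appended.
    if lowered in deny_list or strip_trailing_digits(lowered) in deny_list:
        problems.append("is a common or breached password (possibly with digits appended)")
    for old in previous:
        if candidate == old:
            problems.append("reuses a previous password")
        elif is_trivial_variant(candidate, old):
            problems.append("is a previous password with only the trailing digits changed")
    return problems


def random_password_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of randomly chosen words. Capitalisation and a fixed '!' suffix
    add nothing a cracker cannot model, so they are not counted."""
    return word_count * math.log2(wordlist_size)


def generate_random(length: int = 25) -> str:
    """Vault-style password, like the 25-character example on this page."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generate_passphrase(words: int = 5, wordlist=WORDLIST) -> str:
    """Memorable passphrase: random words joined CamelCase plus a symbol."""
    return "".join(secrets.choice(wordlist).capitalize() for _ in range(words)) + "!"


def hibp_range_parts(pw: str) -> tuple:
    """Split SHA-1(pw) into the 5-hex-char prefix that would be sent to the
    Have I Been Pwned range API and the suffix matched locally against the
    returned list, so the full hash never leaves the host. No request is made here."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


if __name__ == "__main__":
    print(check_password("P@55w0rd02", previous=["P@55w0rd01"]))
    print(check_password("8hxZvi5XxJrqrAX3KEFAQKsVq"))
    print(f"{random_password_bits(25, 62):.1f} bits for 25 random alphanumerics")
    print(f"{passphrase_bits(5, 7776):.1f} bits for 5 words from a 7776-word list")
    print(generate_random(), generate_passphrase())
```

The entropy figures make the page's point concrete: 25 random alphanumerics give roughly 149 bits, which only a vault can remember, while five words chosen at random from a 7776-word list give about 65 bits, which is memorable and still far beyond any wordlist or rainbow-table attack. Both numbers assume the choice was random; a sentence you composed yourself is weaker than the word count suggests, which is why the page recommends words that mean something to you rather than a famous phrase.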

Think About

What happens if you were run over by a bus, or hospitalised with something (COVID-19, for example)? How would people access your systems if you were the only holder of all the passwords?

  • A password vault with emergency access, for example, where a nominated person can be granted access to your vault under agreed conditions