
Security Think Tank: Cracking the code – what makes a good password?

In light of the fact that complex passwords are not as strong as most people think, and that most password strategies inevitably lead to people following them blindly, what actually makes a good password, and when is a password alone not enough?

Authentication is a foundational discipline of cyber security because it establishes that we are who we claim to be. It is the first and most important step in any process that aims to give the right people the right access to the right information at the right time.

To achieve that, we as a society invented access governance, together with a way to establish identity: the password. Passwords bring problems of their own, however, and over time those problems have proved painful, because anyone who learns a password gains the same access to systems and data as its rightful owner.

We choose passwords according to a number of variables, with the security requirements dictated by the systems and environments being accessed. Those platforms sometimes oblige us to pick quite complex combinations of letters and numbers that we, as humans, tend to forget (especially given the sheer number of applications, servers, systems and environments we need to access).

The conventional advice is that a good password has at least eight characters, mixes letters and numbers, and is difficult to guess (meaning it is not a dictionary word, a name or anything else that is semantically obvious). The trouble is twofold. First, complexity rules push people towards predictable patterns: a capital first letter, a “0” in place of an “o”, a digit or two at the end. Second, we end up with far too many passwords to remember, manage and govern, so we find “other” ways to “remember” them, such as using the same one on every system, or writing it down somewhere it can be stolen. At that point the thief becomes us on that system, and we are squarely in the world of identity theft.

To cope, we invented the discipline of password management: tools, processes and procedures that remember the passwords we choose and/or auto-fill our credentials into the target system for us. But again, relying on a single secret to reach critical information should not be enough.

It is unwise to grant access to data on the strength of something we know (the password) alone, rather than taking the next step in access governance: two-factor authentication (2FA), which requires something we know (the password) together with something we have (a device or a physical token that no one else should hold). This approach gives a much higher degree of certainty that we are who we say we are: someone might learn a password or a code, but it is far less likely that they also possess something that is in our hands. Not every second factor is equal, though. A code sent by SMS can be redirected by a SIM swap, and a one-time code typed into a convincing phishing page can be relayed to the real site within seconds, whereas a hardware key speaking FIDO2/WebAuthn signs a challenge bound to the genuine site and cannot be replayed elsewhere.

Many of the big names in the industry, including the social media giants, strongly encourage 2FA on their services as a way of preventing identity theft. Both commercial and free systems are available for this.
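The “something we have” most of those free systems rely on is a time-based one-time password (TOTP, RFC 6238) generated by an authenticator app from a secret shared at enrolment. The following is an added example, not code from the article or any vendor: it implements the HOTP/TOTP algorithms from scratch with the standard library and shows the server-side checks that matter in practice, namely tolerating a small amount of clock drift, comparing in constant time, and refusing to accept the same code twice. The shared secret used in the demo is the RFC test-vector secret, not a real credential.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then the
    'dynamic truncation' that picks 4 bytes at an offset taken from the last
    nibble of the MAC, masks the sign bit and reduces modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 'step'-second
    intervals since the Unix epoch. 'at' is a Unix time; None means now."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits, algo)


def verify_totp(secret: bytes, code: str, at=None, step: int = 30, window: int = 1,
                digits: int = 6, last_counter=None, algo=hashlib.sha1):
    """Server-side verification. Returns the time-step counter that matched,
    or None if the code is wrong, too old/new, or already used.

    window       steps of clock drift tolerated either side of 'now'.
    last_counter highest counter already redeemed for this user. Codes are
                 single-use, so anything at or below it is a replay; the
                 caller stores the returned counter as the new last_counter.
    """
    if at is None:
        at = time.time()
    now = int(at) // step
    matched = None
    for counter in range(now - window, now + window + 1):
        if last_counter is not None and counter <= last_counter:
            continue
        expected = hotp(secret, counter, digits, algo).encode()
        # compare_digest keeps the comparison constant-time; keep checking the
        # remaining counters so timing does not reveal which one matched
        if hmac.compare_digest(expected, code.encode()) and matched is None:
            matched = counter
    return matched


def secret_from_base32(b32: str) -> bytes:
    """Authenticator apps are provisioned with a base32 secret (the 'secret='
    parameter of an otpauth:// URI), often shown without padding or in groups."""
    cleaned = b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    # RFC 4226/6238 test-vector secret, base32 "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    secret = secret_from_base32("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    code = totp(secret)
    print("current code:", code)
    counter = verify_totp(secret, code)
    print("accepted at counter", counter)
    print("replay accepted?", verify_totp(secret, code, last_counter=counter) is not None)
```

The counter returned by `verify_totp` must be persisted per user and passed back as `last_counter` on the next login; without that, an attacker who shoulder-surfs or phishes a code has the full drift window (here 90 seconds) to reuse it.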

Another way of building on the idea of strong authentication is to add a third dimension: something that we are, combined with something we know and something we have. This opens the door to biometrics, which exploits the uniqueness of what we are as humans: our retina, fingerprints, face or voice.

Many suppliers now use this, since modern devices recognise fingerprints and faces accurately, and a biometric is hard to forge because it is such a personal attribute (it is what makes us... us).

While I welcome the adoption of biometrics for access control, and recognise that the template stored on the device is encrypted and difficult to get at (in well-designed devices it never leaves a secure element; only the unlock decision does), there is a catch: if someone were able to obtain that information and somehow fake it, it would be almost impossible to restore trust in the biometric, because no one can change their fingerprints, face or voice.

Changing a password is easy; changing who we are is not. As a consequence, the accuracy and integrity of a third authentication factor should be treated with caution.

The magic of access governance and proper authentication comes from verifying identity with more than one factor, not just one. Easily guessed passwords remain one of the most common attack vectors criminals use.

Every year we still see passwords so weak that a simple brute-force or dictionary attack guesses them in a matter of seconds (I am talking, believe it or not, about passwords like “1234”, “aaaa” or even “admin”).

Ease of use for users

Fortunately, systems now suggest random passwords and passphrases and remember them for us, which gives us both: a credential that is hard for an attacker to guess, and ease of use for the user. A passphrase of several words chosen at random from a large list is long enough to be out of reach of guessing while still being something a person can type and, if needed, remember.
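To make the contrast concrete, the following added example (not code from the article) implements two checks side by side: the traditional “eight characters, letters and digits” rule, and a length-plus-denylist check of the kind modern guidance favours. A password like “P@ssw0rd1” satisfies the complexity rule but is rejected because, once lower-cased and with its “leet” substitutions and trailing digits undone, it is one of the most common passwords in any breach list. It then generates a random passphrase with a CSPRNG and estimates how long an offline attacker would need to exhaust it. The denylist and the 64-word list are constructed for the example so it runs offline; a real deployment checks against a large breach corpus and draws words from a published list such as EFF's 7776-word list.

```python
import math
import secrets

# Constructed denylist of the kind of entries that top every leaked-password
# list. A real deployment checks a large breach corpus (for example a
# k-anonymous Have I Been Pwned range query), not a dozen hard-coded strings.
COMMON_PASSWORDS = {
    "1234", "aaaa", "admin", "admin123", "password", "password1",
    "p@ssw0rd", "p@ssw0rd1", "qwerty", "letmein", "welcome", "123456",
}

# Constructed 64-word list so the example runs offline; a real generator uses
# a large published list (EFF's long list has 7776 words).
WORDLIST = [
    "acorn", "anchor", "badge", "basket", "beacon", "blanket", "bridge", "cabin",
    "candle", "canyon", "carpet", "castle", "cellar", "cider", "clover", "comet",
    "copper", "cradle", "desert", "ember", "fabric", "falcon", "feather", "fossil",
    "garden", "glacier", "granite", "hammer", "harbor", "helmet", "island", "jungle",
    "kettle", "lantern", "lemon", "marble", "meadow", "mirror", "monsoon", "needle",
    "orchard", "oyster", "paddle", "pebble", "pepper", "pillow", "planet", "quartz",
    "rabbit", "ribbon", "saddle", "shadow", "silver", "summit", "thunder", "timber",
    "tunnel", "velvet", "violet", "walnut", "willow", "window", "yogurt", "zipper",
]

# Common "leet" substitutions, so "P@ssw0rd" is recognised as "password".
LEET = str.maketrans({"@": "a", "0": "o", "3": "e", "$": "s", "5": "s", "!": "i"})


def meets_complexity_rule(pw: str) -> bool:
    """The traditional rule: at least eight characters containing letters and digits."""
    return (len(pw) >= 8
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw))


def candidate_forms(pw: str) -> list:
    """Normalised spellings to look up in the denylist: lower-cased, de-leeted,
    and each of those with a trailing run of digits removed ("Password2018")."""
    forms = []
    for base in (pw.lower(), pw.lower().translate(LEET)):
        for form in (base, base.rstrip("0123456789")):
            if form and form not in forms:
                forms.append(form)
    return forms


def check_password(pw: str, min_length: int = 8) -> list:
    """Return the reasons a candidate is rejected; an empty list means accepted.
    The check is length plus a denylist, not character-class composition."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for form in candidate_forms(pw):
        if form in COMMON_PASSWORDS:
            problems.append(f"matches common password '{form}'")
            break
    return problems


def generate_passphrase(n_words: int = 5, wordlist=WORDLIST) -> str:
    """Pick words with the CSPRNG in 'secrets'; never random.choice for a credential."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of n words chosen uniformly and independently from a list of that size."""
    return n_words * math.log2(wordlist_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time for an offline attacker to try every candidate."""
    return 2.0 ** bits / guesses_per_second


if __name__ == "__main__":
    for pw in ("P@ssw0rd1", "Password2018", "correct horse battery staple"):
        verdict = check_password(pw) or "accepted"
        print(f"{pw!r}: complexity rule {'passes' if meets_complexity_rule(pw) else 'fails'}; "
              f"denylist check: {verdict}")
    print("generated:", generate_passphrase())
    for size in (len(WORDLIST), 7776):
        bits = passphrase_entropy_bits(5, size)
        years = seconds_to_exhaust(bits, 1e10) / (365 * 24 * 3600)
        print(f"5 words from {size}: {bits:.1f} bits, about {years:.1e} years at 1e10 guesses/s")
```

Five words from the 64-word toy list give only 30 bits, which an offline attacker at ten billion guesses per second exhausts in under a second; the same five words from a 7776-word list give about 64.6 bits, roughly ninety years at that rate. The strength comes from the size of the list and the number of words, not from sprinkling in symbols.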

Once we are authenticated, a keychain of sorts ensures we have access to the systems we need to reach: no more, no less. Combined with two-factor authentication for critical systems and for sensitive information that warrants a higher level of certainty, this approach will save the day.

Finally, in a world of clouds (plural), with several environments we must access to do our jobs, password management and access governance are not easy. This is why the discipline of the cloud access security broker (CASB) covers both authentication and authorisation (the phase that follows once a user has been identified and authenticated), and why it drives the use of strong authentication for access to the cloud.

The misuse of passwords is, in a big way, one of the threats of our world, and we in the security arena are here to craft the right policies and processes, and to apply appropriate technology and new techniques, so that the right access is granted. We must combine what we know, what we have and what we are with one goal in mind: protect and defend. There’s nothing else.

This was last published in July 2018
