In the office or on the web, the password policy is often complex. Who has never forgotten a password? Back from holidays or on a website less used, our memory sometimes fails. Several studies have found simple solutions to protect our accounts and information.
Ineffective password policy
Some people pretend we have become lazy. Not so long ago, we new all our family and friends phone numbers. Now, we use a computer to think on our behalf.
I tell them that today, I have to remember the username and password for more than fifty accounts. From my electricity provider, to all the e-commerce and social media sites, including taxes and my children’s school, without forgetting my employer, everyone requires a username and password.
Of course, they all have different constraints: minimum (or maximum) number of characters, types of characters allowed or forbidden. In the end, everyone uses the same passwords. We have the same substitution and incrementation techniques when the password policy imposes it. @ for a, ! or 2021 added at the end.
Hence, the most common passwords are 123456 and 123456789. By constraining users, the policies produce the opposite effect.
How to create different passwords on each site
It is easier to use the same password everywhere, with a slight change if it doesn’t fit in the password policy. Unfortunately, if one of the sites is hacked, your digital identity (username and password) will be compromised, and it will be tested on a large number of other sites, automatically, to access your data, or request information. money to your friends.
The easiest technique is to use the name or part of the name of the site in your “standard” password.
Hence the passwords 12345Facebook 12345Amazon are a little above the simple 123456789, although they are still not the most secure.
The safest passwords
Until quantum computers are with us, the computing power of computers will remain limited. The longest passwords are the most secure, even if they are not complex.
In theory, the more varied the type of characters, the longer the decryption time. But all too often, the same symbols are used, or worse, the same password on different platforms.
Multi-factor authentication is the best solution, but it is often not an option because of its cost.
In this case, a password of 15 characters, even if it is only lowercase, is as secure as a password including 12-character symbols. And it will be much easier to remember « wearethestrongest » than « Weare$tr0ng ».
To learn more about passwords and our ability to remember them, I invite you to watch this TED Talk.
What is the best password policy?
The best policy is one that makes life easier for users. By reducing password forgetting, it avoids time wasted in reset and annoyance of users.
This policy is as follows:
- No complexity rule
- 14 characters minimum
- Use blacklists
- No expiration
Comme nous l’avons vu précédemment, la complexité bride la créativité des utilisateurs, normalise les mots de passe et les rend plus faciles à deviner. À partir de 14 caractères, le stockage du mot de passe (hash) ne requiert pas l’ajout de caractères nuls, il est donc beaucoup plus sécuritaire. Toutefois, pour éviter les mots de passe trop simples, il sera bon de bannir 12345, azerty et quelques autres.
Finally, the NIST SP 800-63B Digital Identity Guidelines recommends changing passwords only if there is evidence of compromise. That is, passwords should only be changed if they have been stolen. And believe me, not having to change your password every 3 or 6 months is a real relief for users.
Choose a simple and secure password
You know have to think passphrase. Much easier to remember and change according to the site you use, the passphrase can also be therapeutic. In the office, you have to type your password at least 3 or 4 times per day. Use it to motivate yourself: “Iamgoingforaruntonight” or to celebrate your efforts: “Iambetteratrunning”.
You can use a sentence or combine inspiring words: “Lifeisbeautifultoday” “eatsinglaughdanse”. Finaly, to diversify password it’s easy with “IfindeverythingonAmazon” or “IfindeverythingonFacebook”.
Given the number of sites that have had their databases hacked, it is highly likely that one of your passwords is known. Then it’s time to change and move on to pass phrases! You can also share this article with your IT department to encourage them to think about and update their password policy. By making your life easier, it is your efficiency and job satisfaction that increases!