Skip to content ↓ | Skip to navigation ↓

Passwords may not be the favourite piece of your workday, however, I have a theory – if I could share with you the value of a password and the reality of how simple they can be to create; then passwords may not be the monster you avoid.

When you get the “your password expires in 5 days” notice, instead of feeling anxious or aggravated, let’s simplify what exactly a secure password is, so you can design yours with confidence.

Password Architect

Whilst it’s important to make sure your password isn’t guessable, is it really effective to substitute letters for numbers? Cybercriminals can be anyone, from the antisocial youth living in their parents basement, to your colleague who is kind, has a family, and really gives no reason to suspect otherwise. As humans, we tend to follow similar patterns, and something you may feel is distinctly unique likely isn’t.

When looking at creating a secure password, stop and use a sentence as your password, known as a passphrase.

“A positive memory from your past that won’t change. And remember that you can use SPACE between each word in most systems,” says Per Thorsheim, founder of PasswordsCon. Not only are passphrases easier to remember and often complex, but they’re also going to be longer, which is where the true security lies.

Dean Kelshall, Senior Manager at Baringa, thinks the following:

“The reasons humans fail at passwords is that we need so so many of them. One for hotmail, one for gmail, one for work, one for Facebook… the list continues ad infinitum. So we cheat (easy passwords, repeat passwords, increment the last digit) and we therefore become a weak link. Make passwords more memorable, longer, and change less, and we will all be better off.”

Dean believes that “a factor which is becoming more important in passwords is memorability.” Compare “seti9waiWE9w3£0%” to “Today I went to the (85th) Castle with Elliot” – which would be easier to remember for you?

Still don’t believe us? Take it from the original source: Bill Burr, the man behind the original 2003 password guidance, who admitted he was wrong.

Expires in 30 Days

Many organisations have the password rotation policy of 30 to 90 days, requiring users to change passwords to something not only new, but unique from the previous. How many users have entered their old password with a “1” or “!” in place? Does this policy actually work?

Per told me a story once of a company years ago that had quite an intense password change policy. This company required users to change passwords every 30 days; however, it kept the last 24 passwords. This means that if $userA set a password in January 2017, they wouldn’t be able to reuse the same password until January 2019.

From a management point of view, that may sound brilliant, but Per tells of one user that changed their password 25 times every password change, just so they could reuse their preferred one, forever. If you think that’s slightly excessive, think of all the users who’s only change was to append “!” or numbers onto their original.

Take Back Control

If you think of it, unless multi-factor authentication is implemented, a password is the only thing standing in the way of a malicious actor knowing almost every aspect of your life, by solving one password. With that in mind, the previously annoying password may start to look a lot more valuable. If you have the option to enable multi-factor authentication, then go for it as well!

Remember, cyber security is the process of layering on controls: people, process, and policies.

Often I have been asked if/when I believe passwords will be done away with, my answer is simple; never. The truth behind the password is it’s just another layer to our overall security. Passwords are what we generate in the world where companies are continuously breached and in some situations aren’t legally required to notify you.

So, why not take that tiny bit of the control back and design a secure password?

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.