Codepath

Strong Passwords

Strong passwords are more difficult to guess using Brute Force and Dictionary Attacks.

Strong passwords are not just for users. Admins and developers need strong passwords most of all. Administrative accounts are far more valuable than user accounts. They have elevated privileges and access to more hardware, software, and information resources.

A strong password needs character variety.

Character variety increases the search key space.

Require all passwords to include at least one of all of these characters.

  • Uppercase letters
  • Lowercase letters
  • Numbers
  • Symbols

A strong password should be long.

A longer password exponentially increases the search key space.

Require all passwords to meet minimum length requirements.

  • 8+ characters minimum for users
  • 12+ characters minimum for admins
  • 15+ characters recommended

A strong password avoids common weaknesses.

Avoid dictionary words. Dictionary words make passwords too easy for Dictionary Attacks to guess.

Avoid patterns such as keyboard, letter, or number sequences, for example "qwerty", "abcde", or "1234567890".

Avoid using any personal information which could be known by friends or discovered through research. This includes information related to family, pets, college, hobbies, or sports teams.

A strong password is random.

It is more secure to pick a random sequence of characters. Computers are far better at generating truly random strings than humans. There are many strong password generators online which can create random passwords.

A strong password is unique.

Do not re-use passwords. Having many internal systems which all use the same password allows an attacker who has gained access to one set of credentials to move around freely within a network.

Passwords used for internal systems should never be re-used on other sites or services. The security of their data is not under your control. This is one of the primary ways in which credentials are obtained.
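As an added example (not part of the Codepath guide), the following Python enforces the variety, length, dictionary-word, sequence and personal-information rules listed above, shows why variety and length matter by computing the search key space in bits, and generates passwords with a cryptographic random source as the "random" section recommends. The word list, keyboard rows and sample passwords are constructed for illustration; a real check would load a full dictionary.

```python
import math
import secrets
import string

# Constructed sample wordlist for illustration; a real check loads a full dictionary.
COMMON_WORDS = {"password", "welcome", "dragon", "monkey", "letmein"}
SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm", string.ascii_lowercase, string.digits]
CLASSES = [str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation]

def has_sequence(pw, n=4):
    """True if pw holds n+ consecutive characters from a keyboard row, the
    alphabet or the digits, forwards or backwards (e.g. 'qwer', 'dcba')."""
    low = pw.lower()
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):
            if any(s[i:i + n] in low for i in range(len(s) - n + 1)):
                return True
    return False

def key_space_bits(pw):
    """log2 of the search space an attacker must cover: alphabet_size ** length,
    where the alphabet is the union of the character classes actually present."""
    sizes = [26, 26, 10, len(string.punctuation)]
    alphabet = sum(size for size, cls in zip(sizes, CLASSES) if any(cls(c) for c in pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def check_password(pw, is_admin=False, personal=()):
    """Return the list of policy failures; an empty list means the password passes."""
    failures, low = [], pw.lower()
    minimum = 12 if is_admin else 8
    if len(pw) < minimum:
        failures.append(f"shorter than {minimum} characters")
    if not all(any(cls(c) for c in pw) for cls in CLASSES):
        failures.append("missing an uppercase letter, lowercase letter, number or symbol")
    if any(w in low for w in COMMON_WORDS):
        failures.append("contains a dictionary word")
    if has_sequence(pw):
        failures.append("contains a keyboard, letter or number sequence")
    if any(p.lower() in low for p in personal if len(p) >= 3):
        failures.append("contains personal information (pet, team, family name ...)")
    return failures

def generate_password(length=16):
    """Draw characters from a CSPRNG (secrets) until the result passes the admin policy."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw, is_admin=True):
            return pw
```

Adding one character class to an 8-character lowercase password roughly doubles its key space once, while adding eight more lowercase characters squares it, which is why the length rules above are stricter for admins.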

Password Managers

Long, random, unique passwords are often avoided because they are difficult to remember. Passwords can be stored in a password manager so that they do not need to be remembered.

Requiring Password Updates

Some login systems require that passwords be changed to a new value on a regular basis. This is a valid security measure; however, it does nothing to make a password itself more secure. It only invalidates the old password. If an attacker possesses a password, or if a password was re-used on a compromised site, then rotating that password out of use is a good security measure. However, many security professionals argue that users feel overwhelmed by being asked to remember another password and choose weak passwords as a result.
