Password Best Practices

Best Practices for Password Security

A password is the lock on your vault door. If the lock is weak or the password is breached, you can lose valuables, personal information and sensitive data.

The password used for one service must not be reused for any other service. That creates a different problem: remembering many passwords. Most people struggle with it, and by the time the current set is memorised it is time to change them again.

The following best practices make your passwords much harder to guess or crack and help you stay ahead of attackers:

  1. Creation of a strong Password
    The first rule is to refrain from using personal information, such as your name, phone number, family names or the name of a pet, as a password. Anyone with access to your social media or public records can guess these. Second, make passwords long and complex. Complexity means a mix of uppercase and lowercase characters, digits and special characters, which enlarges the set of strings an attacker must try. Length matters even more than the mix: every extra character multiplies the number of guesses required, so a long password of random characters beats a short one with every character class.

    Here is a worked comparison:

    Assume an alphabet of 72 characters (26 lowercase, 26 uppercase, 10 digits and 10 symbols). The number of possible 12-character passwords from that alphabet is 72^12, more than 60 trillion times the 26^6 possible six-character passwords built from lowercase letters only. The comparison only holds for passwords chosen uniformly at random; a 12-character password assembled from dictionary words or a keyboard pattern is far easier to guess than the figure suggests.

    Third, since a single random word is hard to remember and short, use a "passphrase": a sentence or sequence of words rather than one word. For example, I have a poster of Buddha on my work desk which reminds me to stay happy and grateful, so I can use the phrase "Stayhappyandgrateful". I can then add uppercase, lowercase and special characters:
    "$t@yHappy&Grateful". Notice the substitutions in the first word. Be aware that common substitutions (a to @, s to $, o to 0) are built into every password-cracking ruleset, so they add little; adding one or two more unrelated words to the phrase gains far more than mangling the words you already have.
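The comparison above in code. This is an added example, not part of the original article: it computes the brute-force search space and entropy for random character passwords and random word passphrases, and generates both with Python's `secrets` module. The 72-character alphabet (10 symbols) is the assumption under which the article's trillion-fold figure works out; the word list is a constructed stand-in for a real passphrase list, whose size (7776 words, as in Diceware) is only used in the arithmetic; the guess rate is an illustrative assumption.

```python
import math
import secrets
import string

# Added example (not from the original article). Compares brute-force search
# spaces for random passwords and random-word passphrases, then generates both
# with the secrets module, which is a CSPRNG (the random module is not).

# Alphabet sizes. The article's "more than 60 trillion" comparison works out
# when the "special characters" set has 10 symbols, so that is assumed here.
LOWERCASE = 26
MIXED_72 = 26 + 26 + 10 + 10                 # upper + lower + digits + 10 symbols
PRINTABLE_94 = len(string.ascii_letters + string.digits + string.punctuation)

# Constructed stand-in for a real passphrase word list (Diceware lists have 7776 words).
DEMO_WORDS = ["copper", "lantern", "orbit", "velvet", "glacier", "mango",
              "trumpet", "harbor", "pixel", "saddle", "willow", "ember"]
DICEWARE_SIZE = 7776


def search_space(alphabet_size: int, length: int) -> int:
    """Distinct strings an attacker must try to be certain of a hit."""
    return alphabet_size ** length


def entropy_bits(choices: int, count: int) -> float:
    """Entropy of `count` independent, uniformly random picks from `choices` options."""
    return count * math.log2(choices)


def article_ratio() -> int:
    """72^12 / 26^6: the comparison made in the text above."""
    return search_space(MIXED_72, 12) // search_space(LOWERCASE, 6)


def seconds_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every candidate. 1e10/s is an assumed offline
    cracking rate against a fast, unsalted hash; a slow KDF lowers it by orders
    of magnitude, and an online login form allows only a handful per second."""
    return (2 ** bits) / guesses_per_second


def random_password(length: int, alphabet: str = string.ascii_letters
                    + string.digits + string.punctuation) -> str:
    """Uniformly random characters: entropy = length * log2(len(alphabet))."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words: int, words=DEMO_WORDS, sep: str = "-") -> str:
    """Uniformly random words: entropy = n_words * log2(len(words)),
    regardless of how long the individual words are."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def comparison_table() -> list:
    """(description, entropy in bits) for a few common choices."""
    return [
        ("6 lowercase letters",               entropy_bits(LOWERCASE, 6)),
        ("8 chars, letters+digits",           entropy_bits(62, 8)),
        ("12 chars, 72-symbol alphabet",      entropy_bits(MIXED_72, 12)),
        ("12 chars, all 94 printable ASCII",  entropy_bits(PRINTABLE_94, 12)),
        ("4 random Diceware words",           entropy_bits(DICEWARE_SIZE, 4)),
        ("6 random Diceware words",           entropy_bits(DICEWARE_SIZE, 6)),
    ]


if __name__ == "__main__":
    print(f"72^12 / 26^6 = {article_ratio():,}")
    for label, bits in comparison_table():
        print(f"{label:36s} {bits:5.1f} bits  "
              f"{seconds_to_exhaust(bits) / 31_557_600:.3g} years at 1e10 guesses/s")
    print("random password  :", random_password(14))
    print("random passphrase:", random_passphrase(6))
```

Six random words from a 7776-word list give about the same entropy as 12 random printable characters and are considerably easier to remember; the point is that the words must be chosen by a random process, not by you.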

  2. Change passwords if you notice any suspicious activity or you are notified of a breach
    If you notice suspicious activity on an account (for example, a login alert or a failed-login notification for an attempt that was not yours), or if the service provider notifies you of a breach, change the password for that account immediately. If you had used that password anywhere else, change it there as well, because attackers try leaked passwords against other services.

  3. Don’t reuse old passwords
    It is tempting to rotate back to an old, familiar password because it is easy to recall. However, this invites trouble: an old password may already sit in a leaked credential list, and anyone who watched you type it or guessed it over time can use it again.

  4. Don’t use same password for multiple accounts
    If an attacker obtains a password, they will waste no time trying it on other services, a technique known as credential stuffing. Hence, every account should have a unique password.

  5. Set up 2FA
    2FA, or two-factor authentication, adds a second, independent check to the login. The factors are drawn from three categories:
    • Something you know: a password, PIN or pattern (the knowledge factor).
    • Something you have: an authenticator app or one-time code on your phone, or a hardware security key (the possession factor).
    • Something you are: a biometric such as a fingerprint or face scan (the inherence factor).

      Combining two different categories means a stolen password alone is not enough to log in. Not all second factors are equal: codes sent by SMS can be intercepted through SIM swapping, and one-time codes can be phished, so where a service offers a hardware security key or a passkey, prefer it.
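How the one-time codes from an authenticator app are produced and checked, as an added example rather than code from the original article. It implements HOTP (RFC 4226) and TOTP (RFC 6238) with HMAC-SHA1, which is what most authenticator apps use, plus the two checks a verifier needs: a small clock-drift window and rejection of a code that has already been accepted. The shared secret "12345678901234567890" is the RFC test vector, not a real secret; the `TotpVerifier` class name and its parameters are this example's own.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Added example (not from the original article): HOTP/TOTP as used by
# authenticator apps, with clock-drift tolerance and replay rejection.

# RFC 6238 test secret (ASCII "12345678901234567890"); never use a fixed secret.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at: float = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


def new_secret_b32() -> str:
    """Enrollment: a fresh 160-bit random secret, base32-encoded for a QR code."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def decode_secret_b32(text: str) -> bytes:
    """Accepts the spaced/lowercase form users type in; restores base32 padding."""
    clean = text.strip().replace(" ", "").upper()
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


class TotpVerifier:
    """Server side. Accepts codes within +/- `window` time steps to tolerate
    clock drift, and never accepts the same (or an older) counter twice."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = -1          # highest counter already consumed

    def verify(self, code: str, at: float = None) -> bool:
        at = time.time() if at is None else at
        current = int(at // self.step)
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate <= self.last_counter:
                continue                # replay, or older than a code already used
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time compare
                self.last_counter = candidate
                return True
        return False


def rfc6238_self_check() -> bool:
    """Known-answer vectors from RFC 6238 Appendix B (SHA-1, 8 digits)."""
    vectors = {59: "94287082", 1111111109: "07081804", 1111111111: "14050471",
               1234567890: "89005924", 2000000000: "69279037", 20000000000: "65353130"}
    return all(totp(RFC_SECRET, at=t, digits=8) == v for t, v in vectors.items())


if __name__ == "__main__":
    secret_b32 = new_secret_b32()
    secret = decode_secret_b32(secret_b32)
    print("enrol this secret in the app:", secret_b32)
    print("current code:", totp(secret))
    print("RFC 6238 vectors pass:", rfc6238_self_check())
```

The replay check is the part most home-grown verifiers forget: within the acceptance window a phished or shoulder-surfed code remains valid for up to 90 seconds unless the verifier records the counter it has already consumed.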

  6. Don’t share your passwords with friends or colleagues, whether junior or senior
    Never share your passwords with anyone, friend or colleague. According to Forrester research, an estimated 80% of security breaches involve theft of privileged credentials. Once someone else knows your password you have no control over how your account is used, and anything done with it is attributed to you.

  7. Store your passwords safely
    Do not write passwords in easily accessible places such as a shared notebook or, worse, a sticky note on the desk or monitor. If you struggle to remember passwords, use a password manager: it generates a unique random password per account and stores them in a vault encrypted with a key derived from your master password, so the data it syncs between devices is ciphertext. The master password then becomes the one password you must make long and unique, and you should enable multi-factor authentication on the manager itself.