Passwords & Complexity - III

Chris Cassell, Technical Team



…What should we do to make things safer?

Well, I'm going to give a list of decent, scientifically supportable methods for better security. It's up to all of us to campaign for people to start using these much more sensible, much stronger techniques to make our lives easier and the bad guys' lives much harder.

  • Reduce the fake complexity of passwords but insist on a decent minimum length. You don't need a massive number of random characters, but you shouldn't use a single word or something easily associated with you. Instead use a string of different words; a phrase of at least four parts is a very good guideline for strong security. Capitalising some of the words and adding a special character or two where they make sense in the phrase is extra secure but not necessary.
  • Don't force password replacement automatically all the time. It does nothing for security and just leads to password burnout. People start using simpler and simpler passwords to cope with the constant need to make up new ones, or they just add or change a single character in their old ones. This doesn't add much entropy and so doesn't help. Instead put in place security measures that inform users about their account's login activity so they can spot problems and report them; this leads to actual detection and a much faster fix time.
  • Use technology that stops attacks on passwords. Passwords should never, ever be stored in plaintext. Any system where someone else can actually tell you your password is a very bad system. Passwords should be held as hashes or encrypted using strong algorithms. Put in place password attempt thresholds or timeouts to stop automated attacks from brute-forcing passwords.
  • Implement two-factor techniques everywhere possible to avoid relying on passwords alone for security. By implementing strong two-factor authentication you ensure that even if a password is breached it is useless without the additional physical item that the second factor is based on, so attackers have to do a lot more work.
  • Audit logon successes and failures, and have an automated system that warns of unusual activity in both regards and flags it for investigation. This will allow accounts to be locked or adjusted prior to an actual breach, or minimise the damage when accounts are found to have been used out of hours.
  • Never use default passwords for anything; always change the password on every device and account from the one it comes with.
  • Consider implementing password management software that allows the automatic generation and storage of account passwords. This means users only have to remember the master password for their password manager, and it ensures a certain level of complexity and entropy from the machine-generated passwords.
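One way to apply the hashing and attempt-threshold advice above, as an added example that is not from the original post: each password is stored as a salted scrypt hash using Python's standard library, and an account is locked after a configurable number of failed attempts. The in-memory store, the scrypt cost parameters and the threshold values are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumed parameters: scrypt cost (about 16 MiB of memory at these settings),
# the number of failures tolerated, and how long a lockout lasts.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60

_users = {}      # constructed in-memory store: username -> (salt, hash)
_failures = {}   # username -> (failure count, time of last failure)


def _hash(password: str, salt: bytes) -> bytes:
    """Derive a 32-byte scrypt hash; the salt makes identical passwords differ."""
    return hashlib.scrypt(password.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def register(username: str, password: str) -> None:
    salt = os.urandom(16)            # fresh random salt per account
    _users[username] = (salt, _hash(password, salt))


def is_locked(username: str, now: Optional[float] = None) -> bool:
    now = time.time() if now is None else now
    count, last = _failures.get(username, (0, 0.0))
    return count >= MAX_FAILURES and now - last < LOCKOUT_SECONDS


def login(username: str, password: str, now: Optional[float] = None) -> str:
    """Return 'ok', 'locked' or 'denied' without revealing whether the user exists."""
    now = time.time() if now is None else now
    if is_locked(username, now):
        return "locked"
    salt, stored = _users.get(username, (b"\x00" * 16, b"\x00" * 32))
    candidate = _hash(password, salt)   # always hash, so unknown users cost the same
    if username in _users and hmac.compare_digest(candidate, stored):
        _failures.pop(username, None)   # a good login clears the failure count
        return "ok"
    count, last = _failures.get(username, (0, 0.0))
    if now - last >= LOCKOUT_SECONDS:
        count = 0                       # failures from an expired window no longer count
    _failures[username] = (count + 1, now)
    return "denied"
```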