What Makes a Good Password?

October 2020 | Michael Wetherald

In our article “Poor Passwords Are Like No Passwords” we discuss common techniques criminals use to exploit poor passwords. With these techniques in mind, we can put together some guidelines for passwords which reduce the likelihood of criminals succeeding.

Password Guidelines:

1. No Default Passwords

Even if you think it's random and secure don’t trust it. One of the first things criminals will do is look up default credentials for a device and attempt to log in.

2. Longer Than 12 Characters

Criminals can test passwords one after the other at incredibly high rates. High-end consumer GPUs can be used to test upwards of tens of billions of hashes per second. If the password is short, they can generate and test all possible combinations and test them in a very short period of time.

3. Randomly Generated

Password guessing and password spraying utilize commonly used and easy to generate passwords. Randomly generating passwords will significantly increase the number of attempts the criminal needs to make before finding a match.

4. Expiration Date

Criminals can often gain access to password hashes without being detected. This is where an expiration date is necessary. When a criminal is cracking hashes the only thing stopping them is the time necessary to find a match. Given enough complexity in the password we can extend the likelihood of them finding a match beyond the time password expires. In this case, when they come back to try to use the cracked password, the user has already moved on to a new one.

The Challenge

A common reason organizations resist implementing a password policy with these kinds of requirements is the burden it places on the user. A good password is difficult if not impossible to remember. Fortunately there are a host of technical solutions for you to choose from:

• Cloud-based Password Managers
• Local Password Managers
• Biometric Devices
• USB Devices

Defend Your Organization

Viam is here to help you navigate these different solutions to determine what option is best for your organization. We can also help you formulate a password policy to ensure your organization isn't leaving any doors wide open for criminals to exploit. Contact us today if you are ready to take steps to reduce the cybersecurity risk in your organization.