Information Security: Passwords

Password Best Practices

Password recommendations have changed greatly over the years. Below are the current best-practice recommendations for creating and storing passwords:

Length over Complexity

Older password requirements had users build passwords from a mix of upper and lower case letters, numbers and special characters. Current guidance (for example NIST SP 800-63B) favors length over complexity: a longer password (12 characters or more) resists guessing better than a short one drawn from many character classes, because every added character multiplies the number of candidates an attacker must try, while composition rules push people toward predictable patterns such as a capitalized first letter and a trailing "1!". The easiest way to reach that length is a passphrase: a short sentence that is easy to remember, written without spaces (e.g. Thehorsesruninthemeadows). Avoid well-known quotations, song lyrics and other phrases that appear in word lists, since password-cracking tools try those first, and services should reject any password that appears on a list of previously breached passwords.
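As an added example (not code from the original page), the following Python implements a length-first password policy in the style described above: a minimum length, no character-class rules, a denylist of common or breached passwords, and a rough guess-resistance estimate that shows why a 24-character passphrase beats a short "complex" password. The denylist is a small constructed sample, not a real breach corpus.

```python
"""Length-over-complexity password check (added example, NIST SP 800-63B style).

Hard rules: minimum length and a breached/common-password denylist.
No composition rules. estimate_bits() only illustrates the size argument;
it is an upper bound that ignores dictionary structure, which is exactly
why the denylist check matters for phrases.
"""
from __future__ import annotations

import math
import string

MIN_LENGTH = 12

# Constructed sample of a breached/common-password list (lower-cased, no spaces).
# In production compare against a real corpus such as the Have I Been Pwned list.
COMMON_PASSWORDS = {
    "password", "password1", "123456789012", "qwertyuiopas",
    "letmein", "iloveyou", "thequickbrownfox", "maytheforcebewithyou",
}


def normalize(pw: str) -> str:
    """Fold case and drop whitespace so trivial variants of a listed password still match."""
    return "".join(pw.split()).lower()


def estimate_bits(pw: str) -> float:
    """Rough guess-resistance in bits: length * log2(alphabet size), where the
    alphabet is the union of the character classes actually used."""
    classes = (
        (set(string.ascii_lowercase), 26),
        (set(string.ascii_uppercase), 26),
        (set(string.digits), 10),
        (set(string.punctuation), 32),
    )
    size = 0
    covered: set[str] = set()
    for chars, n in classes:
        if any(c in chars for c in pw):
            size += n
            covered |= chars
    if any(c not in covered for c in pw):
        size += 32  # crude: spaces / non-ASCII count as one more symbol class
    return len(pw) * math.log2(size) if size else 0.0


def check_password(pw: str) -> tuple[bool, str]:
    """Return (accepted, reason). Length and the denylist are the only hard rules."""
    if len(pw) < MIN_LENGTH:
        return False, f"too short: {len(pw)} < {MIN_LENGTH} characters"
    if normalize(pw) in COMMON_PASSWORDS:
        return False, "appears on the common/breached password list"
    if len(set(pw)) == 1:
        return False, "a single repeated character"
    return True, f"ok (~{estimate_bits(pw):.0f} bits)"


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "Thehorsesruninthemeadows",
                      "May the Force be with you", "aaaaaaaaaaaa"):
        print(repr(candidate), "->", check_password(candidate))
```

Note that the 24-character lowercase passphrase scores roughly 137 bits by this crude measure against about 72 bits for the 11-character "complex" password, which is the length-over-complexity argument in numbers; the denylist then catches the memorable-but-famous phrase that the size estimate alone would have waved through.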

Two-factor Authentication

Applications such as Google Authenticator or Authy add a second layer of protection to accounts that support it. Especially sensitive accounts, such as banking and email, should use two-factor authentication so that a stolen or leaked password alone is not enough to log in. After the usual password, the service asks for a one-time passcode generated by the app; supplying it proves that the user holds the enrolled device. The app computes a fresh six-digit code from a shared secret and the current time (the TOTP scheme of RFC 6238), and by default the code changes every 30 seconds, not every 10-15 seconds as is sometimes stated. The code can only be produced on the device that was registered when two-factor authentication was set up, so save the recovery codes the service offers in case that device is lost. Note that a time-based code does not stop a real-time phishing page that relays whatever the user types; it protects against password leaks and reuse, not against every attack. Two-factor authentication should be enabled on every account that offers it.

Password Managers

Password managers are programs that keep track of the passwords for your online accounts. Their main feature is generating a completely random, unique password for each site, which you never need to remember; when you sign in, the password manager fills it in for you. Access to this "password vault" is protected by a single master password, which should itself be a long passphrase and, where offered, backed by two-factor authentication, since it unlocks everything else. It may seem counterintuitive to have a program that knows all of your passwords, but the practical alternatives, reusing one password across sites or writing them down, are far worse.
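As an added example (not code from any password manager mentioned on this page), the following Python shows how a manager's generator should produce random per-site passwords, using the operating system's cryptographic random source through the `secrets` module rather than the predictable `random` module, plus a Diceware-style passphrase generator suitable for the master password that must be memorised. The word list is a tiny constructed sample; a real list such as the EFF long word list has 7776 entries.

```python
"""Random password and passphrase generation with a CSPRNG (added example)."""
from __future__ import annotations

import math
import secrets
import string

SYMBOLS = "!#$%&*+-=?@^_"          # a conservative symbol set most sites accept
FULL_ALPHABET = string.ascii_letters + string.digits + SYMBOLS   # 75 characters

# Constructed sample word list. Each word contributes log2(len(list)) bits,
# so a real list needs thousands of entries to reach ~13 bits per word.
SAMPLE_WORDS = ["horse", "meadow", "copper", "lantern", "river", "velvet",
                "signal", "orbit", "pencil", "harbor", "cactus", "quilt",
                "maple", "glacier", "anchor", "tundra"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in `length` independent uniform picks from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Smallest length that reaches `target_bits` for the given alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(length: int = 20, alphabet: str = FULL_ALPHABET) -> str:
    """Uniform random password; secrets.choice draws from the OS CSPRNG."""
    if length < 12:
        raise ValueError("length must be at least 12")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 5, wordlist: list[str] = SAMPLE_WORDS,
                        separator: str = "-") -> str:
    """Diceware-style passphrase for a master password: random words, random order."""
    if words < 4:
        raise ValueError("use at least four words")
    return separator.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    print("site password:", generate_password())
    print("master passphrase:", generate_passphrase())
    print("chars needed for 128 bits from the full alphabet:",
          length_for_bits(128, len(FULL_ALPHABET)))
    print("EFF-list words needed for 128 bits:", length_for_bits(128, 7776))
```

Two design points matter here: the generator draws from `secrets` (the OS CSPRNG), because a password built from `random` can be reproduced by anyone who learns the generator state, and the length is chosen from a target entropy rather than a fixed number, which is why a site password from a 75-symbol alphabet needs about 21 characters for 128 bits while a passphrase from a 7776-word list needs ten words.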

There are a number of password manager programs available, many of which offer a good set of features in their free versions. One example is LastPass; you can download the free version and test it out for yourself. Other options are Dashlane and Sticky Password.