Eight Password Myths You Should Know
Some Popular Myths Related to Passwords
(This is a guest post by Jack Warner.
In this digital era, passwords are impossible to live without. We need passwords for literally everything; our mobile gadgets, laptops, PCs, Social Media handles, to borrow books from the library, and many other instances.
It is very easy to be misled on issues touching on passwords. Most institutions such as government and banking institutions randomly restrict passwords for several reasons:
- User education- There is need to educate users on the need for security by insisting that you use complicated passwords, for example, those that have a length of particular minimum length or one with special aspects.
- Poor security measures- Most sites save passwords in plain text, which means they have to put a restriction on the password lengths or character types.
- False security threats- A common way to get data from an SQL database is via an SQL injection. A hacker parses commands executable as programs, rather than entering them as passwords. Most sites, to protect from these types of attacks, ensure they eliminate characters that hackers might use in an SQL injection via passwords.
- In the past twenty years, passwords and systems used for securing them have changed exponentially. Not all systems, however, have moved with the program.
Generally, as a rule, be very cautious of a site that has more restrictions on passwords besides the minimum length. Many password misconceptions and myths surround passwords. The major ones are:
Passwords have no maximum length
A password can be as long as you need it to be, but it does not have to be 30 characters long. Your password becomes stronger when it has more characters, but 17 characters or slightly higher is more than enough. If you deal with encryption of very sensitive data such as a Bitcoin wallet or your private files, 23 or more characters is safer.
A service normally hashes your password and stores the hash only. A password is converted to a series of cryptographic hashes, which are arbitrary-looking strings of characters that the passwords have been mathematically changed into. This hashing prevents passwords from illegal access.
Passwords are 100% secure
In comparison to other options such as biometric or government ID or phone numbers, passwords are not secure. They are, however, the most used type of authentication, especially if they have the two-factor authentication process. However, not all two-factor authentication processes are similar. A secure password has:
- Strength, which means a hacker cannot guess or use the dictionary attack, or even use brute force on it
- It is the only one of its kind, meaning it has never appeared anywhere again
- Its transmission is over a secure medium such as correct HTTPS connections by someone who is fully aware of what phishing is. Phishing means engineering techniques used to steal passwords.
Passwords can contain any character
Your password might contain any character, but normally, it is not a guarantee that all sites will accept them. You can use a password generator to generate arbitrary and unique passwords. You can also use the generator to know how long or arbitrary your password might be or if new characters will make the password more secure.
You have to remember all passwords
You do not have to remember your passwords; you can use an available app. A password manager is a proof of how a security tool makes your life more secure and convenient. It generates and stores passwords that are secure, and you do not have to struggle to remember them all. Some go the extra mile and refill the passwords automatically when you visit websites, which makes you secure from phishing.
You only need to remember your PC, laptop, or mobile gadget’s password, and your password manager’s password. When using a password manager, you should avoid password mistakes and use long phrases as the main password. A password generator generates a special arbitrary password for each of your accounts and relies on the default settings for complexity and length - mostly 20 characters with some numbers and a few special characters.
Passwords are becoming obsolete
There are many thoughts from different quarters on how to replace the password with a different technique, but no one has yet discovered how. Biometrics, such as fingerprints or facial recognition have security lapses. They are very useful for recognition, but not for authentication. Another technique, asymmetric cryptographic keys might be on their way to a new identification system but are very susceptible to phishing.
Regular password change is secure
Some organizations require you to keep changing your password, or even dictate how long a password you should use. They also have a rule on how many characters your new password should have to differentiate it from the previous password. This is due to a misconception that passwords might leak as time goes by.
These rules do not address the root of the problem but just deal with the symptoms. Most users, when asked to change their password, do the least possible changes to the old password, which gives a hacker a better chance at guessing the password. Eliminating the possibility of sharing accounts and educating all the users about leaks is a more effective way of addressing the problem.
Biometrics is foolproof
Biometrics is a convenient way to log in anywhere- just put your finger and voila! You are in. Using biometrics as a single-factor authentication makes stealing keys a likely possibility. After a while, your fingerprint or retina scan is stored as a series of 1s and 0s. If copies of these fingerprints end up in a hacker’s hands, you are in a lot of trouble.
There are many misconceptions about passwords, but it is clear that passwords are here to stay, and the only way to get around many problems that surround passwords is user education. Hackers do not sleep and are always devising ways to hack into user accounts. Weak passwords are a breeze for a hacker and they can easily guess an 8-character password, or use brute force to gain entry. Strong passwords, which are also longer, are however harder to hack into.
Get the password manager that manages your passwords and you do not have to remember them all. It definitely makes your life easier and you do not have to use the same password for all your accounts for fear of forgetting.
Most password managers also come with a password generator. Most would make instant strong, random, and unique password suggestions when a new password is required. When such random passwords are used, it’s essential to then always stick to the same password manager across different devices. Otherwise, it would be impossible to keep track of all of them since strong passwords are nonsensical and usually rather complex.
If you want to up your security game beyond passwords, the next step up would be a physical security key. The purpose of the security key is to eliminate the already small risk of a 2-factor authentication by text or app failing. Most would think that these are already pretty sound measures, but the truth is, compromising the authenticator app’s access and intercepting text messages are not impossible stunts. If the hacker were to go an extra mile to overcome these minor security gaps, a physical key would then be the only solution.
With a USB security key 2-factor authentication set up, the only way you can access your accounts would be by inserting the key into your device. These keys are made to be compatible with a range of different devices so they are extremely easy to use - just plug and go. A physical key makes sure that the account only recognizes you, the owner of the key and not anyone else with the right authentication code, which effectively minimizes the risk of impersonation.
Under most circumstances though, good password hygiene would suffice. Make sure you take the time to set up these parameters from now on to keep your important accounts locked down.
About the Author:
Jack is an accomplished cybersecurity expert with years of experience under his belt at TechWarn, a trusted digital agency to world-class cybersecurity companies. A passionate digital safety advocate himself, Jack frequently contributes to tech blogs and digital media sharing expert insights on topics such as whistleblowing and cybersecurity tools.