
Password Best-Practices: How to Fight Password Fatigue with 7 Simple Tips

September 24, 2020

In 2018, there were over 14 million victims of identity fraud, according to an Identity Fraud Study from Javelin Strategy & Research. Cybersecurity is increasingly important as the world becomes smaller and more connected. Identity theft, data breaches and hacking leave not only individuals vulnerable, but can also have severe effects on businesses and governments. Individuals and organizations build up layers of protection to keep information safe, but is it hack-proof? How can we minimize the risk and strengthen the invisible gateways that safeguard our most precious data?

One of the biggest pieces of the security puzzle is creating strong passwords. There are a lot of terrible passwords in use, as this list of the 50 worst passwords shows. The problem with these and other flimsy passwords is their simplicity and predictability. It is easy to create a bad password, but it takes a little effort to produce a secure one.

Too many employees “still have poor password hygiene that weakens the overall security posture of their company,” according to 2019’s 3rd Annual Global Password Security Report from LastPass by LogMeIn. Your agency simply can’t afford for employees to continue using inadequate passwords.

To help, we have created a list of seven tips to fight password-creation fatigue and lead you and your employees toward better security hygiene.

1. Make it Memorable, Not Just Complex

There is an old mode of thinking that a secure password needs a set number of letters, numbers and special characters. This type of complexity was thought to be the key to a secure password. It can still be true if the sequence is random, but more often than not, a “complex” password created this way is actually predictable.

As this xkcd webcomic on password strength exemplifies, the password "Tr0ub4dor&3", while considered complex, is easy to hack because of its predictable character placement, capitalization and number substitutions. The password “correct horse battery staple” is easier to remember, but exponentially more difficult to hack. What matters here is the random assembly of words: easy to remember but difficult to guess.

2. Keep it Impersonal & Unpredictable

While trying to create a memorable password, people often fall into the second trap and use a word or set of characters that has personal (and often obvious) meaning. Birthdays, phone numbers, and simple strings of numbers like 1234 are perhaps the worst offenders in this category.

Some gems from this list of the worst passwords:


If you or an employee is creating a password, this list is a good place to start: avoid everything on it. These and many other weak passwords have simplicity and predictability in common. In fact, half of this short list is sequential numbers. Repetitive or sequential numbers, simple words (password, qwerty) and phrases (iloveyou) are big no-nos.

In addition to avoiding the simple and predictable, you need to avoid anything personal. This includes birthdays, anniversaries, social security numbers, phone numbers, addresses, family names and pet names. If someone can guess it or research it, it should be out of the running.

A notable example under this rule is the true story of a 20-year-old student who was held responsible by the Royal Bank of Canada for $8,879 in fraudulent charges made to her debit card. She had used the last four digits of her phone number as her PIN. Don’t make the same mistake.

3. Length Matters

Longer passwords fare better. In Estimating Password-Cracking Times, BetterBuys shows the range of cracking times from 7-character to 12-character passwords. The former can be cracked in milliseconds, while the latter would take two centuries to break.

If you follow the previous tips and create a random but memorable string of words, length comes naturally.

4. Don’t Change Unless Necessary

Changing passwords regularly used to be a recommendation, but it isn’t necessary anymore if you have a strong password. Instead, you can check on continued password viability with a site like Have I Been Pwned, which shows which of your accounts appear in known breaches and how they were compromised.

Or, use the site’s interactive password tool, which is backed by a database of leaked passwords. From the site, “Pwned Passwords are 555,278,657 real world passwords previously exposed in data breaches. This exposure makes them unsuitable for ongoing use as they're at much greater risk of being used to take over other accounts. They're searchable online below as well as being downloadable for use in other online systems.”

5. Don’t Repeat

This might be the hardest rule to follow, but one of the best practices for creating and using passwords is to create a unique password for each account you access. If you repeat passwords across your accounts, then once one account is hacked, they are all compromised.

Just say no to password re-use. Because the average person, with the many accounts they hold, will almost inevitably reuse a password, the clearest answer to this and many other password issues is the next tip: get a password manager.

6. Manage Them Well

An assembly of sticky notes on your monitor, or a notebook page in your desk drawer, isn’t the best way to manage your passwords, but these are the most common methods. According to the Pew Research Center, 49% of Americans write passwords down on a piece of paper, 24% store them in a note on a computer or device, and 18% save passwords in a browser. If one of these is your method, you’re not alone.

Especially in the workplace, writing down passwords opens up the possibility of fraudulent access if someone gains entry to your agency. Using a password manager like LastPass, 1Password, Dashlane or Keeper will keep your passwords accessible to you from wherever you need them. Additionally, you can make your passwords as memorable, long, random, impersonal and unpredictable as you want, without having to memorize them all.

7. Enable Two-Factor

Perhaps the most important tip is this: enable two-step or two-factor authentication whenever possible. We cannot stress this point enough: adding an additional step to the login process will significantly reduce the possibility that an account gets hacked, regardless of how strong a password is.

According to Microsoft, which receives 300 million fraudulent sign-in attempts against its cloud services daily, one thing stops 99.9% of those attempts: multi-factor (or two-factor) authentication. Google agrees, saying that adding multi-factor authentication to a Google account “can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks.”

Two-factor and two-step authentication are slightly different, and when faced with the choice, you should go for the former. Both rely on a secondary step before you can gain access to a system. Often, the second factor will be a code that is emailed, sent via SMS, or generated by a third-party authenticator app like Authy or Google Authenticator.

For you and your agency, security should be the most important focus. If you're shopping for third-party software, make sure to follow these pro tips to increase your government’s security hygiene, whether for managing your FOIA software or other cloud-based and software systems. And make sure that your vendor enforces passwords based on the NIST 800-63B guidelines, like we do.