Password Security: Top 5 Best Practices
Nearly every day you hear about another password breach, with big names such as Gmail and Microsoft involved. It is more important than ever to move away from simplistic passwords and to implement a modern, secure password policy in your business.

At Invisible Dragon we encourage everyone to use secure passwords and, more importantly, to use and store those passwords securely.
Tip 1: Password Storage
Do not store your passwords on a notepad! That should be the first tip to follow. Next, invest in a good password management platform rather than relying solely on the “Save Password” feature in your browser.
One popular option is 1Password, which has been an industry leader in password security for many years. Another option is Zoho Vault, which has a free plan and is integrated into the highly affordable Zoho Workplace suite (email, file storage and password management), which in turn ties into the rest of the Zoho applications as your business grows.
Both options allow secure sharing of passwords between team members, and both let you remember a single strong master password while all of your other passwords are securely generated and stored for you.
Tip 2: Opt for a passphrase over a password
Advice from the National Security Centre recommends a passphrase approach over a password. Instead of a short password with numbers and special characters (where possible; a lot of websites still follow older guidance!) such as P1ssw0r!d, pick a phrase or sentence you can remember, like LucyPicksApplesInTheGarden. This is a much more secure phrase, and it is even better if it mentions something nonsensical or even false, to prevent a targeted attack by someone guessing what phrases you may have used.
This is due to the way passwords are typically cracked: the attacker tries every single combination of characters in turn. A simpler way to imagine this is a padlock with digits 0 to 9; now imagine every combination for each additional digit you add to the padlock. Very quickly you expand into the billions and trillions of combinations an attacker needs to check, even if they go by dictionary words (the English dictionary contains thousands of words), and you could even misspell a word (on purpose or not) to make it even trickier for an attacker to guess.
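The padlock reasoning above can be put into numbers. The following is an added example, not code from the original post: it estimates the search space an exhaustive attacker faces for the two passwords quoted in the text, once treating the passphrase as a string of letters and once treating it as a sequence of dictionary words (the honest figure if the attacker knows you build passphrases from common words). The character-class sizes, the 7776-word dictionary size (the size of the Diceware list) and the 10 billion guesses per second rate are assumptions chosen for illustration.

```javascript
// Added example: keyspace arithmetic behind "passphrase over password".
// Class sizes, dictionary size and guess rate are assumptions for illustration.
const CLASS_SIZES = { lower: 26, upper: 26, digit: 10, symbol: 33 };

// Alphabet size a brute-force attacker must cover, inferred from which
// character classes actually appear in the password.
function inferAlphabetSize(password) {
  let size = 0;
  if (/[a-z]/.test(password)) size += CLASS_SIZES.lower;
  if (/[A-Z]/.test(password)) size += CLASS_SIZES.upper;
  if (/[0-9]/.test(password)) size += CLASS_SIZES.digit;
  if (/[^a-zA-Z0-9]/.test(password)) size += CLASS_SIZES.symbol;
  return size;
}

// Number of candidates an exhaustive search must cover: alphabet^length.
// BigInt keeps the count exact beyond 2^53 (the padlock: 10^digits).
function searchSpace(alphabetSize, length) {
  return BigInt(alphabetSize) ** BigInt(length);
}

// The same quantity expressed in bits, the usual way strength is compared.
function entropyBits(alphabetSize, length) {
  return length * Math.log2(alphabetSize);
}

// Worst-case seconds to try every candidate at a given guess rate.
function secondsToExhaust(space, guessesPerSecond) {
  return Number(space) / guessesPerSecond;
}

// Compare the two passwords from the text. The phrase is six dictionary words,
// so an attacker guessing whole words has a much smaller space than one
// guessing letters, which is why a nonsensical phrase is recommended.
function compare(guessesPerSecond = 1e10) {
  const short = 'P1ssw0r!d';
  const phrase = 'LucyPicksApplesInTheGarden';
  const DICT_SIZE = 7776; // assumption: size of the Diceware word list
  const WORDS = 6;
  const SECONDS_PER_YEAR = 31557600;
  return {
    short: entropyBits(inferAlphabetSize(short), short.length),
    phraseAsCharacters: entropyBits(inferAlphabetSize(phrase), phrase.length),
    phraseAsWords: entropyBits(DICT_SIZE, WORDS),
    shortYears: secondsToExhaust(searchSpace(inferAlphabetSize(short), short.length), guessesPerSecond) / SECONDS_PER_YEAR,
    phraseAsWordsYears: secondsToExhaust(searchSpace(DICT_SIZE, WORDS), guessesPerSecond) / SECONDS_PER_YEAR,
  };
}

console.log(compare());
```

At the assumed rate the nine-character password falls in about two years of worst-case guessing, while the six-word phrase, even when the attacker guesses whole words, takes hundreds of thousands of years. The figure that matters is always the one for the smartest guessing strategy the attacker can use, not the count of raw characters.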

Tip 3: Different Passwords
Using a different password for each individual service is recommended. However, simply following a pattern that includes the name of the service can lead to an easy compromise if you sign up to a lot of websites.
Sadly not every website takes password security seriously. Good websites (including every website we’ve ever built!) store your password as a secure “one way” hash: mathematically, it is impossible to turn the stored form back into your password. Whenever you type in the correct password, however, we can run the maths again and get the same result, letting you back into your account. (Yes, this is a simplification of bcrypt and similar algorithms, for those hot on their cryptography.)
This means just one website needs to store your securepassword_thelocalappleshop.com password in an easily readable format and then be hacked, and your email address and this password appear in a breach. From that point, a targeted attacker would likely try securepassword_gmail.com to access your emails next, and then the next service, and the next.
If you set up a tool such as 1Password or Zoho Vault, these tools have password generators built in which can give every website a password that not only meets its password policy but is also unique to that website. If the site is compromised, the breach is then isolated to that one account.
Tip 4: Two Factor Authentication
Where a website offers it, using two-factor authentication is always better. This way, even if someone gets through the password, they do not have access to your two-factor device, which generates a code based on the current time.
While they can be a nuisance to set up, they do provide a valuable extra defence against unauthorised access. However, try to avoid “text based” or “SMS based” two-factor, as tech-savvy attackers can ask for your phone number to be moved to their phone and then intercept the access code.
If you need to, the tools mentioned above also take care of this.
Tip 5: Moving beyond passwords – Passkeys
One of the more modern inventions is the passkey, and passkeys are becoming more and more popular. All modern browsers support storing them, and the tools mentioned above can also store them. Passkeys remove the requirement for a password of a specific strength entirely and replace it with a more secure cryptographic mechanism.
Passkeys also benefit from never leaving your device. Even if someone compromised your internet connection, they would not get hold of the actual passkey when you log into a website. Instead, the website provides a “challenge”, which is completed on your device and sent back, and the result of that exchange gives the website confidence that you are who you say you are.
This is simplified, but it effectively means your key to the castle is never sent to the castle. Instead, you sign a document which the castle can check to confirm you hold your key, and it lets you in.
The biggest problem with passkeys is that by default they don’t move with you. If you use Zoho Vault or 1Password, they can be stored within your secure encrypted vault and synced across your devices. While you do need to trust one of these providers, it still significantly reduces your attack surface.
Conclusion
In conclusion, it is important to have a policy and process in place for your password security before it is too late; otherwise you risk losing data. While the best password management tools can carry a small monthly cost, whether for a single-person business or a multi-national company with thousands of employees, it is worth it for the peace of mind.
And here at Invisible Dragon we’re here to help small businesses understand good password security and put good policies in place to help them scale.