Four Strong Password Strategies
In my last post, I discussed password strategies that we don’t recommend, because they make one’s accounts much less secure.
Today, I’ll be discussing password strategies that we DO recommend, including the ones that are currently in use at Deep Core Data and the one we’re looking into rolling out in the future.
4. Random Sequences
I used to use passwords like |]u_'[3/<WJ+V200AtL)%/bQ9J(4O& for just about everything, because clicking the “generate password” option in my password manager was quick and easy for me, and I was usually impatient about rotating my password or setting up my account and getting on with things.
I discovered the limitations of this strategy when I had to start transmitting passwords to other human beings on a regular basis, for things like granting other people access to accounts or resources.
Now, my handwriting is fairly neat, if I say so myself. However, writing “|]u_'” in a way that makes it totally distinct from “I]u `” or “l)u-‘” is pretty challenging, to say nothing of reading this kind of thing out loud. In addition, it’s possible to create highly random passwords that are pretty easy to memorize using another method, but if your password management tool is lost or broken and you have to try to guess one of these, you are usually totally out of luck.
These passwords are still very secure, but the next two options strike a better balance between confidentiality and availability.
3. Diceware Passwords
This mechanism for generating passwords uses a table of words, frequently the Electronic Frontier Foundation (EFF)’s Long List: https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt and a handful of dice (or virtual dice, which you can get by typing 20d6 into a search engine such as Google).
First, record the results of your dice roll in order, breaking them into groups of five, such as 43321 52254 54432 14514. Then, look up each group of dice results in your word list, and record the corresponding words. Using the “ctrl+f” keyboard shortcut to find each group will make this process quicker. In our example, 43321 becomes overstay, 52254 becomes rinsing, 54432 becomes sister, and 14514 becomes caloric.
To more easily distinguish one word from the next, it’s a good idea to capitalize the first letter of each word. To ensure that the new password meets complexity requirements based around the different kinds of characters, we typically add 1!, but any number and symbol will work. In our example, then, our diceware password is OverstayRinsingSisterCaloric1! – not exactly effortless to memorize, write down, or type manually, but much easier than our previous password |]u_'[3/<WJ+V200AtL)%/bQ9J(4O& while still being extremely difficult for other humans or computer systems to guess.
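The steps above, carried through in code as an added example (not from the original post or from Deep Core Data): it parses the EFF list’s tab-separated “dice key, word” format, groups rolls into fives, looks up and capitalizes each word, and appends the 1! suffix. The wordlist excerpt is constructed and holds only the four entries from the example; the real file has 7776 lines.

```python
import math
import secrets

# Constructed excerpt of the EFF Long List format ("ddddd<TAB>word").
# Only the four entries used in the post's example are included.
SAMPLE_WORDLIST = """43321\toverstay
52254\trinsing
54432\tsister
14514\tcaloric
"""


def parse_wordlist(text):
    """Parse EFF-style 'dice-key<TAB>word' lines into a dict keyed by the five digits."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split("\t", 1)
        table[key] = word.strip()
    return table


def roll_dice(count):
    """Roll `count` six-sided dice with a CSPRNG (secrets), never random.random()."""
    return [secrets.randbelow(6) + 1 for _ in range(count)]


def group_rolls(rolls, size=5):
    """Turn [4, 3, 3, 2, 1, ...] into ['43321', ...]; refuse leftover dice."""
    if len(rolls) % size:
        raise ValueError("number of rolls must be a multiple of %d" % size)
    return ["".join(str(d) for d in rolls[i:i + size]) for i in range(0, len(rolls), size)]


def diceware_passphrase(rolls, table, suffix="1!"):
    """Look up each five-dice group, capitalize each word, append the complexity suffix."""
    words = [table[key].capitalize() for key in group_rolls(rolls)]
    return "".join(words) + suffix


def passphrase_entropy_bits(word_count, list_size=7776):
    """Entropy contributed by the random words; the fixed suffix adds none."""
    return word_count * math.log2(list_size)


if __name__ == "__main__":
    table = parse_wordlist(SAMPLE_WORDLIST)
    example_rolls = [4, 3, 3, 2, 1, 5, 2, 2, 5, 4, 5, 4, 4, 3, 2, 1, 4, 5, 1, 4]
    print(diceware_passphrase(example_rolls, table))
    print(round(passphrase_entropy_bits(4), 1), "bits from the words")
```

Four words from a 7776-entry list give about 51.7 bits; each extra word adds roughly 12.9 bits, which is the lever to pull when a policy demands more strength.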
Even a human like you who knows that I use diceware passwords on all of my email accounts can’t get into any of those accounts any more easily, because diceware passwords are too random and too complex, and the dice are no more likely to roll words related to my interests and me than words that are totally unconnected to my life and my values.
2. Multi-Factor Authentication
We’ve talked about this before, but no matter how strong your password is, there’s always the risk that you might be phished or tricked into letting it fall into the wrong hands. There is also a much lower – but still real – risk that your computer could have a keylogger or other spyware on it that collects your password. In addition, a person in your life (like a controlling partner or relative) might get your password from wherever you store it, or ask you for it due to an emergency and then misuse it.
MFA (Multi-Factor Authentication) ensures that even if someone else has your password, they need a second factor (biometrics, a software token on your phone, or a physical object like a USB security key) to take control of your account.
1. Passwordless Authentication
If you’re used to thinking of continually more powerful passwords as the best way to sign into services online, this one may surprise you.
The majority of the time, users of online services return to those services on familiar devices from familiar locations, and those services “remember” the users and do not require them to sign in again.
When most people verify their identity to other people, such as an airport security officer, a registry of motor vehicles representative, a bank teller, or a liquor store clerk, they do not use a password or even a special code like an ID number. Instead, they use a physical object like a passport, driver’s license, or debit card to establish their identity. Sometimes the person doing the verification checks that the human being’s appearance corresponds to the face on the document.
Passwordless authentication works in a similar way – users confirm just once that they’re the legitimate owners of a specific computer, smartphone, smart card, or security key. Then, they may have to periodically re-verify their access to the device with biometrics such as fingerprints and facial recognition, especially if they bring their devices to new locations.
But on a day-to-day basis, users do not have to remember their passwords or type them in, saving everyone time, energy, and frustration.
Deep Core Data is currently reviewing the latest research on passwordless authentication systems, and making tentative plans to roll out this new technology on our own services.
If you’re interested in working with an IT company that is continually striving to improve and to implement the best possible strategies for securing your systems, please feel free to contact us today.