Passwords have been around since the dawn of the internet but nevertheless remain the primary way of protecting data at Washington State University and other organizations.
Staff with WSU Information Technology Services want to remind members of the university community to follow a few important recommendations to ensure their passwords are secure.
- Passwords should be longer than 12 characters. With modern computing, it isn’t difficult for hackers to use brute force techniques to try every possible combination for a password shorter than 12 characters within a reasonable amount of time.
- Passwords should involve a high level of complexity. Users should create passwords with upper and lower case letters; a computer treats these as distinct characters, so using both enlarges the set of characters an attacker has to search. In addition, mixing numbers as well as symbols into a password exponentially increases the number of combinations a computer would have to try in order to crack it by brute force.
- Consider creating a passphrase that contains multiple longer words and swapping letters with numbers or special characters to make it easier to memorize longer, more complex passwords.
The math of passwords
If a password is composed of only lowercase letters and is 6 characters long, then the total number of possible password variations is 308,915,776. That may sound like a lot, but when a single computer can guess millions of passwords per second, it would only be a matter of minutes before it managed to guess the correct password. Adding upper case characters into the mix increases the number of possible password variations to 19,770,609,664 — a significant increase in possibilities that makes the computer work much harder to guess the password.
By introducing the possibility of numerals as well as special characters, and increasing the length of a password beyond 12 characters, the number of potential password variations increases exponentially, making it less likely that an attacker will rely on simple password guessing.
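As an added illustration of the arithmetic above (example code written for this page, not part of the WSU article), the following computes the keyspace, the equivalent bits of entropy, and the worst-case time to try every combination for the character classes discussed. The guess rate of one million per second and the count of 32 symbols are assumptions chosen for illustration, not measured figures.

```python
# Added example; not code from the WSU article. The guess rate and the
# symbol count are constructed assumptions used only for illustration.
from math import log2

LOWER, UPPER, DIGITS = 26, 26, 10
SYMBOLS = 32  # assumed: printable ASCII punctuation characters
CLASSES = {
    "lowercase only": LOWER,
    "upper + lower": LOWER + UPPER,
    "upper + lower + digits": LOWER + UPPER + DIGITS,
    "letters, digits, symbols": LOWER + UPPER + DIGITS + SYMBOLS,
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy when each character is chosen uniformly at random."""
    return length * log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst case: the attacker tries every password in the keyspace."""
    return keyspace(alphabet_size, length) / guesses_per_second


def human_time(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    units = [("years", 365 * 24 * 3600), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def table(lengths=(6, 8, 12, 16), guesses_per_second=1e6):
    """Rows of (class, length, keyspace, bits, time) for each class/length pair."""
    rows = []
    for label, size in CLASSES.items():
        for n in lengths:
            rows.append((label, n, keyspace(size, n), round(entropy_bits(size, n), 1),
                         human_time(seconds_to_exhaust(size, n, guesses_per_second))))
    return rows


if __name__ == "__main__":
    for label, n, space, bits, t in table():
        print(f"{label:26} len={n:2}  {space:>32,}  {bits:5.1f} bits  {t}")
```

Running the table shows the article's two figures (26^6 and 52^6) in the first rows, and how each added character multiplies the work far more than each added character class does.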
The most popular passwords that are cracked and stolen during breaches often involve a variation of the word password, some string of numbers, or a variation of popular words. A targeted attack on a set of login credentials will often involve the attacker doing research on the owner of the password and guessing variations of important dates, names, or hobbies. The attacker will use dictionary attacks — throwing word sets at the password to see what sticks.
Here are a few additional tips that WSU IT professionals recommend to ensure logins are safe:
- Never use the same password for more than one login. This prevents an attacker from accessing all of a user’s accounts should their password be compromised.
- Use a password manager to keep track of many different passwords. Bitwarden, LastPass, 1Password, or KeePass are all good options to keep track of passwords. WSU users can contact their area technical officer to find out which of these providers are approved for use in their area. Ensure that the password used to access a password manager is a strong one.
- Be wary of any link in an email that asks a user to click or log in. These can be used to steal usernames and passwords.
- Do not share passwords. This should be considered common sense.
- Activate the option for multi-factor authentication (such as a confirmation email or text message) on every account where it is available. This adds an additional layer of protection in case a password becomes compromised, and in addition can alert a user to when someone is attempting to access their accounts.
These measures may make logging into work-related platforms more time-consuming, but having accounts breached is far more intrusive than the extra seconds it takes to log in.
Members of the university community with questions about passwords, or any other information security topic, can feel free to reach out to the WSU information security team at email@example.com.