Blog Password Best Practise for 2023

Password Best Practise

There are quite a number of organisations that publish best practise advice on passwords, and they don’t always agree. But there are a number of common factors which are universally held to be Good Ideas when creating a password, so let’s look at these first.

1. Password length

If there’s one thing that makes a password much harder to guess, it’s if it’s a long one. We’re talking twelve characters upwards here, and the longer the better; twenty or thirty would be preferable. “What?!” I hear you cry, “How am I going to remember such a long password?”. You don’t need to, because you’ll be using a password manager, and we’ll come on to those shortly.

2. Password content

The second main factor is what your password consists of. This will depend to some extent on the system or website you’re choosing a password for, but the usual suspects are upper and lower case letters, numbers and special characters. Obviously, you shouldn’t choose a password that is easily guessed, and this includes “Password1”, “Pa$$W0rd” and the name of your dog. The best password is a random combination of letters, numbers and special characters that means absolutely nothing to anybody and is securely stored in your password manager (still coming to those shortly).

But what if you aren’t or can’t use a password manager, and you need to be able to remember the password? In this case, there are two main schools of thought. The first is to use three random words which are unrelated to each other, but which you can remember through a bit of effort in associating them in your brain, for example “ScallopRocketUnderwear” or “CheeseFurniturePiano” (I’m not sure what the Freudian implications of this method are – Ed). The second is to use a passphrase where you take the first letter of each word, for example “I really like going to the moon and back because I’m a big rocket fan” becomes “IrlgttmabbIabrf”. After a bit of practice, these should become embedded in your consciousness and be easily retrievable, albeit for a limited number of passwords. And don’t worry about changing your password regularly – best practise says that this should only be done if you know or suspect your password has been compromised.

3. Password reuse

Great, so you’ve come up with a clever password that will never be guessed. Makes sense to use it on every system and website you come across, right? No, no, a thousand times no. The trouble is, systems get hacked and passwords stolen, so if the bad people know your password to one site, what do you think happens next? That’s right, they try it on lots of other sites, hoping that you’ve fallen into the password reuse trap. Then they give it (or more likely sell it) to their friends who try a whole bunch of other websites, and so on. I know people this has happened to and watching the panicked frenzy of them trying to log in to the sites the password is used on before the hackers get there is not a pretty sight. That’s if they can even remember which sites might be at risk. Use a completely different password for every website or system (and a password manager – coming soon I promise).

4. Multifactor

The last big hitter that everyone agrees on is the use of multifactor authentication. This is where you receive a text with a code to enter onto the screen when you log on. Or preferably (because phone numbers can be hacked too), you use an app on your phone to retrieve the number or respond to a message in an app to confirm it’s you. Fortunately, this is now very common and where it’s available you should definitely be using it.

5. Password Managers

At last we can talk about password managers (thanks for your patience). These are apps that store your login details (username, password, logon URL and anything else you need) in an encrypted vault that you can access from multiple devices. They can fill in your username and password automatically in most cases because they recognise the site you’re on, and this alone can be a major time saver. Because your details are stored, you don’t need to remember any passwords and so you can make them as long and nonsensical as you wish and use a completely different one for each website. Many password managers will suggest a password for you, so you don’t even have to think about it.

Additional functionality varies according to the password manager you choose, but many will give you advice about your existing passwords they consider to be weak, allow you to organise your logons in folders, and set restrictions on how the app can be accessed (for example from which countries and browsers).

So far so good. But there are maybe two areas that are the Achilles Heel of password managers; the first is the fact that you still need a master password to access the password manager itself – better make this a really good, long one, memorise it well and use the best multifactor option available (a secure key, such as Yubikey, is ideal). The second issue is that you have stored all of your credentials in the cloud and what if the password manager itself gets hacked? Unfortunately, this has happened in the past, and the jury is still out (not literally – no-one ever gets caught) on whether customers’ passwords have been obtained. The key here is to make your master password the best password you have ever created in your life, as this is usually what’s used to encrypt your data, and strong encryption is your best friend.

Closing Thoughts

The benefits of password managers really do outweigh the potential pitfalls, and they are your only chance of using different strong passwords on every system and website. One other interesting development is the use of single sign on (SSO) where one system or website trusts the fact that you have already logged on to another (for example Google, Microsoft or Apple) and this may reduce the sheer number of passwords you need in the longer term. But for now, passwords are everywhere and if we don’t manage them carefully, the danger is that someone else will.

Written by CertiKit’s CEO, Ken Holmes CISSP, CIPP/E. Ken is the primary author of CertiKit’s toolkit range, an ISO 27001 Lead Auditor and has helped to implement, operate and audit ISO certifications over a varied 30-year career in the Information Technology industry. 

More Cyber Security Resources

If Cyber Security Awareness Month has inspired you to take action, we have some useful resources to help.

• Cyber Security Blogs – We have a host of useful content relating to all things Cyber Security.
• Cyber Essentials Toolkit – Align to the UK scheme with help from our document toolkit, including all the templates and guides required to comply.
• ISO27001 Toolkit – Align to the ISO27001 standard for an Information Security Management System with help from our toolkit. Including 180+ documents, guides and templates, and unlimited email support.