There’s a massive change coming in the world of IT security. Passwords are likely to be replaced by a simpler, more secure system.
Only here’s the kicker: it isn’t happening yet. Which means we all need to follow best-practice password security tips for a while longer.
In this post, we’re going to give you an overview of what’s on the horizon and why. But, because things that will happen tomorrow aren’t very good at protecting us today, we’ll end this post with password security tips for 2023. This will help to keep you safe until the important changes arrive.
What’s Wrong with Passwords?
Too often, they’re rubbish. And everyone hates them. As attention-seeking as this may sound, it’s true.
A massive 81% of security breaches are caused by compromised, weak or reused passwords. Okay, if people only followed password best practice this wouldn’t happen. But they aren’t, because strong passwords are a hassle to remember. So, they use easy-to-remember ones that are relatively simple to hack. They also reuse the same passwords again and again, which makes which makes them, and their employers, vulnerable on many, many fronts.
Even password managers – the approach every password security tips post has recommended since forever – aren’t foolproof. They’re targets, too, as the LastPass breach in late 2022 showed us.
Meanwhile, there’s the hell of resetting passwords. You know the scenario. You forgot your details. But you’ve also forgotten the details for the second account used to verify the first one. So you get stuck in a password feedback loop and fear you’re never going to escape.
Summing up, we need something better. For our security and possibly our sanity.
Say Hello to Passkeys: Passwordless Authentication
There’s an answer to all of the above.
Passkeys.
Compared to passwords, these password-less logins provide quicker, easier and more secure sign-ins across devices, websites and apps. The tech industry is convinced of the benefits and is keen to swiftly move forward with a transition to this new approach. Apple, Microsoft and Google now all support, or implement their own, passkeys.
Here’s how they work. Instead of having a password for an account, you enable an ’authenticator’, typically your device, to create a secure passkey (cryptographic key pair for that account). Passkeys require either biometric authentication – think fingerprints or facial recognition – or a PIN and swipe pattern. Here’s the crucial point: a scammer can’t easily gain access to passkey-protected accounts unless they have the user’s device in their hand. And, even then, they aren’t getting in without your biometrics or pin/swipe code.
Passkeys can sync across devices securely using Bluetooth, making them seamless and convenient to use. There’s never a weak or ‘middling’ passkey – they are always strong. And, because accounts can’t be unlocked remotely and the authenticator needs to be on hand, they are resistant to phishing.
At the centre of this big change is the promisingly named FAST ID Online (FIDO) Alliance. It has set the industry standards for passkeys that Microsoft, Google and all of the big players are starting to roll out.
So Passwords are Dead?
Not quite.
Like some tech version of Stockholm syndrome (where victims sympathise with their captors), we continue to hang on to our much-maligned passwords.
The FIDO alliance has acknowledged that it’s not easy to break old habits. Says Andrew Shikiar, executive director, ‘It’s a learned behaviour — the first thing you do is set up a password. So then the problem is we have a dependence on a really poor foundation. What we need to do is to break that dependence.’
Easier said than done.
Another tricky problem is that many password-less schemes require a user to have a modern device and at least one other device. That isn’t always going to happen.
Password Security Tips for 2023
So we’ve had a glimpse of the promised land of passkeys, but for now we trudge wearily back to the land of passwords.
It’s crucial until passkeys become ubiquitous that we follow good password hygiene. So here’s Intersys’ password security tips for 2023, to help you stay as secure as possible until an easier, phishing-proof method becomes commonplace.
Says Intersys MD Matthew Geyman,
“The objective of a good password is to increase randomness, known in the trade as ‘bit entropy’. This makes it harder for brute force cracking, which means guessing all password combinations (usually by deploying automated tools). I recommend a long password made up of three unrelated words. This has the virtue of randomness and, compared to strings of unrelated characters, memorability. Add some extra elements such as capitals and special characters and you’ll have an extremely tough nut to crack”
For instance, a password royalsandart (made up from the words royal, sand and art) will achieve 56 bits of entropy. This is considered strong enough for some purposes.
However, RoyalSandwichTransport, which includes longer words and characters, achieves 125 bits of entropy. This is much stronger.
Use this Password Methodology
- 16 characters or more
- 2 or more capital letters
- 2 or more numbers
- 1 or more special characters
So RoyalS@ndwichTransport72 would be an excellent password choice, with 157 bits of entropy. (But please don’t use it 😊)
How to Create an Even Tougher Password
If you want to add an extra layer of protection:
- Take the elements above
- Add a number of full stops ……..
- Add a phone number you know but never write down
That’s it. This is an excellent approach until the passkeys become commonplace. At that point securing accounts will get easier – and your data will be significantly safer.
Intersys is an award-winning IT services company with a dedicated cyber security division. We offer everything from breach response and training to full security operation services. To find out more, call +44 (0)20 3005 4440