
Passwords are integral to modern security and are used in every area of everyday life, from shopping for groceries online to the system administrators who run the most critical national infrastructure: electricity, water and much more. For most people, a password is the first line of defence against threat actors aiming to gain access to their data and identity. On their own, however, passwords are not secure enough to protect against those threat actors.
Recent studies measuring the time it takes an attacker to brute-force a password (to keep attempting logins until one succeeds) show that a 6-character password using a combination of upper- and lower-case letters, numbers and special characters could take an attacker 2 weeks to crack. This time drops significantly if the password uses dictionary words or has already been exposed in a successful attack elsewhere.
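To make the reasoning above concrete, the following added example (written for this page, not taken from any study it cites) estimates the size of the search space an attacker faces for an exhaustive search versus a dictionary-based search, and converts each into a worst-case time at an assumed guess rate. The guess rate, the dictionary size and the number of mangling rules are all assumptions chosen for illustration; the point is how much smaller the dictionary search is, not the absolute figures.

```python
import string

# Character classes an attacker would have to enumerate; sizes are 26, 26, 10 and 32.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation,
}


def alphabet_size(password: str) -> int:
    """Size of the alphabet an attacker must search if they know only which
    character classes the password draws from (94 when all four are used)."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def brute_force_keyspace(password: str) -> int:
    """Number of candidates for an exhaustive search at this length and alphabet."""
    return alphabet_size(password) ** len(password)


def dictionary_keyspace(dictionary_words: int, mangling_rules: int) -> int:
    """Candidates for a dictionary attack: each word tried under each mangling
    rule (capitalisation, digit suffixes, character substitutions and so on)."""
    return dictionary_words * mangling_rules


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace / guesses_per_second


def compare_attacks(password: str, guesses_per_second: float,
                    dictionary_words: int, mangling_rules: int) -> dict:
    """Worst-case seconds for an exhaustive search versus a dictionary-based
    search; the ratio shows how much a dictionary-derived password shrinks
    the attacker's work."""
    brute = seconds_to_exhaust(brute_force_keyspace(password), guesses_per_second)
    dictionary = seconds_to_exhaust(
        dictionary_keyspace(dictionary_words, mangling_rules), guesses_per_second)
    return {"brute_force_seconds": brute,
            "dictionary_seconds": dictionary,
            "speedup": brute / dictionary}


if __name__ == "__main__":
    # Assumed rate: one million guesses per second (offline cracking is far faster).
    RATE = 1_000_000
    # Constructed dictionary attack: 100,000 words, 50 mangling rules each.
    result = compare_attacks("Pa55w!", RATE, 100_000, 50)
    print(f"exhaustive search: {result['brute_force_seconds'] / 86400:.1f} days")
    print(f"dictionary search: {result['dictionary_seconds']:.0f} seconds")
    print(f"dictionary attack is {result['speedup']:.0f}x faster")
```

With the assumed rate, the six-character mixed-class password takes roughly eight days to exhaust, while a dictionary-derived password of the same length falls in seconds; the `speedup` figure is what a defender should keep in mind when reading claims about "time to crack".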
So how can we protect accounts?
- Use Unique Passwords: Avoid reusing passwords across different sites. This way, if one account is compromised, others remain secure.
- Create Complex Passwords: Combine uppercase and lowercase letters, numbers, and special characters. Aim for a minimum of 12 characters.
- Enable Two-Factor Authentication (2FA): Adding an extra layer of security, 2FA requires a second form of verification, such as a code sent to your phone, making unauthorised access more difficult.
- Use single sign-on systems: Single sign-on (SSO) allows staff to use just one set of credentials to automatically gain access to multiple applications and services. So, a user might log into their work machine and have access to everything they need, without having to enter another set of credentials.
- Utilise Password Managers: These tools generate and store complex passwords securely, reducing the risk of human error and simplifying password management.
- Change all default passwords: Default passwords are the factory-set credentials shipped with applications, devices and services. They are published in documentation, shared across every installation of the same product, and are therefore among the first guesses an attacker will try.
- Don’t enforce regular password expiry: Regular password changing harms rather than improves security. Many systems will force users to change their password at regular intervals, typically every 30, 60 or 90 days. This imposes burdens on the user and there are costs associated with recovering accounts.
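The following added example (written for this page, not code from any product it mentions) turns the guidance in the list above into a server-side check run at the moment a password is set: minimum length of 12, all four character classes, rejection of known default passwords and of passwords already seen in a breach, with no periodic expiry. It also shows how a password manager generates a password that passes the same policy from the operating system's cryptographic random source. The breached-password and default-password lists are constructed samples for illustration only.

```python
import secrets
import string

MIN_LENGTH = 12

# Character classes a candidate must draw from.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation,
}

# Constructed sample lists for this example. A real deployment would consult a
# breached-password corpus (ideally via a hashed or k-anonymity lookup so the
# candidate never leaves the server) and the default-credential lists published
# for the products it runs.
KNOWN_BREACHED = {"password123", "qwerty123456", "letmein12345!"}
VENDOR_DEFAULTS = {"admin", "password", "changeme", "12345678"}


def character_classes(candidate: str) -> set:
    """Names of the character classes present in the candidate."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in candidate)}


def check_password(candidate: str) -> list:
    """Return the policy violations for a candidate; an empty list means accepted.
    Run this when a password is set, not on a timer: strength is verified at
    creation and rotation is not forced."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = set(CLASSES) - character_classes(candidate)
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    if candidate.lower() in VENDOR_DEFAULTS:
        problems.append("is a known default password")
    if candidate in KNOWN_BREACHED:
        problems.append("appears in a breach corpus")
    return problems


def generate_password(length: int = 16) -> str:
    """Build a random password the way a password manager does: one character
    from each class so the policy is satisfied, the rest from the full
    alphabet, all drawn from the OS cryptographic RNG and then shuffled."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    full_alphabet = "".join(CLASSES.values())
    chars = [secrets.choice(class_chars) for class_chars in CLASSES.values()]
    chars += [secrets.choice(full_alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    for candidate in ("admin", "password123", "Correct-Horse-7", generate_password()):
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

Note that the candidate is never logged or echoed beyond this demonstration; in production the check should return only the list of violations and the password should be hashed before it is stored.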
Forcing password expiry carries no real benefits because:
- The user is likely to choose new passwords that are only minor variations of the old.
- Stolen passwords are generally exploited immediately.
- Resetting the password gives you no information about whether a compromise has occurred.
- An attacker with access to the account will probably also receive the request to reset the password.
- If compromised via insecure storage, the attacker will be able to find the new password in the same place.
In conclusion, while passwords remain a fundamental aspect of security, their effectiveness is slowly diminishing due to a lack of security awareness and evolving cyber threats. The alarming frequency of data breaches, with over 19 billion passwords compromised in recent incidents (source: Forbes), highlights the need for strong password security awareness.