Password Password Password

Team Merlin
Government Digital Services, Singapore
4 min read · Apr 8, 2022
Photo credit: Avengers Infinity War

Nothing is certain in life except death and taxes… and passwords. Passwords exist in almost every aspect of our digital life; we use them for social media, e-commerce, internet banking, and accessing work email. But what’s considered a good password?

A good password should strike a balance between entropy, length, and memorability. We recommend starting with a passphrase (3–4 random words) and complementing it with uppercase letters, symbols, and digits. Avoid using information that can be related to you to form your password (e.g. the place you live in, your favourite colour, your pet’s name). This should meet 90% of the password requirements out in the world. This article from our colleagues at the Cyber Security Agency of Singapore also has a checklist for creating a strong password.

Photo Credit: https://xkcd.com/936/
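To make the entropy argument behind the xkcd comic concrete, here is an added example (not part of the original post) that computes the bits of entropy for the passphrase and character-set strategies above and generates a passphrase with a cryptographically secure random source. The word list, the 2048-word list size and the 10-billion-guesses-per-second attacker are constructed assumptions for illustration; the figures assume the attacker knows which word list was used and chooses words uniformly at random.

```python
import math
import secrets
from typing import Sequence

# Constructed stand-in for a word list. A real diceware list has 7776 words and
# the xkcd comic assumes roughly 2048 common words; only the list SIZE and the
# uniform random choice matter for the entropy figures below.
SAMPLE_WORDLIST: Sequence[str] = (
    "correct", "horse", "battery", "staple", "merlin", "lion", "harbour", "kaya",
)
XKCD_WORDLIST_SIZE = 2048


def passphrase_entropy_bits(words: int, wordlist_size: int = XKCD_WORDLIST_SIZE) -> float:
    """Bits of entropy in `words` words chosen uniformly from `wordlist_size` words."""
    return words * math.log2(wordlist_size)


def charset_entropy_bits(length: int, charset_size: int) -> float:
    """Bits of entropy in `length` characters chosen uniformly from a charset."""
    return length * math.log2(charset_size)


def generate_passphrase(wordlist: Sequence[str], words: int = 4, separator: str = "-") -> str:
    """Build a passphrase with the CSPRNG-backed `secrets` module (never `random`)."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case years needed to try every candidate at a given guess rate."""
    return 2 ** bits / guesses_per_second / (60 * 60 * 24 * 365)


if __name__ == "__main__":
    rate = 1e10  # constructed assumption: 10 billion offline guesses per second
    strategies = [
        ("8 random printable ASCII chars", charset_entropy_bits(8, 95)),
        ("4 random words (2048-word list)", passphrase_entropy_bits(4)),
        ("4 random words + 2 digits + 1 symbol",
         passphrase_entropy_bits(4) + charset_entropy_bits(2, 10) + charset_entropy_bits(1, 32)),
        ("6 random words (7776-word diceware list)", passphrase_entropy_bits(6, 7776)),
    ]
    for label, bits in strategies:
        print(f"{label:45s} {bits:6.1f} bits  ~{years_to_exhaust(bits, rate):.2e} years")
    # The 8-word sample list only gives 12 bits; use a real list of thousands of words.
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDLIST))
```

The point the numbers make is that length wins: four words from a 2048-word list give 44 bits, and six diceware words give over 77 bits, which is why the post recommends starting from a passphrase and only then adding digits and symbols. Entropy is only a valid measure if the words are picked at random by a machine; words you pick yourself (pets, places, favourite colours) come from a much smaller, guessable pool.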

Phishing and brute-force attacks are some of the most common attacks reported in the news. Understanding how malicious actors crack passwords teaches us how to create better and stronger passwords.

Photo Credit: National Cyber Security Centre

So, how do we exactly choose?

Check out this YouTube video to learn more about password entropy and the techniques that malicious actors use to crack passwords.

Now that we know what a good (secure) password is, we will be sharing some tips on ways to protect them to help keep your accounts and information safe.

Check if your password(s) is/are safe

Before we do anything else, we should always check if the existing password(s) that we have is/are still safe.

Data breaches and password leaks are no longer rare in this day and age. One way organisations and governments get alerted if their users’ accounts are found inside data breaches is by enlisting security services such as Have I Been Pwned (HIBP).

HIBP allows you to search across multiple data breaches to see if your email address or phone number has been compromised. If either of them is flagged as pwned, you should change the password of every account that shares the same password.

Example of an email being flagged by HIBP

On the other hand, great job if nothing has been flagged! However, this doesn’t mean your password is 100% safe; it may have been compromised in another breach that has not been publicly disclosed yet. Thus, rotating each of your passwords every year is a good place to start. Later on, you may lengthen or shorten your password rotation intervals based on each account’s sensitivity.

Never reuse passwords

We want to minimise our attack surface. We can do so by setting a different password for each account, which protects us from losing access to every account in the event one of them is compromised.

Easier said than done right?

Using a different password doesn’t mean changing the last digit of your password (e.g. thisismypassword1 and thisismypassword2). Doing this doesn’t provide additional protection to your account because this way of managing passwords is also well known to attackers: they would create a wordlist of passwords with different suffixes and attempt to log in to your other accounts. This article explains in depth why incrementing passwords is a bad idea.
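From the defender's side, the same observation can be turned into a check: when a user changes their password, reject a new password that is only a predictable tweak of the old one. The following is an added example, not code from the original post; the rules it encodes (case-only change, reversed string, same core once trailing digits and symbols are stripped, or a high character-level similarity) and the 0.8 threshold are illustrative assumptions.

```python
import re
from difflib import SequenceMatcher

# Trailing characters people typically bump when "changing" a password.
_TRAILING = re.compile(r"[0-9!@#$%^&*.]+$")


def _core(pw: str) -> str:
    """Lower-case the password and drop trailing digits/symbols, so that
    'thisismypassword1' and 'thisismypassword2' share the core 'thisismypassword'."""
    return _TRAILING.sub("", pw.lower())


def is_trivial_variant(old: str, new: str, similarity_threshold: float = 0.8) -> bool:
    """True when `new` is a predictable tweak of `old`: same up to case, the old
    password reversed, the same core after stripping the suffix, or simply too
    similar character by character."""
    old_l, new_l = old.lower(), new.lower()
    if new_l == old_l or new_l == old_l[::-1]:
        return True
    if _core(new) == _core(old):
        return True
    return SequenceMatcher(None, old_l, new_l).ratio() >= similarity_threshold


def check_password_change(old: str, new: str) -> str:
    """Policy verdict for a password change, as a short string."""
    if is_trivial_variant(old, new):
        return "rejected: new password is a trivial variant of the old one"
    return "accepted"


if __name__ == "__main__":
    # Constructed sample changes; none of these are real credentials.
    for old, new in [
        ("thisismypassword1", "thisismypassword2"),
        ("Summer2021!", "summer2022!"),
        ("password", "drowssap"),
        ("thisismypassword1", "correct-horse-battery"),
    ]:
        print(f"{old!r} -> {new!r}: {check_password_change(old, new)}")
```

This check only needs the old password at the moment the user types both, so it does not require storing passwords in a reversible form. It deliberately does not try to catch every substitution (a leetspeak rewrite such as replacing letters with look-alike digits can slip under the similarity threshold), which is another reason the post's real recommendation is a password manager generating an unrelated random password for every account.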

We have all been guilty of using the same password for different accounts at some point. Let’s do a simple exercise: just count, off the top of your head, how many social media accounts you have right now. The average person can easily have more than 20 accounts to manage. It is simply impractical and inconvenient for the human mind to memorise so many complex passwords.

This is why having a password manager can help.

P.S. Never write passwords down on a piece of paper!

Use a password manager

A password manager can help to create and manage randomly generated passwords for all our accounts. One of our favourite features is that they can autofill usernames and passwords across all our devices. Some password managers also provide a dashboard showing your password hygiene.

Screenshot of dashboard showing weak and reused passwords
Screenshot of dashboard showing how many passwords are weak and at-risk

Learn more about the different password managers and their pros and cons here and here.

Enable two-factor authentication

Always enable two-factor authentication whenever you are prompted to. Two-factor authentication complements strong passwords and gives our accounts another layer of defence against malicious actors: it prevents an attacker from accessing your account even if they have your password.

If you have any tips that you would like to share with us, do leave them in the comments section below. Till then, stay safe and keep learning!

🧙🏼‍♀ Team Merlin 💛
Application security is not any individual’s problem but a shared responsibility.
