Guidance on what makes a good password
The more critical the system, the greater number of layers of authentication it should include. However, the traditional password still remains the primary method of user authentication. And despite the number of layers included in the system, they all generally rely on a username and password combination.
When creating a password policy, administrators should focus on these three key elements: A password policy is a set of rules created to improve computer security by motivating users to create dependable, secure passwords and then to store and use them properly. Normally, a password policy is part of an organization's official regulations and may be used as a section of its security awareness training. Passwords are the first line of protection against unauthorized access to your computer.
The stronger the password, the better your computer is protected from malicious software and attackers. When you use a corporate network, the network administrator may require you to use a strong password. To create a strong password, you need to know the criteria that make one.
Tips for keeping your password secure
Change it regularly—once every three to six months.
Change it if you have the slightest suspicion that the password has become known to a person or a machine.
Never reuse it for other websites.
Never save it in a web form on a computer that you do not control or that is shared with other people.
Never tell it to anyone.
The most important thing to remember here is that the words need to be random. The resulting passphrase should also be much easier to remember than a traditional random password. The Diceware website provides a numbered list of words. You roll ordinary six-sided dice, and the numbers that come up select the words you should use. And while the differing lengths of the words make brute-forcing the passphrase very difficult, you can always complicate things further with a simple-to-remember pattern—one that will also let the passphrase pass forms that check passwords for complexity.
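As an added illustration (not code from the original page or from the Diceware project), here is a small Python sketch of the dice-roll procedure described above; the word-list excerpt is constructed, and the OS CSPRNG stands in for physical dice:

```python
import math
import secrets

# Constructed excerpt in Diceware list format ("<five dice digits> <word>").
# A real list has 6**5 = 7776 entries, one for every possible five-dice roll.
SAMPLE_WORDLIST = """\
11111 a
11112 a&p
23456 dove
34521 hazel
45612 mint
56123 river
66666 zulu
"""

def parse_wordlist(text):
    """Map each five-digit roll key to its word; reject malformed keys."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split(None, 1)
        if len(key) != 5 or any(c not in "123456" for c in key):
            raise ValueError(f"bad Diceware key: {key!r}")
        table[key] = word.strip()
    return table

def roll_key(rng=secrets.randbelow):
    """Roll five six-sided dice; rng(6) must return a uniform value in 0..5."""
    return "".join(str(rng(6) + 1) for _ in range(5))

def generate_passphrase(table, n_words=6, rng=secrets.randbelow):
    """Pick n_words by dice roll; rolls missing from a partial list are re-rolled."""
    words = []
    while len(words) < n_words:
        key = roll_key(rng)
        if key in table:
            words.append(table[key])
    return words

def entropy_bits(n_words, list_size=6 ** 5):
    """Entropy of n_words drawn uniformly from a list of list_size words (full list by default)."""
    return n_words * math.log2(list_size)

def decorate(words):
    """Fixed, memorable pattern (capitalise, hyphenate, trailing '!') so the phrase
    also satisfies upper/lower/symbol complexity rules; being fixed, it adds no entropy."""
    return "-".join(w.capitalize() for w in words) + "!"
```

Six words from a full 7776-word list give about 77.5 bits of entropy, versus roughly 52 bits for eight characters chosen uniformly from the 94 printable ASCII symbols.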
And what if the system is public-facing? We could keep going and analyze other risk factors, but you get the idea. The further down the risk rabbit hole you venture, the less sense a one-size-fits-all approach to password length makes. Simply put, control strength must follow logically from the inherent risk level. Password length gets a disproportionate amount of attention compared with other password settings such as complexity or maximum age, but each setting influences the risk profile.
Layer on multi-factor authentication (MFA), and the conversation changes again. Individual controls should not be considered in a vacuum, and the same holds true for password length.
Then there is that pesky human element that keeps every ISO up at night. The truth is, tuning some password settings too high can actually make you less secure. If you make authentication too difficult, the humans on the other side of the keyboard may find inventive ways to circumvent your carefully crafted controls.
If they do choose something harder to guess, they may have trouble remembering their new-and-improved password.