How to pick a good password
New Teach First password policy for 2023 (from 27th March):
- The minimum password length is now 14 characters
- Character complexity is no longer required (uppercase, lowercase, number, special character)
- Passwords will no longer expire
General Guidelines:
So, how do you create a “strong” password that is easy to remember? While it may seem tough to do this, there are a few simple tips that can make it easy:
- Use passphrases: The most important factor in password strength is length. Passphrases are a string of words, like a favourite song lyric or quote. These can be both long and easy to remember! Aim to create a passphrase that is 14 characters or more, as the Teach First password policy requires. For instance, "BlueDolphinEats4Apples!". This can be easier to remember and just as secure as a complex password.
- Use unique passwords or passphrases: You should have a unique password for each of your accounts. This way, if one of your accounts is compromised, your other accounts remain secure.
- Use a password generator: You can use a website like https://mdigi.tools/memorable-password/ or https://1password.com/password-generator/ to help you create memorable, robust passwords.
Password patterns (Avoid these):
- 77% of passwords containing a single digit append it to the end of the password. 10% of the time, an appended digit will be a "1"; if the password also has capitals, 15% of the time that digit will be a "1". Adding a 1 to the end of your password has become effectively meaningless for your security.
- 35% of passwords requiring a capital letter will capitalise the first letter.
- 89% of 7-character long alpha strings can be targeted by either capitalising the first character or capitalising the whole string.
- ~10% of users will model their password after their username.
Things to Keep in Mind When Creating a Password:
- Length is more important than complexity. This does not mean complexity is not important, just that length is more important. Shoot for length first, then complexity.
- Avoid common substitutions, as they are baked into password cracking rule-sets. Common substitutions include: a = @, i = !, s = $, etc. Same with adding a 1 to the end of your password and capitalising the first character. These are common patterns, and are well-known to crackers.
- Instead of thinking "password" think "passphrase". A single dictionary word is extremely bad. Four to five random dictionary words, perhaps separated by spaces or special characters, is robust. The benefit of a passphrase is that it is easier for you to generate entropy while still remembering your key. Generating entropy through randomised characters is hard, and results in a hard-to-remember password, meaning you will likely end up with less entropy.
- Avoid "password walking". This is using a password with adjacent keyboard characters (e.g. "qwerty", "1q2w3e4r", "1qaz2wsx", etc.)
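The patterns listed above can be turned into a simple pre-submission check. The following is an added example, not Teach First's own tooling; the keyboard-walk list, substitution table and five-word dictionary are constructed stand-ins for the word lists and rule-sets a real cracker would use.

```python
import re

MIN_LENGTH = 14  # Teach First policy minimum from 27 March 2023

# Keyboard walks quoted on the page plus a few obvious rows (constructed list).
KEYBOARD_WALKS = ("qwerty", "1q2w3e4r", "1qaz2wsx", "asdfgh", "zxcvbn", "123456")
# Substitutions the guidance says are baked into cracking rule-sets.
UNLEET = str.maketrans({"@": "a", "!": "i", "$": "s", "1": "l", "0": "o", "3": "e"})
# Tiny constructed word list standing in for a real cracking dictionary.
DICTIONARY = {"password", "dolphin", "welcome", "summer", "monkey"}


def check_password(pw: str) -> list[str]:
    """Return the guidance rules that `pw` breaks; an empty list means it passes.

    Only the minimum length is a hard policy requirement; the rest are the
    predictable patterns the guidance tells users to avoid.
    """
    issues = []
    if len(pw) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")

    low = pw.lower()
    # Password walking: a keyboard row in either direction.
    walks = [w for w in KEYBOARD_WALKS if w in low or w[::-1] in low]
    if walks:
        issues.append(f"keyboard walk: {walks[0]}")

    # A single digit bolted onto the end of an otherwise digit-free password.
    if re.fullmatch(r"\D+\d", pw):
        issues.append("single digit appended to the end")

    # First letter capitalised and nothing else is.
    if pw[:1].isupper() and pw[1:] == pw[1:].lower():
        issues.append("only the first letter is capitalised")

    # Compare the letters as typed with the letters a rule-based cracker
    # would see after undoing common substitutions.
    stripped = re.sub(r"[^a-z]", "", low)
    unleeted = re.sub(r"[^a-z]", "", low.translate(UNLEET))

    def has_word(s: str) -> bool:
        return any(w in s for w in DICTIONARY)

    if stripped in DICTIONARY or unleeted in DICTIONARY:
        issues.append("single dictionary word")
    if has_word(unleeted) and not has_word(stripped):
        issues.append("common substitution hides a dictionary word")
    return issues
```

The page's own example "BlueDolphinEats4Apples!" and a four-word passphrase both pass, while "Summer1" trips four of the rules at once.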
Why we have changed the password policy:
- Password expiration requirements do more harm than good, because these requirements make users select predictable passwords, composed of sequential words and numbers that are closely related to each other. In these cases, the next password can be predicted based on the previous password. Password expiration requirements offer no containment benefits because cybercriminals almost always use credentials as soon as they compromise them.
- Password complexity requirements reduce key space and cause users to act in predictable ways, doing more harm than good. Most systems enforce some level of password complexity requirements.
- Most people use similar patterns, for example, a capital letter in the first position, a symbol in the last, and a number in the last 2. Cybercriminals know this, so they run their dictionary attacks using the most common substitutions: "$" for "s", "@" for "a", "1" for "l". Forcing your users to choose a combination of uppercase, lowercase, digits and special characters has a negative effect. Some complexity requirements even prevent users from using secure and memorable passwords, and force them into coming up with less secure and less memorable passwords.