Password Best Practices

Last updated on April 29, 2024

Good Security Practice:

Government employees should not use their internal passwords for external services.

What does this statement mean?

You should not use your IDIR password for anything other than logging on to your government account. For example, do not use it for a Hotmail or Yahoo account, as the PIN for a bank machine, for your Amazon account, and so on.

Why?

If a password you also use on a less-protected external service is exposed, whoever obtains it can try it against the accounts associated with you, including your IDIR account. Using a different password for each external service and for your IDIR account closes this exposure. There are two common ways a password used on an external service can be exposed:

  • Breaches of online retailers' and other service providers' databases happen far too often. If a database containing your password is exposed, attackers routinely try the leaked credentials against other services (credential stuffing), and your IDIR account is vulnerable if it shares that password.
  • When logging into a commercial service, your password may be sent in clear text (unencrypted, for example over plain HTTP rather than HTTPS) across the Internet, where it can be captured in transit.

Are there any methods available to ensure I have created a strong password?

Employees are asked to create and manage long, complex passwords. This matters because anything protected by a password, whether an encrypted file or an account, is only as strong as that password: an attacker who can guess it does not need to break the encryption. Short passwords (even complex 8-character ones) are now relatively easy to break, because password-guessing hardware and tools have improved dramatically. Long, complex passwords may seem daunting, but they can be easy to create and, more importantly, easy to remember without writing them down. The method below will not produce a password as strong as one made of truly random characters of the same length, because its strength comes from the phrase rather than from the characters, but it will help you create and use long, complex passwords when needed.

Step 1.  Think of a phrase that you can easily remember (a title, a famous quote, or something that means something to you). Prefer something personal rather than a well-known quote on its own, since cracking word lists commonly include popular quotes and lyrics. For example:

  • My one most favourite pet ‘Sam’ is so very fun he equals three hundred.

Step 2. Take the first letter of each word; this is easy to do while you say the phrase to yourself:

  • Momfpsisvfheth

Step 3.  Substitute capitals, numbers and symbols for some of the letters, based on the words they stand for:

  • m1mfpSi%vFh=3h  (capitalize the letters for the important words Sam and fun; replace "one" with 1, "so" with %, "equals" with = and "three" with 3)

From a simple sentence you now have a 14-character password that no dictionary attack will recognize, and by adding numbers and symbols it lands in the strongest column of the chart below. Two cautions: the password is only as unpredictable as the phrase and substitutions behind it (cracking tools already try the common letter-for-symbol swaps), and it must never be reused for another service.

Some Interesting Facts:

How much time is needed to crack a password by brute-force?

If the password cannot be guessed and is not found in a dictionary, the cracker has to fall back to a brute-force attack. When brute-forcing, the time to crack the password depends on the number of possible passwords the cracker has to try. That number grows with password length and with the diversity of characters used (complexity).

Take the scenario of a cracker trying 15 million passwords per second. That figure is modest by today's standards: an ordinary laptop reaches it against a fast hash, and a single modern GPU running a tool such as hashcat tries billions of guesses per second against fast, unsalted hashes like MD5 or NTLM (far fewer against deliberately slow password hashes such as bcrypt or Argon2). Note also that the table below, reproduced from the source cited beneath it, was not computed at 15 million guesses per second: at that rate, exhausting the 26^11 eleven-letter lowercase passwords alone would take about 8 years, not 6 seconds. Read its columns as showing how the time grows with length and character set, not as exact figures for any particular machine.

Notice the enormous increase in the time needed to try all possible combinations as password length and complexity increase.

Time to brute-force a password (time to try every possible combination)

Length | Numbers only | Lowercase only | Upper + lower | Numbers + upper + lower | Numbers + upper + lower + special
-------|--------------|----------------|---------------|-------------------------|----------------------------------
4      | instantly    | instantly      | instantly     | instantly               | instantly
5      | instantly    | instantly      | instantly     | instantly               | instantly
6      | instantly    | instantly      | instantly     | instantly               | instantly
7      | instantly    | instantly      | instantly     | instantly               | instantly
8      | instantly    | instantly      | instantly     | instantly               | 1 second
9      | instantly    | instantly      | 4 seconds     | 21 seconds              | 1 minute
10     | instantly    | instantly      | 4 minutes     | 22 minutes              | 1 hour
11     | instantly    | 6 seconds      | 3 hours       | 22 hours                | 4 days
12     | instantly    | 2 minutes      | 7 days        | 2 months                | 8 months
13     | instantly    | 1 hour         | 12 months     | 10 years                | 47 years
14     | instantly    | 1 day          | 52 years      | 608 years               | 3000 years

* Data taken from https://archerpoint.com/securing-your-accounts-with-strong-passwords-and-2fa/ 

What we see is that:

* any password shorter than 8 characters can be cracked instantly

* any password 10 characters or less can be cracked within an hour.

To be on the safe side, we recommend a minimum password length of at least 14 characters.

Note: the times in the table are for trying every possible password. On average the cracker finds the right one after trying about half of them, so the expected time is roughly 50% of the figure shown. A cracker can also get lucky on the first try; the chance is tiny, but it is possible.
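The following is an added example, not code from this page or its cited source. It implements the acronym step (Step 2) of the passphrase method above and the arithmetic behind the crack-time table, so the table can be regenerated for any guess rate and a concrete password can be placed in its column. The alphabet sizes per column, the GPU guess rate and the helper names are assumptions made for the example; the source table does not state the alphabets it used.

```python
# Added example (not from the page): Step 2 of the passphrase method plus the
# brute-force arithmetic behind the crack-time table. Alphabet sizes and the
# GPU rate below are assumptions for illustration.
import string

# Alphabet size per table column. The source table does not state its exact
# alphabets; these are the conventional ASCII counts (assumption).
ALPHABETS = {
    "numbers": 10,
    "lowercase": 26,
    "mixed case": 52,
    "alphanumeric": 62,
    "all printable": 95,  # 10 digits + 52 letters + 33 symbols (space included)
}

PAGE_RATE = 15_000_000       # guesses per second quoted by the page
GPU_RATE = 100_000_000_000   # assumed ~1e11/s: order of magnitude for one modern GPU
                             # against a fast unsalted hash such as MD5 or NTLM

QUOTES = "'\"\u2018\u2019\u201c\u201d"


def acronym(phrase: str) -> str:
    """Step 2: first character of every word, quotes and punctuation stripped,
    original case kept (the page lower-cased the S of Sam in Step 2 and
    restored it in Step 3)."""
    words = (w.strip(string.punctuation + QUOTES) for w in phrase.split())
    return "".join(w[0] for w in words if w)


def table_column(password: str) -> str:
    """Name of the table column that covers every character class in the
    password. A single-case password lands in the 26-letter column either way."""
    has_digit = any(c.isdigit() for c in password)
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_other = any(not c.isalnum() for c in password)
    if has_other:
        return "all printable"
    if has_digit and (has_lower or has_upper):
        return "alphanumeric"
    if has_lower and has_upper:
        return "mixed case"
    if has_lower or has_upper:
        return "lowercase"
    return "numbers"


def exhaustive_seconds(length: int, alphabet: int, rate: float) -> float:
    """Seconds to try every password of this length over this alphabet."""
    return alphabet ** length / rate


def expected_seconds(length: int, alphabet: int, rate: float) -> float:
    """Average case: the right password turns up after half the keyspace
    (the page's 50% note)."""
    return exhaustive_seconds(length, alphabet, rate) / 2


def humanize(seconds: float) -> str:
    """Render a duration the way the table does ('instantly', '4 minutes', '8 years')."""
    if seconds < 1:
        return "instantly"
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60), ("seconds", 1)):
        if seconds >= size:
            value = seconds / size
            unit = name if value >= 1.5 else name.rstrip("s")
            return f"{value:.1e} {unit}" if value >= 1e6 else f"{value:,.0f} {unit}"
    return "instantly"  # not reached: seconds >= 1 always matches the last unit


def table_row(length: int, rate: float) -> dict:
    """One row of the table (exhaustive time) for every column at `rate`."""
    return {col: humanize(exhaustive_seconds(length, n, rate)) for col, n in ALPHABETS.items()}


def password_report(password: str, rate: float) -> dict:
    """Column, keyspace and exhaustive/expected time for a concrete password."""
    col = table_column(password)
    n = ALPHABETS[col]
    return {
        "column": col,
        "keyspace": n ** len(password),
        "exhaustive": humanize(exhaustive_seconds(len(password), n, rate)),
        "expected": humanize(expected_seconds(len(password), n, rate)),
    }


if __name__ == "__main__":
    phrase = "My one most favourite pet 'Sam' is so very fun he equals three hundred."
    print("Step 2:", acronym(phrase))
    # Step 3 is a manual, creative substitution; the page's result is used as-is.
    for pw in ("m1mfpSi%vFh=3h", "Momfpsisvfheth", "password"):
        print(pw, password_report(pw, PAGE_RATE), password_report(pw, GPU_RATE))
    for length in range(8, 15):
        print(length, table_row(length, PAGE_RATE))
```

Running the script shows why the 15 million guesses per second figure and the table do not agree: at that rate the eleven-letter lowercase row alone comes out at about 8 years rather than 6 seconds, while at the assumed GPU rate most rows shrink by four orders of magnitude. The 14-character example from Step 3 stays far beyond reach in either case only because its keyspace is computed as if it were random; a predictable phrase or substitution pattern shortens that in ways this arithmetic cannot capture.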

Some Other Resources:

Wikipedia:

  1. Password Strength
  2. Password Cracking