In today’s connected world, managing passwords can be a time-consuming chore, but it is unfortunately a necessary evil. Creating and using strong passwords is a recommended best practice to protect any online account from falling into the wrong hands. With the many data breaches that occurred in 2014 (e.g. Target, Home Depot and eBay, among others), protecting your online identity remains very important.
To help manage your passwords and online accounts, I would recommend using a password manager (e.g. LastPass or Roboform, among others). This reduces the number of passwords you need to remember to a single master password, which should be extremely strong since it protects your entire online identity.
But how do you create strong passwords before placing them in the password manager? First use a random password generator, then test the strength of the resulting password. How strong should a password be? That depends on the account the password protects: the more sensitive or important the account, the stronger the password should be. Most passwords should take from a few weeks to a few months to crack, so that if your password is stolen along with a large collection of hashed passwords, other (weaker) passwords will be uncovered before yours.
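As an added illustration of the two steps above (this is example code written for this page, not a tool from the original post), the following Python script draws a password from the operating system's cryptographic random source and then estimates the entropy and expected brute-force time of any password. The symbol set and the guessing rate of 10^10 guesses per second (an illustrative figure for an offline attack on a fast, unsalted hash) are assumptions of the example, not numbers from the post.

```python
import math
import secrets
import string

# Character classes a generator typically draws from (the symbol set is an
# assumption for this example; real generators let you configure it).
CHARSETS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.<>?/",
}
DEFAULT_CLASSES = ("lower", "upper", "digits", "symbols")


def generate_password(length=20, classes=DEFAULT_CLASSES):
    """Draw a password uniformly from the combined alphabet using the OS CSPRNG
    (the secrets module, never random). Rejection sampling guarantees at least
    one character of every requested class without biasing the result."""
    alphabet = "".join(CHARSETS[c] for c in classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in CHARSETS[c] for ch in candidate) for c in classes):
            return candidate


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def estimate_bits(password):
    """Estimate the entropy of an existing password from the character classes
    it uses. Caveat: this assumes the password was chosen uniformly at random,
    so it badly flatters human-chosen passwords (words, dates, keyboard walks)."""
    used = [c for c, chars in CHARSETS.items() if any(ch in chars for ch in password)]
    if not used:
        return 0.0
    return entropy_bits(len(password), sum(len(CHARSETS[c]) for c in used))


def expected_crack_seconds(bits, guesses_per_second):
    """Expected brute-force time: an attacker guessing at a fixed rate needs,
    on average, half the keyspace (2**bits / 2) before hitting the password."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def report(password, guesses_per_second=1e10):
    """Return (bits, days) for a password at an assumed offline guessing rate.
    1e10 guesses/s is an illustrative figure for a GPU rig against a fast
    unsalted hash; slow hashes such as bcrypt cut it by orders of magnitude."""
    bits = estimate_bits(password)
    days = expected_crack_seconds(bits, guesses_per_second) / 86400.0
    return bits, days


if __name__ == "__main__":
    for length in (8, 12, 16, 20):
        pw = generate_password(length)
        bits, days = report(pw)
        print(f"{pw!r}: {bits:.1f} bits, ~{days:,.0f} days at 1e10 guesses/s")
```

Running the script shows how quickly an 8-character password falls (seconds at the assumed rate) and how the "weeks to months" target in the text is reached only with lengths and character sets well beyond what people choose by hand, which is the argument for letting a generator pick the password.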
Popular and effective password generators are the following:
Update: 6th May 2015:
I have found that the above-mentioned password strength tester is now limited to testing passwords of 50 characters or fewer.
Further advice on generating strong passwords without using a password generator and best practice advice on password management is discussed in the following two short YouTube videos from Sophos:
How to pick a proper password
How to choose a strong password – simple tips for better security
Aside: While I realize that I often mention Sophos blog posts and videos in general, this is simply because I have found their posts or videos very informative yet concise. I try to link to various sources and I do not endorse Sophos’ products or advice over any other source/company.
For Microsoft Active Directory (Domain Joined systems):
For corporate systems and Microsoft Active Directory joined PCs, Microsoft has updated its Local Administrator Password Solution (LAPS) tool to make domain-joined systems more secure by randomizing the local Administrator password of each system (rather than having them all set to the same value or managed manually by your IT staff).
More information on the tool is available here. In addition, a short deployment guide is available here. Other advantages of this tool include that passwords are transmitted to Active Directory encrypted (using AES) rather than in plaintext or hashed form. This tool also helps to mitigate Pass-the-Hash (PtH) attacks.
Going Further Than A Password
Whenever possible you should also use two-factor authentication. However, with two-factor authentication you should ensure that the online account supporting it has an appropriate means of recovering access should you lose your second factor (e.g. your cell phone).
Apple, Google and WordPress are examples of accounts that offer recovery codes which you can print or save in a secure location and use to access your account should you lose your second factor. I find such recovery codes ideal since they offer the extra protection of a second authentication factor while significantly reducing the possibility of locking yourself out of your account should you lose your cell phone. An excellent article detailing the advantages and disadvantages of two-factor authentication is this Sophos blog post.
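To show what makes printed recovery codes safe to offer, here is an added example (written for this page; it is not how Apple, Google or WordPress implement theirs) of the server-side half: codes are generated from the OS random source, only salted hashes are stored, and each code is accepted exactly once. The code format, salt size and hash choice are assumptions of the example.

```python
import hashlib
import hmac
import secrets

CODE_HEX_CHARS = 10  # 40 bits of CSPRNG randomness per code


def generate_recovery_codes(count=10):
    """Return `count` fresh single-use codes in the xxxxx-xxxxx form that a
    site hands to the user to print or store offline."""
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(CODE_HEX_CHARS // 2)  # 10 hex characters
        codes.append(f"{raw[:5]}-{raw[5:]}")
    return codes


def _normalize(code):
    # Accept the code however the user typed it back: with or without the
    # hyphen, in either case, with surrounding whitespace.
    return code.strip().replace("-", "").lower()


def _hash_code(code, salt):
    # A salted SHA-256 is acceptable because each code carries 40 bits of
    # CSPRNG randomness; for low-entropy secrets a slow KDF would be needed.
    return hashlib.sha256(salt + _normalize(code).encode("ascii")).hexdigest()


class RecoveryCodeStore:
    """Server-side record of one user's recovery codes. Only hashes are kept,
    so a database leak does not hand out usable second-factor bypasses, and
    every code is removed on its first successful use."""

    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        self._unused = {_hash_code(c, self.salt) for c in codes}

    def redeem(self, code):
        """Consume `code` if it is still unused; returns True on success."""
        candidate = _hash_code(code, self.salt)
        match = next((h for h in self._unused
                      if hmac.compare_digest(h, candidate)), None)
        if match is None:
            return False
        self._unused.remove(match)
        return True

    def remaining(self):
        """How many codes the user has left; sites warn when this gets low."""
        return len(self._unused)


if __name__ == "__main__":
    user_codes = generate_recovery_codes()
    print("Give these to the user to print:", *user_codes, sep="\n  ")
    store = RecoveryCodeStore(user_codes)
    print("first use:", store.redeem(user_codes[0]))   # True
    print("replay:", store.redeem(user_codes[0]))      # False
    print("remaining:", store.remaining())             # 9
```

The single-use property is what keeps a printed sheet from becoming a permanent backdoor: once a code is spent it is gone, and a reasonable site logs each redemption so the owner can spot one they did not make.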
As time progresses we may finally obtain some relief from the constant maintenance of our passwords (namely changing the more frequently used or important passwords more often). This should come in the form of the introduction of new and more widely standardized authentication tokens e.g. the USB FIDO tokens that can be used to log into your Google account.
The announcement earlier this year that Microsoft intends to support such tokens for logging into the forthcoming Windows 10 offers a lot of promise for an easier and more standardized means of using a second factor of authentication. In addition, Windows Hello will add biometric authentication (face recognition and fingerprint identification) to Windows 10 which will ease the logon process by removing the need for a password. Biometrics are also more secure than passwords.
With the wider adoption of such technologies and as they become more developed/refined perhaps within the next 5 years we might be able to finally say goodbye to the dreaded practice/topic of password management.