Using strong passwords is one of the most cost-effective, simple, and reliable methods to protect critical systems from malicious actors. However, over the last few years, the definition of a “strong password” has evolved and even become a subject of debate among cybersecurity experts.
Hackers are now leveraging increasingly advanced algorithms capable of cracking simple passwords in mere seconds. This introduces new layers of complexity that render traditional password standards obsolete. Understanding what constitutes a strong password and equipping your team with the necessary tools to create and protect these passwords is more critical than ever. Here’s what you need to know.
The evolution of password length
Gone are the days when a jumble of uppercase and lowercase letters, numbers, and special characters were considered the gold standard for password security. While well-intentioned, this approach often led to poor password hygiene; because passwords were complex to remember, users often resorted to writing them down or reusing passwords across multiple accounts.
Recent guidelines, particularly from the National Institute of Standards and Technology (NIST), have shifted the focus from complexity to length. Each additional character exponentially increases the strength of the password (or passphrase), while remaining easy to remember and type. Passphrases consist of multiple random words strung together, creating a longer and more secure password. For example, a passphrase like “correct-horse-battery-staple” is memorable and difficult to crack due to its length (28 characters) and unpredictability.
While requiring different character classes (uppercase letters, lowercase letters, numbers, symbols, etc.) technically increases the security of the password, the effect isn’t nearly as strong as simply using a longer (and more memorable) passphrase.
The debate on password rotation
Password rotation, or changing passwords regularly, has been a polarizing topic recently, with two distinct camps emerging:
- The “change passwords frequently” camp: Some organizations recommend frequent password changes to limit the window of opportunity for attackers to utilize stolen credentials.
- The “keep passwords static” camp: Organizations like NIST recommend changing passwords only if there’s evidence of a compromise, and recommend against changing them on a regular timeline. Their reasoning? Frequent changes can lead to weaker passwords because users tend to make minor, predictable alterations instead of creating new passwords (i.e., changing their password from “Spring2024!” to “Summer2024!” or simply incrementing a number at the end.)
I tend to favor less frequent password changes with a similar line of reasoning to NIST. A University of North Carolina at Chapel Hill study found that when users are required by company policy to change passwords frequently, they tend to create passwords that follow predictable patterns. As Lorrie Cranor, Chief Technologist at the Federal Trade Commission, summarized, “Of the 17% of accounts they studied, knowing a user’s previous password allowed them to guess their next password in fewer than 5 guesses.”
In another study from Carnegie Mellon, researchers found that students, faculty, and staff who reported annoyance with a password change policy ended up choosing weaker passwords than those who did not report annoyance.
Additional best practices for password security
1. Implement a password manager
While creating one strong password and using it across your systems and applications might be tempting, this strategy can lead to significant security issues. Consider this scenario: you use the same username and strong password to log into three different websites. While the first two websites remain unaffected, the third is the victim of a security breach. Hackers now have your password information that they can use across the other two websites you’ve registered with.
This type of attack, known as “credential stuffing,” is one of the most common ways that accounts are compromised. Password managers (e.g., 1Password, BitWarden, etc.) are indispensable for mitigating this risk among real estate professionals who manage multiple accounts and handle sensitive client information. These applications act as a secure “vault,” generating, storing, and managing complex, unique passwords for multiple accounts. Instead of memorizing dozens of intricate passwords, users need only one robust master password to access their vault.
Because you’re putting all your password eggs in one basket so to speak, it’s crucial to select a reputable password management vendor. A thorough vetting process should include examining the provider’s encryption methods, security protocols, and track record. For example, you’ll want to check that the vendor doesn’t have a history of security breaches.
2. Require multi-factor authentication (MFA) for every application
Microsoft reports that over 99.9% of account compromise attacks can be prevented with multi-factor authentication (MFA). That’s a staggering statistic—and one that shouldn’t be undervalued, considering how simple MFA is to set up and how prevalent it is across software vendors.
If you’re unfamiliar with MFA, it’s a simple tactic that significantly enhances security by requiring users to provide multiple forms of verification before accessing a system. For example, when users log into Qualia (and have MFA enabled), they must also submit a code from a trusted device, such as their cell phone. This code may be delivered as an SMS message or retrieved from an authenticator app. This additional step can thwart unauthorized access even if a malicious actor gains access to the user’s password.
3. Keep password education at the forefront
Ultimately, the key to robust password security lies in education. Regular security awareness training should cover best practices for creating strong passwords, the benefits of password managers, and the importance of enabling MFA. As the digital landscape continues to evolve, so must our approach to password security, and employees must be kept in the loop.
Don’t undervalue the importance of a strong password
As we continue to navigate evolving cybersecurity threat vectors, one thing is clear: the concept of a strong password is more important than ever. After all, our digital security is only as strong as our weakest password. So, the next time you’re prompted to create a new password, remember: you’re not just typing in a few characters—you’re building a fortress around your digital life. Make it count.
To learn more about security best practices, visit our Trust Center.
