Passwords are the primary means of keeping data safe from attackers: without the right credentials, access is refused. That layer of protection is easily circumvented, however, if passwords are not created with security in mind. Password policies and password management practices, at home and in organizations, help ensure systems are protected from weak or improperly shared passwords.
"Using weak passwords is much like leaving the door open to your car or house—it's just not safe." (Microsoft Security)
Two-factor authentication adds another layer of security. We recommend enabling it wherever possible, but this article focuses on password management; stay tuned in the coming weeks for our article on two- or multi-factor authentication.
How do passwords get cracked?
Knowing the why behind the rules helps both in choosing strong passwords and in understanding how passwords get cracked. Threat actors use many methods to break into accounts and reach sensitive information.
Note that most sites will not store your password directly. Instead, they store a password hash: the output of a one-way function applied to your password. The function is designed so that it cannot be run in reverse to recover the password from the hash, so an attacker who steals the hash must guess candidate passwords, hash each guess, and compare. Against stored hashes, threat actors use the following methods:
- Using brute force — trial and error to break passwords: an attacker submits many passwords and phrases (often starting from lists of common passwords and dictionary words) until one works.
- Using rainbow tables — precomputed tables built for cracking password hashes: the hashing work is done once, in advance, and a stolen hash is then matched to its password by lookup. A rainbow table only works when the site hashed passwords without a per-user salt (a random value mixed into each hash); salted hashes must be attacked one at a time.
The shorter the password, the easier it is to crack via brute force, and the more likely it is to appear in a rainbow table. Sites that hash passwords with a deliberately slow, salted function make each guess cost more, but the number of guesses needed is still set by the password itself.
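To make the two methods concrete, here is an example in Python added for illustration (it is not code from the original article or from any product). It builds a precomputed hash-to-password table from a small constructed wordlist, shows that a stolen unsalted hash of a dictionary word is recovered by a single lookup, shows that the same password hashed with a per-user salt is not in the table, and then brute-forces a three-letter lowercase password by exhaustive search. SHA-256 and the fixed demo salt are assumptions chosen so the output is repeatable; real password storage should use a slow, salted password hash such as bcrypt, scrypt or Argon2.

```python
import hashlib
import itertools
import string

# Constructed wordlist standing in for a real cracking dictionary (assumption).
WORDLIST = ["password", "letmein", "qwerty", "sunshine", "dragon", "hunter2"]

# Fixed salt so the demo is repeatable; a real system draws os.urandom(16) per user.
DEMO_SALT = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")


def sha256_hex(data: bytes) -> str:
    """Unsalted SHA-256, used here only to illustrate one-way hashing.
    Real password storage should use a slow, salted hash (bcrypt, scrypt, Argon2)."""
    return hashlib.sha256(data).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> password for every candidate word.

    This is the idea behind a rainbow table: do the hashing work once, then
    crack any matching hash with a dictionary lookup. (A true rainbow table
    compresses the table with hash chains; the lookup result is the same.)
    """
    return {sha256_hex(w.encode()): w for w in words}


def lookup(table, password_hash):
    """Return the password for a stolen hash if it was precomputed, else None."""
    return table.get(password_hash)


def salted_hash(password: str, salt: bytes) -> str:
    """Hash with a per-user salt. The salt is stored next to the hash and is
    not secret; it makes every user's hash unique, so one precomputed table
    no longer matches anybody."""
    return sha256_hex(salt + password.encode())


def brute_force(target_hash: str, alphabet: str, max_len: int):
    """Try every string over `alphabet` up to `max_len` characters.

    Returns (password, number_of_guesses) or (None, number_of_guesses).
    The guess count grows as len(alphabet) ** length, which is why short
    passwords over small alphabets fall quickly.
    """
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if sha256_hex(candidate.encode()) == target_hash:
                return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)

    # 1. A stolen, unsalted hash of a dictionary word is cracked by one lookup.
    stolen = sha256_hex(b"hunter2")
    print("unsalted lookup:", lookup(table, stolen))        # hunter2

    # 2. The same password salted per user is not in the precomputed table.
    stolen_salted = salted_hash("hunter2", DEMO_SALT)
    print("salted lookup:", lookup(table, stolen_salted))   # None

    # 3. A short password over a small alphabet falls to exhaustive search.
    found, tries = brute_force(sha256_hex(b"zzz"), string.ascii_lowercase, 3)
    print("brute force:", found, "after", tries, "guesses")  # zzz after 18278 guesses
```

Lengthening the brute-force target by one lowercase letter multiplies the worst-case guess count by 26; widening the alphabet to all 94 printable characters multiplies it per position by 94. Salting does not slow an attack on one specific account, but it does force the attacker to redo the work for every account instead of reusing one table.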
What's a good password?
The Canadian Centre for Cyber Security (Cyber Centre) recommends the use of passphrases: they are longer, but easier to remember, than a random mixed-character password. A passphrase is a sequence of words, with or without spaces between them. The Cyber Centre's recommended minimum is four words and 15 characters. One way to generate a passphrase is the "diceware" method: roll five dice, look up the resulting five-digit number in the diceware word list (which has one entry for each of the 7,776 possible rolls), and repeat for each word. Note that a diceware passphrase should be at least six words long, because the word list is public and its security comes only from how many words were drawn.
Where passphrases cannot be used (usually due to length restrictions) the Cyber Centre recommends a password with a minimum of 12 characters that is as complex as possible. A password made up of lowercase and uppercase letters, as well as numbers and special characters, is more complex than a password of only lowercase letters.
Avoid weak passwords: those that are too short, simple, reused, common, or personal to you (e.g. a birthdate, or a loved one's or pet's name).
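The following Python example is added here for illustration (it is not code from the original article or from the Cyber Centre). It generates a diceware-style passphrase and a random mixed-character password from the operating system's cryptographic random source, converts a physical five-dice roll to a word-list index, computes how many bits of guessing entropy each choice gives, and checks a candidate against the minimums above (four words and 15 characters for a passphrase, 12 characters otherwise). The eight-word sample list is a constructed stand-in for the real 7,776-word diceware list, and the "at least three character classes" test is our own assumption used to make "as complex as possible" checkable.

```python
import math
import secrets
import string

# Constructed stand-in for a diceware list (assumption). A real list has
# 6**5 = 7776 entries, one for every five-dice roll from "11111" to "66666".
SAMPLE_WORDS = ["apple", "bison", "cable", "delta", "eagle", "flint", "grape", "hazel"]
FULL_LIST_SIZE = 6 ** 5  # 7776

# 26 lower + 26 upper + 10 digits + 32 punctuation = 94 printable ASCII characters
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def roll_to_index(roll: str) -> int:
    """Convert a physical five-dice roll such as '41352' to a 0-based index
    into a full 7776-word list (base 6, digits 1..6)."""
    if len(roll) != 5 or any(ch not in "123456" for ch in roll):
        raise ValueError("a diceware roll is five digits, each 1-6")
    index = 0
    for ch in roll:
        index = index * 6 + (int(ch) - 1)
    return index


def diceware_passphrase(wordlist, n_words: int = 6, separator: str = " ") -> str:
    """Pick n_words uniformly at random from wordlist using the OS CSPRNG.
    For a full 7776-word list this is equivalent to rolling five dice per word."""
    return separator.join(wordlist[secrets.randbelow(len(wordlist))] for _ in range(n_words))


def random_password(length: int = 12, alphabet: str = PASSWORD_ALPHABET) -> str:
    """Random mixed-character password for sites that cap password length."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices_per_symbol: int, n_symbols: int) -> float:
    """Guessing entropy in bits when every symbol (word or character) is chosen
    independently and uniformly from `choices_per_symbol` options."""
    return n_symbols * math.log2(choices_per_symbol)


def meets_cyber_centre_guidance(candidate: str) -> bool:
    """Check the article's minimums: a passphrase of at least four words and
    15 characters, or otherwise a password of at least 12 characters drawing on
    at least three character classes. The 'three classes' threshold is an
    assumption made here so that 'as complex as possible' can be tested.
    A passphrase written without separators cannot have its words counted,
    so it is judged by the character rule instead."""
    words = candidate.split()
    if len(words) >= 4 and len(candidate) >= 15:
        return True
    classes = sum(bool(set(candidate) & set(cls)) for cls in (
        string.ascii_lowercase,
        string.ascii_uppercase,
        string.digits,
        string.punctuation,
    ))
    return len(candidate) >= 12 and classes >= 3


if __name__ == "__main__":
    phrase = diceware_passphrase(SAMPLE_WORDS, n_words=6)
    print("passphrase:", phrase)
    print("bits with the full list:", round(entropy_bits(FULL_LIST_SIZE, 6), 1))  # 77.5
    print("roll 41352 ->", roll_to_index("41352"))

    pw = random_password(12)
    print("password:", pw)
    print("bits for 12 random printable chars:", round(entropy_bits(94, 12), 1))  # 78.7
    print("bits for 8 random lowercase chars:", round(entropy_bits(26, 8), 1))  # 37.6

    for c in ["correct horse battery staple", "correct horse", pw]:
        print(repr(c), "meets guidance:", meets_cyber_centre_guidance(c))
```

The two entropy figures show why the Cyber Centre's numbers line up: six words from a 7,776-word list and twelve random characters from the full printable alphabet both give roughly 78 bits, while eight random lowercase letters give under 38 bits. Note that the entropy calculation assumes words or characters chosen uniformly at random; a passphrase you compose from a favourite song or quotation is far weaker than its length suggests.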
Should I share my password?
NO. Every individual needing to access a system should have their own account and password. This ensures system access remains auditable and reduces the risk of inadvertently sharing passwords with a threat actor. Most systems allow delegation of privileges to other users (e.g. to monitor or manage your email) without needing to share your password — ask your IT department or service provider for assistance setting this up.
Should I reuse a password?
NO. Once an attacker obtains your password (through whatever means), they will try that same password, and common variations of it, against your other accounts. Automated "credential stuffing" attacks do this at scale, replaying lists of leaked usernames and passwords against popular sites.
How often should I change my passwords?
Only change passwords when they might have been compromised. Gone are the days of changing your password on a schedule: the National Institute of Standards and Technology (NIST) no longer recommends forcing users to change passwords periodically, because doing so leads to behaviour (small predictable variations, passwords written down) that makes passwords weaker over time. Do change a password promptly when there is evidence it was exposed, for example in a data breach.
What about password managers?
Keeping track of unique, complex passwords for every account is challenging, and memorizing all of them is virtually impossible. Insecure storage such as Excel sheets, Word or text files, sticky notes on your monitor and a notebook on your desk must be avoided. Password managers, on the other hand, if selected and used appropriately, can help you securely create, store, and recall your passwords.
A password manager is an encrypted vault that stores usernames, passwords and other sensitive details for different accounts. There are two main types of password managers: browser-based and stand-alone. Each password management solution has different features, design, and vulnerabilities. A good fit for one organization may not be for another.
Although convenient, password managers carry risks of their own, the greatest being that a single compromise exposes every account stored in them. Weigh the value of the accounts you keep there: storing sensitive accounts in the manager raises what is at stake if it is breached. Your master password, ideally a master passphrase, should be among your strongest, because it effectively unlocks everything. Remembering this phrase and keeping it safe is vital to the security of your data. If you need to write it down, keep it in a safe place that is separate from the device or service holding the vault. Never share your master password.
If your master password or password manager is compromised or hacked: immediately change every password stored in it, starting with the master password, and enable two-factor authentication on the most important accounts where it is available.
Implement password management best practices with Highway 99
Contact us to discover how to best manage your organization's data. We provide appropriate solutions that keep your systems safe.