Beyond the Told

by Dr. David M Robertson

Best Password Practices – Even Against AI

Advertisements

With my security management background and previous field experience (in my previous life), I am sometimes asked about the best practices for password creation and maintenance. Such questions have increased in frequency in recent years due to artificial intelligence and the seemingly endless scams that have flooded the internet in recent years. However, despite the advances in AI, I would argue that many of the fundamental principles of password security remain relevant. Of course, the increasing capabilities of AI-driven attacks necessitate some updated strategies. So, in this article, I’ll share my insights on the best ways to create and manage passwords, including ideal length, character variety, and overall best practices. We’ll also discuss some complementary measures to ensure comprehensive information security and account access.

Password Length: How Many Characters and Why?

One of the most overlooked elements of password creation is the length. The length of a password is critical to its strength. As computational power increases and AI-driven password-cracking techniques become more sophisticated, longer passwords provide a more robust defense against brute-force attacks.

  • Minimum Length: Experts typically recommend a minimum of 12-16 characters for passwords. This length significantly increases the time required for AI algorithms to crack it. Some have even argued for passwords as long as 64 characters, which is now considered a common maximum length.
  • Why Length Matters: The number of possible combinations increases exponentially with each additional character. For instance, a 12-character password consisting of upper and lower case letters, numbers, and special characters offers 94^12 possible combinations, making it infeasible for even the most advanced AI to crack quickly. Moreover, this length deters would-be hackers from wasting their time. Not many want to spend thousands of years (literally) on a hack. They are looking for much easier targets.

Types of Characters to Use and Why

A strong password should typically include a variety of character types to maximize complexity and reduce predictability.

  • Uppercase and Lowercase Letters: Keep in mind that mixing uppercase and lowercase letters increases the number of possible character combinations and makes the password more complex.
  • Numbers: Including numbers further enhances complexity. A password without numbers is more predictable and easier for AI to guess.
  • Special Characters: Special characters like @, #, $, %, &, etc., add another layer of complexity. They are less common in dictionary words and thus harder for AI to predict.

Overall Best Practices for Password Creation

Creating a strong password involves more than just length and complexity. Here are some best practices:

  1. Avoid Common Words and Phrases: AI algorithms are adept at recognizing and predicting common words and phrases. Avoid using easily guessable passwords like “password123” or “Abby@Home1978”.
  2. Use Passphrases: A passphrase is a sequence of random words. Introducing other elements with a passphrase makes the password very strong (e.g., “Correct1Horse@BatteryStaple#”). Passphrases can be easier for you to remember and still highly secure if they are long and unique enough.
  3. Randomness: Use a random password generator to ensure passwords are not based on predictable patterns. Many password managers offer this feature.
  4. Uniqueness: And while this can be a pain, know that each account should have a unique password. That’s because reusing passwords across multiple sites increases the risk of a single breach compromising multiple accounts.

Best Practices for Password Storage

Know that even the strongest passwords are vulnerable if not stored securely.

  1. Password Managers: Use a reputable password manager to store and organize passwords. Password managers can generate and remember complex passwords, reducing the temptation to reuse or simplify passwords.
  2. Secure Notes: For highly sensitive information, use the secure notes feature in password managers.
  3. Two-Factor Authentication (2FA): Enable 2FA wherever possible. This adds an additional layer of security by requiring a second form of verification, such as a text message code or an authentication app.
  4. Regular Updates: Periodically update passwords, especially for critical accounts. Even strong passwords can become compromised over time.

Complimentary Practices for Ensuring Information Security and Account Access

  1. Monitor Accounts Regularly: Keep an eye on your accounts for any suspicious activity. Early detection of unauthorized access can prevent further damage.
  2. Security Questions: Avoid using easily guessable answers for security questions. Treat them like passwords in terms of complexity.
  3. Email Security: Secure your email accounts, as they are often the key to resetting passwords for other accounts. Use strong, unique passwords and 2FA for your email.
  4. Stay Informed: Keep up with the latest security practices and potential threats. Being aware of phishing scams and new hacking techniques can help you stay one step ahead.
  5. Software Updates: Regularly update your software, including your operating system, browsers, and any security tools. Updates often include patches for security vulnerabilities.
  6. Backup Data: Regularly back up important data to secure locations. In the event of a breach or ransomware attack, having backups ensures that you don’t lose critical information.

So, hopefully, this helps. In a lot of ways, the old saying still holds: the best defense is a great offense. Being proactive and following these guidelines can help you create robust passwords that resist being hacked – even against modern AI-driven attacks. Stay vigilant!


Keep learning! Check out my article titled How To Spot And Stop AI-Generated Frauds.

Advertisements