For a long time, we’ve been trained to use complex passwords, for example ones that include capital letters, numbers and special characters. While this may have been the answer to account security in the past, I’m going to point out some faults in continuing down this path, and a method to help move your service forward into a more secure future.

Password policies

To enforce good password management, companies make users renew their password every 3 months or so. This usually results in people reusing older iterations of their passwords or putting the current month/year in their passwords – i.e. password management practices that are not very secure!

Another option is to use a password manager. This keeps your passwords better protected and not that easily accessible. But it is still just another way to write the password down: a modern way to game the system and make your accounts easier to get into. The password manager still needs a master password – remember, an attacker only needs to break the weakest link in the chain to get access to everything.

A passphrase instead?

A better option might be to use a password with many characters (whether letters, numbers or special characters). A longer password, even one made by stringing ordinary words together into a sentence, is hard to crack yet easier to remember. This removes the need to write it down somewhere.

In fact, this idea isn’t new. NIST suggested an easy-to-remember long passphrase rather than a hard-to-remember complex password back in 2017! Have a look at the XKCD comic strip below – it strips away the math jargon and makes it easy to understand why a longer passphrase is better.

[XKCD comic strip about passphrases]

What about Time-based One-time Passwords (TOTP)?

While long passphrases are better than complex passwords, there are additional ways to strengthen account security. One of the most common is the Time-based One-time Password (TOTP). TOTP solutions include physical tokens that rotate six-digit numbers or, as is more popular now, an authenticator app on your phone; codes sent via SMS are the related, weaker option (strictly, an SMS code is generated by the service and sent to you rather than derived on your device, and the phone network it travels over is outside your control).

Using TOTP gives your accounts a second authentication factor (2FA). Anyone trying to access your account needs not only your username and password but also a time-limited code. The code is derived from a secret issued uniquely to your device, which in practice means that anyone trying to gain unauthorised access to the account either needs to be in possession of the device or needs to get the account owner to hand the code over.

More and more services are providing TOTP through applications that generate the time-based code. If you use your Google, Microsoft or Apple account to sign in to more and more other services (known as BYOI, bring your own identity), securing that identity becomes significantly more important.

Google Authenticator

One of the most downloaded and widely used TOTP authenticator applications is Google Authenticator. Setup is usually done through a QR code that the user scans on their phone, which loads the account ‘secret’ into the app. From then on the application generates 6-digit codes computed from the secret and the current time (time of day); the codes look random but are fully determined by those two inputs. Because the secret is stored on the device and the code depends only on that secret and the device’s clock, the device needs no internet access to produce the time-based password; it only needs a reasonably accurate clock. Microsoft’s Authenticator and Apple’s two-factor authentication work similarly.

In conclusion, an easy-to-remember longer passphrase is more secure than a shorter complex password. Adding 2FA in the form of TOTP provides another much-needed layer of security.

Ubisecure Customer IAM solutions support TOTP. Reach out to us to learn more about TOTP and how your organisation can improve its password security posture.