Create and maintain strong passwords

Updated 10 January 2021

    1. Introduction

    Passwords are the key to securing your data and identity. Therefore, attackers will use various tricks when trying to figure them out. However, we can defend against most of these tricks by applying a few important tactics and solutions, such as multi-factor authentication and secure password managers.

    • Do: Choose complex and random passwords. Don't: Choose simple passwords that are easy to guess.
    • Do: Choose unique passwords for each account. Don't: Use the same or similar passwords for multiple accounts.
    • Do: Use a password manager. Don't: Leave notes with passwords around your desk.
    • Do: Avoid logging in on untrusted devices. Don't: Use public devices to log in and then leave your passwords unchanged.
    • Do: Enable two-factor authentication. Don't: Rely on a single layer of protection (e.g. password only).
    • Do: Keep passwords to yourself. Don't: Share passwords with others.

    Threats:

    The following are some of the most common ways attackers try to obtain your passwords.

    1. Adversaries can guess your password:
      • Using your personal information such as important dates, names, famous quotes, songs or authors you like
      • Using a computer programme to try all possible combinations to unlock your passwords
    2. Adversaries can look for:
      • Where your passwords are written down
      • What you’re typing as passwords
      • Passwords that have already been breached and are available online
    3. Adversaries can trick you into:
      • Installing malware (for example a keylogger) that records your password
      • Typing your password into a fake login page (phishing)
      • Providing your passwords or other information to someone pretending (social engineering) to be a support person or someone you know

    2. Basic Principles & Tactics

    A password should be difficult to guess

    Make it long: The longer a password is, the less likely that someone, or something (e.g. a computer programme), will guess it easily. Instead of using one or two words, some people use passphrases that contain several words and numbers.

    Make it complex: In addition to length, the complexity of a password also helps prevent adversaries from guessing the right combination of characters. Your passwords should include upper case letters, lower case letters, numbers and symbols.

    Avoid using information about you or people around you: Your password should not be related to you, or people and organisations around you. Avoid choosing a word or phrase based on information such as your name, organisation, date of birth, important anniversary (such as 10th December - the Human Rights Day), telephone number, child's name, pet's name or anything else a person could learn by researching you and people around you.

    Passwords should be difficult to find

    Keep it safe: Carefully plan how you keep your passwords. Remembering a long, unique password can be a challenge. To help you remember the password, you may write it down on a note. However, it’s important to decide where you will keep the note, and for how long, as a note could create more risks. For instance, it is unsafe to write down your password and keep it where someone can have a clear view of it, in your wallet where someone can find it, or in the trash bin outside your office without first destroying it.

    Storing your passwords in a regular, unencrypted document is not advised. As an alternative, you should choose a strong password and record it in a secure password manager, such as KeePassXC (Read more on our guide). Password managers are specifically designed for this purpose. If you would like to learn how to create a long, complex password that is still memorable, have a look at the "Remembering Secure Passwords" section below. As a reminder, the browser you use is NOT a safe place to store your passwords.

    Be mindful of your surroundings: Adversaries can monitor and record you entering a password. If you’re in a public space and type your password, be mindful of whether you can be seen or recorded. Check around to see if anyone is watching your keyboard or phone while you type your passwords. You can also attach anti-glare or privacy protectors to your screen to avoid unwanted views.

    Case study
    An activist's mobile phone was confiscated under a false charge of sedition. Her mobile device was locked with a password and she refused to provide it. However, prosecutors managed to unlock her phone and access all data. How did they manage it? Prosecutors studied her daily routines and noticed there was a CCTV camera in the lift of the building where she lives. They were able to obtain the recorded footage in which she typed her password as she unlocked her phone.

    Make it unique: Avoid re-using the same password for more than one account. Otherwise, anyone who learns that password may also gain access to your other accounts or devices. For similar reasons, it is a bad idea to rotate passwords by swapping them around between different accounts.

    Reusing the same password is particularly risky, as more and more services are being compromised and having their password databases exposed online. Take a look at security researcher Troy Hunt's "Have I Been Pwned" for specific examples and to see if any of your passwords have been leaked. Keep in mind, many account breaches go undiscovered, so you should still upgrade your weak passwords even if none of your accounts show up here.
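    Have I Been Pwned lets you check a password against a breach corpus without ever sending the password itself: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every hash suffix that shares that prefix, and completes the match locally. The following added example (not code from the Have I Been Pwned site or this guide) implements that k-anonymity scheme against a constructed in-memory corpus, so it runs offline; the corpus and its counts are made up, and the five-character prefix length mirrors the scheme the real service uses.

```python
import hashlib


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form breach corpora use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breached-password corpus: SHA-1 hash -> number of
# times the password was seen in breaches. Entries and counts are made up.
BREACHED_CORPUS = {
    sha1_hex("password"): 3_000_000,
    sha1_hex("letmein"): 250_000,
    sha1_hex("Summer2021!"): 40,
}

PREFIX_LEN = 5  # hex characters disclosed to the lookup side


def range_query(prefix: str, corpus: dict) -> dict:
    """What the lookup side answers: every (suffix, count) for hashes that start
    with the given prefix. It never learns the full hash or the password."""
    return {h[PREFIX_LEN:]: count
            for h, count in corpus.items() if h.startswith(prefix)}


def breach_count(password: str, corpus: dict) -> int:
    """Return how often the password appears in the corpus (0 = not found),
    disclosing only the first PREFIX_LEN hex characters of its hash; the
    comparison against the full suffix happens locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return range_query(prefix, corpus).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "Summer2021!", "correct horse battery staple"):
        n = breach_count(candidate, BREACHED_CORPUS)
        verdict = f"seen {n} times in breaches, do not use" if n else "not in the corpus"
        print(f"{candidate!r}: {verdict}")
```

    A password absent from the corpus is not proven strong (the guide's warning that many breaches go undiscovered applies), but a password present in it should be treated as already known to attackers.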

    Change it occasionally: Some researchers concluded that frequent password change requirements are “a bad security idea” and don't necessarily improve security. The researchers found when people are required to change passwords frequently, they tend to make only small changes from the old password, instead of coming up with an entirely new password. Read more about the research here. This is why we recommend changing passwords occasionally, instead of regularly changing passwords.

    It is advised to change your online passwords every half year and your offline passwords every year, because you may not learn of a breach when it happens. However, you must change your password as soon as there is reason to believe it may be compromised. These instances include:

    • Evidence of breaches to your account, devices or even to your colleagues and people around you. If the breach has already happened, it is crucial to control and minimise the damages by warning people around you.
    • Receiving a warning that there was an attempt to log in from an unauthorised device or location. This is a warning that service providers will send if a suspicious log-in attempt was made.
    • You entered your passwords on an untrusted device that may potentially have malware or key-loggers installed.
    • You are concerned that someone has watched you type your passwords and may try to log into your account.
    • When a breach of an online service you've signed up for is reported.

    Passwords should be treated as secrets

    Avoid sharing your passwords: Sharing passwords is generally not a good practice. If you must share a password with a friend, family member or colleague, you should first change it to something temporary and share that one, then change it again when they are done using it.

    There are often alternatives to sharing a password, such as creating a separate account for each individual who needs access to services or devices.

    Be vigilant: Adversaries may deploy various tricks to make you give away your passwords. You must remain vigilant to spot anything suspicious and be able to verify whether this is false. If you receive a request to change or share your passwords, make sure you verify that it is a genuine request.

    3. Technical and behavioural solutions

    Here are some solutions that will help you follow the tactics suggested above.

    Password manager

    You can address some of the issues highlighted above by using a password manager. It will help you create and manage multiple accounts with unique, long, complex randomly generated passwords. If you have not used a password manager before, we suggest you make a gradual transition beginning with managing only a few accounts. It is also a good idea to make the transition effort as a team to help each other in the process.

    Selecting the right password manager is also important. We recommend KeePassXC (Read more on our guide), as it's free to use, has been verified as secure by community experts and continues to be updated. KeePassXC stores passwords in an offline database, which means you have control over where the data is stored and how it is managed.

    For those who are considering an online password manager, it is important that you understand the risks involved and take appropriate measures. These include avoiding storing highly sensitive accounts in the online database and protecting access to the online database with two-factor authentication. We recommend Bitwarden Open Source Password Manager.

    Random password generator:

    Once you become familiar with your password manager, it is time to change all your passwords to unique, complex, randomly generated passwords. From the moment you start using a password manager, you will not have to memorise your passwords, as your password manager will do this job for you. KeePassXC (Read more on our guide), and most other password managers, have a random generator feature to help you create passwords. Do not forget to make a backup copy of your password database file so you will never lose access to your accounts!

    Remembering Secure Passwords

    Ultimately, there are some passwords you must memorise, including the master password to your password manager. There are strategies that can help you create passwords which are easy to remember but extremely difficult to guess, even for a clever attacker with a powerful 'password cracking' software.

    Please note, some of these strategies are common and attackers may also be aware of them. For instance: “starting each word with an upper case letter”; “replacing a character with a similar symbol" (e.g. replacing "a" with "@" etc.); “putting an exclamation mark at the end”; or "using common phrases, such as famous quotations, song lyrics and poems."

    One technique we recommend to create a secure and memorable passphrase is called "diceware". First, you need a list of numbered words and a die. Second, you randomly select at least six words from the list by rolling the die and picking the word with the corresponding number. Those words, in order, will be your passphrase. Next, you create a mental image using the words, in order, which will help you remember the combination of the words. The Electronic Frontier Foundation provides a detailed guide on how to use diceware.
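    The following added example (not code from this guide or from the EFF) shows both the diceware procedure and why "make it long" matters: it rolls dice with the operating system's cryptographic random source, looks each roll up in a numbered word list, and computes the entropy of the result next to that of a character password. The 36-word list keyed by two dice is constructed for illustration; the EFF long list is numbered by five dice and has 7776 entries, which is the size the entropy comparison uses.

```python
import math
import secrets

# Constructed 36-entry word list numbered by two dice rolls (11 to 66). It
# stands in for a real list such as the EFF long list, which is numbered by
# five dice and has 6**5 = 7776 entries.
WORDLIST = {
    "11": "acid",  "12": "album",  "13": "alpha",  "14": "amber",  "15": "anchor", "16": "apple",
    "21": "arrow", "22": "badge",  "23": "bagel",  "24": "banjo",  "25": "basil",  "26": "beach",
    "31": "cabin", "32": "cactus", "33": "camel",  "34": "candle", "35": "canoe",  "36": "carrot",
    "41": "daisy", "42": "dance",  "43": "delta",  "44": "denim",  "45": "diesel", "46": "dolphin",
    "51": "eagle", "52": "ember",  "53": "engine", "54": "envoy",  "55": "escort", "56": "ethics",
    "61": "fable", "62": "falcon", "63": "fence",  "64": "fiddle", "65": "finch",  "66": "flame",
}

EFF_LONG_LIST_SIZE = 7776  # 6**5 words, five dice per word


def roll_die() -> int:
    """Roll one fair six-sided die using the OS CSPRNG (secrets), never random()."""
    return secrets.randbelow(6) + 1


def word_for_rolls(wordlist: dict, rolls: str) -> str:
    """Return the word whose number matches a string of dice rolls such as '23'."""
    return wordlist[rolls]


def diceware_passphrase(wordlist: dict, n_words: int = 6, roll=roll_die) -> str:
    """Build a passphrase by rolling dice. Every key in the list has the same
    number of digits, so that many rolls select exactly one word."""
    dice_per_word = len(next(iter(wordlist)))
    words = []
    for _ in range(n_words):
        rolls = "".join(str(roll()) for _ in range(dice_per_word))
        words.append(word_for_rolls(wordlist, rolls))
    return " ".join(words)


def passphrase_entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy of n_words words drawn uniformly from a list of list_size words."""
    return n_words * math.log2(list_size)


def password_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` characters drawn uniformly from an alphabet of
    alphabet_size symbols (94 = printable ASCII without space)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print("toy passphrase:", diceware_passphrase(WORDLIST, n_words=6))
    print("6 words from the toy list:      %.1f bits" % passphrase_entropy_bits(len(WORDLIST), 6))
    print("6 words from the EFF long list: %.1f bits" % passphrase_entropy_bits(EFF_LONG_LIST_SIZE, 6))
    print("8 random printable characters:  %.1f bits" % password_entropy_bits(94, 8))
    print("12 random printable characters: %.1f bits" % password_entropy_bits(94, 12))
```

    The entropy figures only hold when the words are chosen by the dice, not by you: a six-word phrase from the full list is about 77.5 bits, which beats an eight-character random password (about 52 bits) while being far easier to remember.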

    Two-factor authentication

    Having multiple barriers is always more secure and, therefore, always recommended. If the first layer of protection is breached, you can rely on the second to protect your digital assets. Many online services, including banks, email and social media, provide two-factor authentication (2FA) as a security option. Check which services offer 2FA.

    Your account settings’ privacy or security section will help you enable two-factor authentication, so when you log in (especially from a new device or location) you will need to provide your username and password along with the 2FA, such as a generated code or a biometric.

    Receiving the 2FA code over SMS is the least secure option as it relies on trusting the mobile phone company. Receiving the code over email is safer. The safest is generating the code on your device with an app or program, assuming the device is secure, or using a hardware authentication device.

    Adding the additional authentication factors may seem inconvenient, but the extra security benefits outweigh the inconvenience. It is crucial that you securely protect all of your authentication factors!

    2FA device

    Using a hardware device (also called a security token or dongle) as a second factor of authentication may be the most secure option. There are many devices to choose from. Some of the most popular are Yubikey or Nitrokey.

    2FA mobile applications

    If you do not have a dedicated device to generate codes, you can also use a mobile phone as a two-factor authenticator. In this case, it’s important that you keep your mobile phone secure and clean from spyware.

    If a service supports both SMS and app-based two-factor authentication codes, you should opt for the latter. SMS text messages are not encrypted and attackers have successfully intercepted these one-time codes on their way to a target's phone.

    We recommend using the Aegis app on Android or Raivo OTP app on iOS/iPhone. Once these apps are configured to work with your account, they do not require an internet connection to generate 2FA codes.

    Other important notes on 2FA

    Keep backup codes safe, but in separation: Most online services will give you a list of backup codes when you first enable two-factor authentication for a given account. These backup codes are unique in that they never expire. It is important to keep the backup codes safe as they are your way back into your account if you lose access to whatever device normally generates your one-time codes. As a reminder, anyone who has your password can access your account using any one of the codes.

    Therefore, a secure password manager, such as KeePassXC, is an excellent place to store this type of information. However, keep in mind that separation is also an important strategy: you can keep your backup codes in a separate database from your other passwords, so that the two are clearly separated.

    Keep your 2FA on: Some online services may present you with an option to disable two-factor authentication for a period of time once you’re signed in. This may seem like a convenient solution to reduce the sign in steps. However, you must consider potential threats and security gaps when disabling two-factor authentication.

    4. Frequently Asked Questions

    Q: Is it safe to use biometrics for passwords or two-factor authentication?

    A: Biometrics are a common replacement for passwords. However, they are generally a less secure way of locking your device and account. For example, you cannot change your biometric information whenever you like. You are also required to leave biometric information, such as fingerprints, in airports, government offices, etc., which creates a potential risk. When you are physically restrained by adversaries, unlocking devices with biometrics is even easier than with passwords.

    Within the spectrum of different types of locking you can choose, passphrases/passwords are the most secure solution while biometrics remain one of the weakest options.

    Strong → Weak: passphrases or passwords > long PIN > short PIN, unlock pattern (shape) or biometric

    Q: How do I securely set up recovery questions?

    A: Many web services ask for "security questions" when you create your account. Examples might include: your favourite fruit, where you went to primary school, the name of a street you lived on as a child, or your mother's maiden name. Some services use these questions to verify your identity if they suspect someone else is trying to access the account. In many cases, the answers to your security questions can also be used to change your password in case you forget it.

    The answers to those questions can be easy to find, so it is often a good idea to provide unrelated answers to these questions. You should keep track of these unrelated responses (e.g. in a password manager).

    5. Further reading