In the first part of this series, we decried the overreliance on passwords for authentication. In the second, we discussed the full range of means at one’s disposal. In the third, we described the advantages of using multiple means in conjunction with one another. In this fourth and final part, we detail how, when no other option is presented, one can use single-factor, password-based authentication (PBA) as securely as possible.
Before we cover this, however, note that there is a trend towards the introduction of multi-factor authentication (MFA) into popular software and services—cloud storage services Dropbox and Box both offer it, as does Microsoft’s Office 365 suite. If you find that your service of choice still only offers PBA, consider contacting the developers to ask if they have any plans to introduce MFA. They may already have such plans, or the pressure of multiple customers requesting it may urge them to consider it. If they say no, and the service is used for sensitive business activity, consider what their approach to security implies about the trustworthiness of the entire suite. Of course, if you are using free software, you could even look into implementing MFA yourself.
But alas, you are still stuck with only PBA for the time being. Firstly, consider allowing the use of password managers, or asking your employer about them if that decision is above your pay grade. These programs allow you to securely store any number of passwords for different sites and services, protected behind a single master password (and, often, with the option of MFA), drastically reducing the cognitive load on you to remember them all. Many also come with tools that allow you to generate long, complex, random passwords automatically.
However, you will still need to remember some passwords that cannot be stored—those used to log into the machine on which your password manager runs, for example, or to open the password database. Here, your approach will depend on the constraints put on you by policy and technology alike. We will start with the ideal situation, and then work our way down.
Ideally, your password will have no length or complexity requirements. If so, you can use a passphrase, or a string of random words separated by spaces (e.g. ‘correct horse battery staple’). You should use at least 5 words, although more is better, and they must be random—consider using something like the Diceware method to generate them. These are very secure, whilst also being very memorable.
You may want to create a generic set of characters to append to the end (e.g. ‘correct horse battery staple1A$’). If some software insists you add certain characters, you can simply add these to the end of your passphrase and satisfy it.
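To make the passphrase advice above concrete, here is an added example (not code from the original article) that generates a Diceware-style passphrase with the `secrets` module, computes its entropy, and appends a fixed suffix only when a complexity rule actually requires it. The word list is a short constructed sample standing in for the real 7776-word Diceware list; the function and constant names are this example's own.

```python
import math
import secrets

# Constructed sample word list for this example only. A real Diceware list has
# 6**5 = 7776 words, each keyed by the result of five six-sided dice rolls.
SAMPLE_WORDLIST = (
    "correct horse battery staple anchor beacon candle dragon ember falcon "
    "garden harbor island jacket kettle lantern marble needle orchid pepper "
    "quartz rocket saddle tunnel velvet walnut yellow zipper"
).split()

DICEWARE_LIST_SIZE = 6 ** 5  # 7776 entries in the standard Diceware list


def dice_roll_index(rolls, sides=6):
    """Map a sequence of dice rolls (each 1..sides) to a 0-based list index.

    This mirrors how Diceware turns a five-digit key such as 11111 or 66666
    into a position in its word list, so physical dice can drive the lookup.
    """
    index = 0
    for roll in rolls:
        if not 1 <= roll <= sides:
            raise ValueError("dice roll out of range")
        index = index * sides + (roll - 1)
    return index


def passphrase_entropy_bits(list_size, word_count):
    """Entropy of `word_count` words drawn uniformly from `list_size` entries.

    Each word contributes log2(list_size) bits; five Diceware words give about
    64.6 bits, six give about 77.5 bits.
    """
    return word_count * math.log2(list_size)


def missing_character_classes(text):
    """Return the set of character classes a complexity rule might demand
    that `text` lacks: 'digit', 'upper' or 'symbol'."""
    missing = set()
    if not any(c.isdigit() for c in text):
        missing.add("digit")
    if not any(c.isupper() for c in text):
        missing.add("upper")
    if not any(not c.isalnum() and not c.isspace() for c in text):
        missing.add("symbol")
    return missing


def generate_passphrase(wordlist, word_count=5, suffix="", rng=secrets):
    """Pick `word_count` words with a CSPRNG (the `secrets` module by default).

    `suffix` is the generic character set the article suggests appending
    (e.g. '1A$'); it is added only if the bare passphrase would fail a
    digit/upper/symbol complexity rule, so it stays optional otherwise.
    """
    if word_count < 5:
        raise ValueError("use at least five random words")
    words = [rng.choice(wordlist) for _ in range(word_count)]
    passphrase = " ".join(words)
    if suffix and missing_character_classes(passphrase):
        passphrase += suffix
    return passphrase


if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDLIST, 5, suffix="1A$")
    print(phrase)
    print("entropy with a full Diceware list: "
          f"{passphrase_entropy_bits(DICEWARE_LIST_SIZE, 5):.1f} bits")
```

The entropy figure assumes words are chosen uniformly at random from the whole list; picking words yourself, or from a list an attacker can guess you favour, gives far less than the number suggests. The suffix is constant across passphrases, so it satisfies a complexity rule without adding meaningful entropy; the words carry the strength.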
In a worst-case scenario, where your service restricts the length of your password and you are unable to seek an alternative, ensure that your password is as long as possible (at least 8 characters), not a piece of easily discoverable information, not a common password (e.g. ‘password’) and not reused across multiple services.
In this series, we have covered the modern approach to authentication—use passwords only when absolutely required and always combine authentication methods where possible. Hopefully, by following this advice, we will have helped you to keep yourself and your business safe and secure.