
What makes a password secure?

IT security is constantly evolving to counter threats, but the password remains a key part of our security arsenal


The password has been a vital tool for computers for decades. In the mid-‘60s Fernando Corbato, an academic at the Massachusetts Institute of Technology (MIT), devised a system that allowed multiple people to use a computer at the same time. Corbato gave each user a password that kept their files hidden from others, so their activities weren’t interrupted.

Fast-forward to 2021 and Corbato’s humble solution is the key to unlocking our digital lives – from bank accounts and emails to the apps and cloud services we use daily for work. People are logging in to more devices than ever, and with the post-COVID shift to hybrid work the number of passwords businesses and employees are juggling is multiplying.

However, with this password proliferation comes an increased threat of cyber attacks and data breaches. The recent RockYou2021 leak saw a 100GB text file emerge compiling a staggering 8.4 billion compromised passwords. Websites like Have I Been Pwned? and BreachAlarm will scan for new data leaks and tell you if your password has been stolen.

Hackers utilise a variety of tactics to snare valuable credentials. Credentials can be acquired on the dark web, where cyber criminals make a business out of exchanging leaked data for money. Brute force attacks see automated software running through different character combinations in a bid to break in.

Phishing, meanwhile, uses social engineering to pressure and intimidate would-be victims into handing over personal information. For example, individuals may receive a scam email saying they need to change their online banking password; they’ll then be directed to a fake website that resembles the bank’s login page, in the hope that they’ll enter their details.

With so many cyber threats to contend with, ensuring that passwords are secure and effective is critical. In fact, the recent Incident Response Analyst Report 2021 found that a robust password policy reduces the likelihood of being attacked by 60%.

Creating effective passwords

But what exactly makes a password secure? They are a key tool in our security arsenal and rely on individuals to create and use them every day. However, not all are created equal. If they are too easy to guess, they’ll be easy to break – and if they’re being reused then multiple accounts are at risk of being compromised.

A good password shouldn’t be obvious or use common keyboard runs like ‘qwerty’ or sequential numbers like ‘123456’. Personal information that’s easy to guess, like a name or date of birth, should be avoided, too. Password length is crucial – anything under 12 characters is at risk of being cracked, so aim for 15 characters or more. The longer it is, the harder it is for a brute force attack to be successful.

Longstanding password guidelines suggest mixing up letters, numbers and symbols to help add an extra layer of complexity to your password. Frequently, these will be a requirement when you set a new password. It’s best to steer away from common character substitutions. For example, Synology becoming Syn010gy is unlikely to give you any significant benefit as these changes from letters to numbers are easy to guess. There are several random password generators online that can be used to come up with a random string of characters.

However, more recent thinking has been leaning towards passphrases as a more secure and user-friendly solution. The National Cyber Security Centre (NCSC) recommends the use of three random, unconnected words for a password. These phrases are easier to remember and to type, and the use of multiple words tends to generate longer, and therefore more secure, passwords.

Ironically, enforcing complexity requirements has been found to make passwords weaker in some cases, as users tend to struggle to remember random strings of characters and so are likely to fall back on some simple, predictable patterns (such as the aforementioned substitutions). Choosing three random words, it is believed, will increase the overall diversity of passwords in the ecosystem, reducing the likelihood of different users ending up with the same passwords and thus creating a tougher environment for attackers to operate in.
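The rules above, as an added example in Python (this is not code from the article or from Synology): a small checker that undoes the letter-to-number substitutions just discussed, flags keyboard runs, common strings and short passwords against a constructed word list, and compares the exhaustive-search space of a character password with that of three words drawn at random from a word list. The 7,776-entry list size is an assumption for illustration. The brute-force figure is an upper bound that only a truly random string reaches; the findings show why Syn010gy falls far short of it despite a respectable-looking number.

```python
import math
import string

# Constructed sample of weak passwords and keyboard runs for illustration only;
# a real check would use a breach corpus such as the Have I Been Pwned list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou", "synology"}
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "1234", "abcd")

# Letter-to-number/symbol swaps that cracking tools try by default.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                               "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(pw: str) -> str:
    """Undo common substitutions and lower-case, so Syn010gy -> synology."""
    return pw.translate(SUBSTITUTIONS).lower()


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must search to cover this password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def brute_force_bits(pw: str) -> float:
    """log2 of the exhaustive search space: an upper bound that only a
    uniformly random string actually reaches."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def passphrase_bits(n_words: int, dictionary_size: int = 7776) -> float:
    """Entropy of n words picked uniformly at random from a word list.
    7776 (a diceware-style list) is an assumed size for illustration."""
    return n_words * math.log2(dictionary_size)


def assess(pw: str) -> dict:
    """Apply the article's rules: no common strings, no keyboard runs,
    no cheap substitutions, and at least 12 (ideally 15+) characters."""
    findings = []
    candidates = {pw.lower(), normalise(pw)}
    if candidates & COMMON_PASSWORDS:
        findings.append("common password (after undoing substitutions)")
    if any(run in cand for cand in candidates for run in KEYBOARD_RUNS):
        findings.append("contains a keyboard run or number sequence")
    if len(pw) < 12:
        findings.append("shorter than 12 characters")
    elif len(pw) < 15:
        findings.append("shorter than the 15-character target")
    return {
        "length": len(pw),
        "brute_force_bits": round(brute_force_bits(pw), 1),
        "findings": findings,
        "acceptable": not findings,
    }


if __name__ == "__main__":
    for pw in ("Syn010gy", "123456", "correct horse battery staple"):
        print(pw, assess(pw))
    print("three random words:", round(passphrase_bits(3), 1), "bits")
```

Run as a script it reports that Syn010gy has a nominal search space of about 47.6 bits but is really a dictionary word with substitutions, while three words from a 7,776-entry list give roughly 38.8 bits of genuine randomness that no substitution rule can shortcut; a 15-character random mix of the 62 letters and digits would reach about 89 bits.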

Setting up two-factor authentication (2FA), be it biometric or a number/character token, will give another layer of protection. However, using SMS for 2FA is best avoided as text messages can easily be intercepted. Instead, apps like Authy, Google Authenticator or Microsoft Authenticator generate PINs that can be used to complete the login, although not all apps and services support them.

A password management solution

Whether you’re an individual, a small business or large corporation, keeping up to speed with password security is vital. For businesses, it’s particularly important to ensure that staff are well educated and supported in this area so sensitive data is protected. Make sure that all vendor-supplied passwords on devices are changed before they make their way to staff, and give individual logins to apps and services to all users who need them, avoiding password sharing.

One solution to help with password security is Synology’s C2 Password management system. Here you can store, sync and secure passwords and personal information – plus, thanks to unlimited device syncing you can access credentials from anywhere using an online portal or browser extension. C2 Password can also be used to generate complex combinations of letters, numbers and symbols, and keep all of them stored together in the same place.

Sensitive data is safeguarded through end-to-end encryption, too. Data goes through AES 256 encryption before it leaves a device, with decryption carried out only at the destination. The key to encrypt and decrypt is stored only on the individual device, not Synology C2 servers, to give an extra layer of protection. What’s more, C2 Password is free to individuals and businesses.

Juggling a selection of unique and uncrackable passwords might seem like hard work, but with a solid understanding of what makes them secure and the right tools in place to organise them, you’ll find peace of mind and a seamless, stress-free online experience.

Discover more about Synology C2 Password and how it can safeguard your credentials
