Password Best Practices | CompTIA Tech+ FC0-U71 | 6.3

In this post, we’ll be discussing password best practices.  Passwords are the frontline of defense in protecting personal and organizational data.  Weak or compromised passwords are one of the most common ways cybercriminals gain unauthorized access to systems, so understanding how to manage and create strong passwords is critical.

We’ll break down several best practices you need to know, including password length, complexity, expiration, password reuse across sites, password managers, and more.

Password Length

First, let’s talk about password length.

Password length is one of the most important factors in password security.  The longer a password, the harder it is for an attacker to crack it using brute force attacks, where all possible combinations of characters are tested.

Best practice recommendations for password length are:

  • At least 12 characters for general use, but many security experts recommend even longer passwords (15 – 20 characters) for critical accounts like administrative or financial systems.
  • A longer password creates exponentially more combinations, making brute force attacks far less effective.

For example, a 6-character password may take minutes to crack, but a 12-character password could take centuries using the same techniques.  So, the longer the better when it comes to security.

Password Complexity

Next is password complexity.

Password complexity involves using a mix of character types to make the password harder to guess.  A complex password should include:

  • Uppercase letters (A – Z)
  • Lowercase letters (a – z)
  • Numbers (0 – 9)
  • Special characters like !, @, #, *

For example, a password like P@ssw0rd123! is more secure than simply using “password123”.

However, complexity alone isn’t enough if the password is short.  A strong password combines both length and complexity.  Avoid using easily guessed patterns such as Password123! or Admin2024!

Password History & Reuse

Now, let’s talk about password history and password reuse.

Password history refers to a system policy that prevents users from reusing old passwords within a certain number of changes.  For example, if a system has a history requirement of 5, users won’t be able to reuse their last 5 passwords.

Why is this important?

  • It prevents users from changing their passwords to something weak or previously compromised.
  • It encourages users to think of a new, unique password each time.

Password reuse is when someone uses the same password across multiple accounts or websites.  This is a significant security risk:

  • If one website is compromised, attackers can use the same password to access other accounts, especially for email or financial systems.

A key best practice is to never reuse passwords across different sites.  Each account should have a unique password, so that a breach of one account doesn’t compromise others.
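A password-history policy such as the "history requirement of 5" described above can be enforced without keeping old passwords in plaintext: the system stores only salted hashes of the last N passwords and re-derives each candidate against them.  This is an added example, not code from the original post; PBKDF2-HMAC-SHA256 and the iteration count are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os
from collections import deque
from typing import Deque, Optional, Tuple

HISTORY_DEPTH = 5            # the "history requirement of 5" from the text
PBKDF2_ITERATIONS = 50_000   # assumption: kept modest so the demo runs quickly; production uses more


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, key) from PBKDF2-HMAC-SHA256 with a random per-password salt."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


class PasswordHistory:
    """Keeps hashes of the current password and the previous ones, HISTORY_DEPTH entries in total.

    Once more than HISTORY_DEPTH changes have happened, the oldest entry drops out of the
    window and that password becomes reusable, matching how the text describes the policy.
    """

    def __init__(self, depth: int = HISTORY_DEPTH):
        self._entries: Deque[Tuple[bytes, bytes]] = deque(maxlen=depth)

    def was_used(self, candidate: str) -> bool:
        # Every entry has its own salt, so the candidate is re-derived once per entry and
        # compared in constant time.
        for salt, key in self._entries:
            _, cand_key = hash_password(candidate, salt)
            if hmac.compare_digest(cand_key, key):
                return True
        return False

    def change_password(self, new_password: str) -> bool:
        """Reject a password still inside the history window; otherwise record it."""
        if self.was_used(new_password):
            return False
        self._entries.append(hash_password(new_password))
        return True
```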

Password Expiration

Next up is password expiration.

Password expiration is a policy that forces users to change their passwords after a certain period, typically every 60 to 90 days.  This practice helps:

  • Reduce the chance of a password being used indefinitely, especially if it has been compromised but remains undetected.
  • Ensure that even if a password leaks or is stolen, it will only be useful for a limited time.

However, modern research has shown that forcing frequent password changes can lead to poor practices, such as users creating predictable passwords or just incrementing numbers at the end of their passwords.  To balance this, organizations might now require password changes less frequently but enforce stronger complexity and longer length.

Password Managers

Let’s move on to password managers.

A password manager is a software application that helps users generate, store, and manage complex passwords for different accounts.  Here are the key advantages:

  • Secure Storage:  Password managers store all of your passwords in an encrypted vault.  You only need to remember one strong master password to access the vault.
  • Unique Passwords:  They allow you to create unique, strong passwords for every account, ensuring you don’t reuse passwords across multiple websites.
  • Auto-Fill Features:  Password managers often include auto-fill functionality, which automatically fills in login information, reducing the risk of mistyping passwords or falling for phishing attacks.

Popular password managers include tools like LastPass, 1Password, and Bitwarden.  Using a password manager reduces the likelihood of weak or reused passwords across different accounts.

Password Privacy

Next, let’s talk about password privacy.

The first rule of password privacy is:  never share your password with anyone.  Even within trusted environments, sharing passwords can compromise security.

Here are a few tips for maintaining password privacy:

  • Never Write Down Your Password:  Whether on sticky notes or in an unencrypted digital file, writing down passwords can easily lead to unauthorized access.
  • Beware of Phishing:  Phishing attacks are a common method used to steal passwords.  Always verify the authenticity of any website or email requesting your credentials.
  • Use Two-Factor Authentication (2FA):  Where possible, use 2FA to add an additional layer of security.  Even if someone obtains your password, 2FA requires a second form of authentication, like a code sent to your phone, to gain access.

Maintaining password privacy is about being vigilant and cautious with where and how you use your passwords.

Password Reset Process

Now let’s discuss the password reset process.

When a user forgets their password, they typically need to go through a password reset process.  Best practices for resetting passwords include:

  • Verify the User’s Identity:  Before resetting a password, the system should ensure the person requesting the reset is the account owner.  This is usually done by sending a verification code to an email or phone number associated with the account.
  • Temporary Links or Codes:  Password reset links should expire after a short period, usually within an hour or less, to prevent unauthorized use.
  • Prompt for a Strong Password:  When resetting, ensure that users are required to choose a password that meets length and complexity requirements.
  • Do Not Use the Same Password:  It’s essential that users create a new, unique password instead of reusing a previous one.

Secure password reset processes are critical to prevent unauthorized individuals from gaining access to an account.
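The reset flow described above relies on a token that is delivered to a verified channel, expires within an hour, and works only once.  This is an added example, not code from the original post; storing a SHA-256 digest of the token instead of the token itself and the `now` parameter used for testing are assumptions for the demo.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 60 * 60   # "within an hour or less" from the text


@dataclass
class ResetRecord:
    username: str
    expires_at: float
    used: bool = False


class ResetService:
    """Issues single-use, expiring reset tokens and keeps only their digests server-side."""

    def __init__(self, ttl: int = TOKEN_TTL_SECONDS):
        self._ttl = ttl
        self._records: Dict[bytes, ResetRecord] = {}

    @staticmethod
    def _digest(token: str) -> bytes:
        # The raw token is sent only to the verified email/phone.  Hashing it before storage
        # means a leaked database does not hand out live reset links, and looking up by
        # digest avoids a byte-by-byte comparison of the secret.
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, username: str, now: Optional[float] = None) -> str:
        """Create a token for a user whose identity has already been verified."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)            # 256 bits of randomness, URL-safe
        self._records[self._digest(token)] = ResetRecord(username, now + self._ttl)
        return token

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the username if the token is known, unexpired and unused; otherwise None."""
        now = time.time() if now is None else now
        record = self._records.get(self._digest(token))
        if record is None or record.used or now > record.expires_at:
            return None
        record.used = True                           # single use: a replayed link fails
        return record.username
```

After `redeem` returns a username, the new password would then be checked against the length, complexity and history rules before it is accepted.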

Changing Default Usernames & Passwords

Next, let’s talk about changing default usernames and passwords.

Devices like routers, smart devices, and other connected systems often come with default usernames and passwords.  These are well-known and easily accessible to hackers through simple online searches.

Best practices include:

  • Always change default credentials immediately after setting up a new device.  Failure to do so leaves devices vulnerable to attack.
  • Use Unique Usernames & Passwords:  Choose something that’s not easily guessable and follows the standard rules of password length and complexity.

Hackers often target default credentials because they are easy to exploit, so changing them is a critical step in securing your devices.

Enabling Passwords

Finally, let’s cover enabling passwords.

Some devices or systems come with password protection disabled by default, especially in home networks or personal devices.  Best practices for enabling passwords include:

  • Enable Passwords for All Accounts:  Whether it’s an operating system, network device, or online account, ensure that password protection is enabled.
  • Secure BIOS/UEFI Settings:  On computers, securing access to BIOS or UEFI with a password can prevent unauthorized users from changing hardware-level settings.
  • Restrict Access to Important Systems:  Always ensure sensitive systems require a password for access, especially administrative accounts.

By enabling passwords, you add an additional layer of protection to prevent unauthorized access to critical systems.

Conclusion

To summarize, securing passwords is vital for both personal and organizational security.  The key best practices for passwords are:

  • Use long and complex passwords.
  • Avoid reusing passwords across sites.
  • Regularly change passwords, especially for critical accounts.
  • Utilize password managers for secure storage and management.
  • Keep passwords private and never share them.
  • Follow secure password reset processes.
  • Change default credentials on new devices.
  • Always enable password protection on all systems.

These practices are essential for protecting your data and systems from unauthorized access and will help you succeed in understanding password management for the CompTIA Tech+ certification exam.