Password Best Practices | CompTIA IT Fundamentals FC0-U61 | 6.5

In this video you will learn password best practices such as:  password length, password complexity, password history, password expiration, password reuse across sites, password managers, and password reset process.

Password Length

The longer the password, the harder it is to crack: every added character multiplies the number of combinations a brute-force attack must try.  When a system limits how many characters a password may have, use a password that is as long as it permits: six digits rather than four for a PIN or passcode, and 16 or more characters rather than seven or eight for a web or account password.  Check the maximum password length the system accepts; for maximum security, that is how long your password should be.

Password Complexity

Password complexity is designed to defeat the typical methods of breaking passwords: dictionary attacks, brute-force attacks, and spidering.  All three work because typical passwords are simple and obvious.  Here is how each of these attacks works.

  • A dictionary attack tries entries from a list of common words and previously leaked passwords, usually with simple variations such as appended digits or letter-for-symbol substitutions.
  • A brute-force attack tries every possible combination of characters; its cost grows exponentially with password length, which is why length matters more than any single complexity rule.
  • Spidering is a variation on the dictionary attack that builds its word list from terms and phrases found on the target’s website.

Password complexity refers to the types of characters that must appear in a password.  Many organizations require that passwords be alphanumeric and include at least one special character, such as one of the following punctuation marks:

  • ! @ # $ % ^ & * ( ) -

A strong password should:

  • Be at least eight characters long
  • Contain a combination of uppercase (A-Z) and lowercase (a-z) characters
  • Contain at least one special character (! @ # $ % ^ & * ( ) -)
  • Contain at least one numeric character (0-9)

A strong password should not:

  • Contain a word, string of words, or phrase found in a standard dictionary
  • Include personal information such as family name, pet, birthday, location, etc

If you want to use words as the basis for a password, try mixing them with numbers or special characters or using special characters as substitutions, as in these examples:

Password History

Password history prevents the reuse of old passwords until a specified number of new passwords have been used first.  This feature works along with password expiration: without it, a user could satisfy an expiration policy by changing the password and immediately changing it back.  Systems enforce history by keeping hashes of previous passwords rather than the passwords themselves and comparing a proposed new password against them.

Password Expiration

Password expiration policies require users to change passwords on a specified schedule.  By requiring periodic changes, websites and networks limit how long a password that has been guessed or stolen remains useful and reduce the likelihood of a breach caused by repeated attempts to break it.  When a password expiration policy exists, users are typically warned a few days ahead of time that a change is coming, to help avoid disruption.  Note that current NIST guidance (SP 800-63B) advises against forcing routine expiration of passwords that meet length requirements and instead recommends changing a password when there is evidence of compromise; many organizations still enforce expiration, so expect to encounter it.
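The following Python example, added here and not part of the original course material, shows how the three controls described in the sections above fit together: a complexity check implementing the "should" and "should not" rules listed under Password Complexity, a history check against salted hashes of the last N passwords, and an expiration check with an advance-warning window.  The thresholds, the tiny word list, the account name jsmith and the sample passwords are assumptions made for the example.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SPECIAL = set("!@#$%^&*()-")
# Constructed stand-in for a real word list; a deployment would load a large one.
DICTIONARY = {"password", "welcome", "summer", "letmein", "qwerty"}
PBKDF2_ROUNDS = 50_000  # kept low for the demo; tune upward in production


def complexity_errors(pw, personal=()):
    """Return the rule violations for pw; an empty list means it passes."""
    errs = []
    if len(pw) < 8:
        errs.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", pw):
        errs.append("no uppercase letter")
    if not re.search(r"[a-z]", pw):
        errs.append("no lowercase letter")
    if not re.search(r"[0-9]", pw):
        errs.append("no digit")
    if not any(c in SPECIAL for c in pw):
        errs.append("no special character")
    low = pw.lower()
    for word in sorted(DICTIONARY):
        if word in low:
            errs.append("contains dictionary word " + word)
    for item in personal:  # family name, pet, location and so on
        if item and item.lower() in low:
            errs.append("contains personal information " + item)
    return errs


def hash_password(pw, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the history stores only these digests."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    name: str
    history: list = field(default_factory=list)  # (salt, digest) pairs, newest last
    last_changed: datetime = None


class Policy:
    def __init__(self, history_size=5, max_age_days=90, warn_days=7):
        self.history_size = history_size  # "Enforce password history"
        self.max_age_days = max_age_days  # "Maximum password age"
        self.warn_days = warn_days        # advance warning before expiry

    def in_history(self, acct, pw):
        """True if pw equals any of the last history_size passwords."""
        for salt, digest in acct.history[-self.history_size:]:
            if hmac.compare_digest(hash_password(pw, salt)[1], digest):
                return True
        return False

    def change_password(self, acct, new_pw, now):
        """Apply the complexity and history rules; return violations (empty = changed)."""
        errs = complexity_errors(new_pw, personal=[acct.name])
        if self.in_history(acct, new_pw):
            errs.append("matches one of the last %d passwords" % self.history_size)
        if errs:
            return errs
        acct.history.append(hash_password(new_pw))
        acct.history = acct.history[-self.history_size:]  # older entries age out
        acct.last_changed = now
        return []

    def status(self, acct, now):
        """'ok', 'expires in N days' inside the warning window, or 'expired'."""
        remaining = timedelta(days=self.max_age_days) - (now - acct.last_changed)
        if remaining <= timedelta(0):
            return "expired"
        if remaining <= timedelta(days=self.warn_days):
            return "expires in %d days" % remaining.days
        return "ok"


def demo():
    """Walk one account through the policy and return each outcome."""
    policy = Policy(history_size=2, max_age_days=90, warn_days=7)
    acct = Account("jsmith")
    t0 = datetime(2024, 1, 1)
    out = {}
    out["dictionary"] = policy.change_password(acct, "Welcome1!", t0)
    out["first"] = policy.change_password(acct, "T7#kLm9!pQ", t0)
    out["repeat"] = policy.change_password(acct, "T7#kLm9!pQ", t0)
    out["second"] = policy.change_password(acct, "Zq2$vBn8!x", t0)
    out["third"] = policy.change_password(acct, "Hj4&rTw1!c", t0)
    out["aged_out"] = policy.change_password(acct, "T7#kLm9!pQ", t0)  # no longer in last 2
    out["warn"] = policy.status(acct, t0 + timedelta(days=85))
    out["expired"] = policy.status(acct, t0 + timedelta(days=90))
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(step, "->", result)
```

Running the script shows the dictionary word "welcome" rejected, an immediate repeat of the same password blocked by history, the same password accepted again once two newer passwords have pushed it out of the window, and the status switching from "ok" to a warning five days before the 90-day limit and to "expired" on it.  The history comparison re-hashes the candidate with each stored salt and uses a constant-time compare, so the old passwords never need to be stored in the clear.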

Password complexity, history, and expiration can be configured in Microsoft Windows through the Local Group Policy Editor (gpedit.msc).  To start it, press the Windows and R keys simultaneously to open the Run dialog, enter gpedit.msc in the empty box, and click OK; alternatively, type gpedit.msc in a Command Prompt window and press Enter.  To see current settings or to make changes, open Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy.  To enable account lockout, open Account Lockout Policy and set the number of unsuccessful logins allowed before the account is locked (Account lockout threshold), how long the account stays locked (Account lockout duration), and how long the system waits after a failed attempt before the failure counter resets (Reset account lockout counter after).

Password policy settings with the Local Group Policy Editor
Account Lockout Policy settings with the Local Group Policy Editor

Through the Local Security Policy and Group Policy in Windows, you can set up password policies that require users to do the following:

  • Change passwords periodically (Account Policies > Password Policy, Maximum password age).
  • Be informed in advance that passwords are about to expire (Local Policies > Security Options, Interactive logon: Prompt user to change password before expiration).
  • Enforce a minimum password length (Account Policies > Password Policy).
  • Require complex passwords (Account Policies > Password Policy).
  • Prevent old passwords from being reused continually (Account Policies > Password Policy).
  • Wait a certain number of minutes after a specified number of unsuccessful logins has taken place before they can log in again (Account Policies > Account Lockout Policy).

To make these settings in Local Security Policy (secpol.msc), open the Security Settings node and navigate to the subnodes shown in parentheses in the preceding list.  In the Local Group Policy Editor (gpedit.msc), navigate to:

  • Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy
  • Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy
  • Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options (as appropriate)
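As an added example (not from the page and not Windows code), the Python program below simulates the semantics of the three Account Lockout Policy settings named above: the failure threshold, the window after which the failure counter resets, and the lockout duration, including the Windows convention that a threshold of 0 never locks and a duration of 0 means locked until an administrator unlocks.  The policy values, the user alice and her password are assumptions for the demonstration; a real system would compare against a stored hash rather than a plaintext password.

```python
import hmac
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    threshold: int = 5          # Account lockout threshold (0 = never lock)
    reset_after: int = 15 * 60  # Reset account lockout counter after (seconds)
    duration: int = 30 * 60     # Account lockout duration (seconds; 0 = until admin unlocks)


@dataclass
class AccountState:
    failures: int = 0
    last_failure: float = None
    locked_until: float = None


class Authenticator:
    """Minimal login front end enforcing the three lockout settings."""

    def __init__(self, policy, credentials):
        self.policy = policy
        self.credentials = credentials  # user -> password (constructed sample data)
        self.state = {}

    def login(self, user, password, now):
        """Return 'ok', 'denied' (bad password) or 'locked'. now = seconds since epoch."""
        p, st = self.policy, self.state.setdefault(user, AccountState())
        if st.locked_until is not None:
            if p.duration == 0 or now < st.locked_until:
                return "locked"  # refused without even examining the password
            st.locked_until, st.failures = None, 0  # lockout period has elapsed
        if st.last_failure is not None and now - st.last_failure >= p.reset_after:
            st.failures = 0  # quiet period elapsed since the last failure: counter resets
        expected = self.credentials.get(user, "")
        if user in self.credentials and hmac.compare_digest(expected.encode(), password.encode()):
            st.failures, st.last_failure = 0, None
            return "ok"
        st.failures += 1
        st.last_failure = now
        if p.threshold and st.failures >= p.threshold:
            st.locked_until = now + p.duration
            return "locked"
        return "denied"

    def unlock(self, user):
        """Administrative unlock (the only way out when duration == 0)."""
        self.state[user] = AccountState()


def demo():
    """Three bad guesses lock alice for 15 minutes; the right password works afterwards."""
    auth = Authenticator(LockoutPolicy(threshold=3, reset_after=600, duration=900),
                         {"alice": "T7#kLm9!pQ"})
    attempts = [(0, "wrong"), (10, "wrong"), (20, "wrong"),
                (30, "T7#kLm9!pQ"), (930, "T7#kLm9!pQ")]
    return [auth.login("alice", pw, t) for t, pw in attempts]


if __name__ == "__main__":
    print(demo())  # ['denied', 'denied', 'locked', 'locked', 'ok']
```

Note the trade-off the settings encode: a low threshold with a long duration stops online guessing but lets anyone who knows a username lock that user out on purpose, which is why the reset window and duration are usually kept to minutes rather than hours.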

To help protect computers from unauthorized use, users can be required to enter their password to return to the desktop after the screensaver starts.  Users should also lock their workstations whenever they step away, which likewise requires a login to return to the desktop.  In Windows, the screensaver password setting (the On resume, display logon screen check box) is located in the Screen Saver Settings window, which can be accessed from Control Panel > Personalization.  To lock a computer, press the Windows and L keys at the same time.  In macOS, use the Desktop & Screen Saver pane to choose a screensaver, and use Security & Privacy to require a password after sleep or the screensaver begins.  Linux distributions that use the X11 Window System typically use XScreenSaver or the desktop environment’s own screen locker.

Password Reuse Across Sites

Many users set up the same or similar passwords on the various sites and systems they log in to.  Most users do this because complex passwords are hard to remember, and one password is easier to remember than a half-dozen or more.  The risk is that a breach at one site exposes every other account that shares the password: attackers routinely replay leaked username and password pairs against other services (credential stuffing).  A better solution to the problem of multiple logins is a password manager, which lets every site have its own unique password.

Single Sign-On

Single sign-on (SSO) is a property of access control across multiple related, yet independent, software systems.  With this property, a user logs in once with a single ID and password to gain access to any of several related systems.  For example, a single Microsoft account login provides access to Outlook email, OneDrive storage, sign-in to Windows 8 and later, and the Microsoft app store.  Because one credential unlocks every connected system, the SSO account deserves a particularly strong password and, where available, multifactor authentication.

Password Managers

A password manager is a software application or a hardware device that stores and manages a person’s passwords and can generate strong ones.  Typically all stored passwords are encrypted with a key derived from a master password, which the user must enter to access the stored, managed passwords; the master password should therefore be the longest and strongest password the user has.  After you set up accounts with your password manager, you log in to the password manager and it fills in your credentials on secure sites.  Some leading password managers include:

Password Reset Process

You may need to reset a password for a variety of reasons.  If the website uses the self-service password reset (SSPR) method, here’s what you should expect:

  • First, start the reset process.  Go to the vendor’s website and click the “lost password” or “reset password” option.
  • Second, enter the email address associated with your account.  This typically generates an email containing a link that you must click to continue.
  • Third, click the link in the password reset email.  Only trust a reset email that arrives right after you requested it, and check that the link points to the vendor’s real domain; an unexpected reset email is a common phishing lure and may also mean someone else is trying to take over your account.
  • Fourth, when asked to reset the password, enter the new password twice as prompted.  Use the guidelines given earlier in this chapter to create a strong password.  If you prefer to generate one, use your password manager’s generator if you have one; otherwise open a separate tab in your browser and navigate to a password generator site.  Copy and paste the generated password into the “password” and “password confirmation” fields.
  • Fifth, save a copy of your password (and username).  If you have set up a password manager, this is the time to store the new credential in it.  Otherwise, create a document, encrypt the document, and store it in a safe location.
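Step four mentions generating a password.  The Python example below, added here and not part of the original page, generates one that satisfies the character-class rules given earlier using the operating system’s random source, and puts numbers on the length advice by computing the entropy in bits of a random 8- versus 16-character password and of a word-based passphrase.  The 16-word list is constructed for the example; the 7776-word figure is the size of the widely used EFF long word list and is not drawn from this page.

```python
import math
import secrets
import string

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
SPECIAL = "!@#$%^&*()-"                      # the punctuation set listed earlier on this page
ALPHABET = UPPER + LOWER + DIGITS + SPECIAL  # 73 symbols

# Constructed 16-word list so the example runs offline. A real passphrase
# generator should use a large published list (thousands of words).
WORDS = ["ember", "granite", "lantern", "meadow", "nickel", "orbit", "pistol",
         "quartz", "ripple", "saddle", "thistle", "umpire", "velvet", "walnut",
         "yonder", "zephyr"]


def has_all_classes(pw):
    """True if pw contains an upper, a lower, a digit and a special character."""
    return all(any(c in cls for c in pw) for cls in (UPPER, LOWER, DIGITS, SPECIAL))


def generate_password(length=16):
    """Uniformly random password of the given length satisfying every class rule.

    secrets.choice draws from the OS CSPRNG; random.choice is seeded from a
    predictable state and must never be used for secrets. Rejection sampling
    (retry until all classes appear) keeps the distribution uniform over the
    accepted strings, unlike "force one of each class, then shuffle" schemes.
    """
    if length < 8:
        raise ValueError("length must be at least 8")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(pw):
            return pw


def generate_passphrase(n_words=5, wordlist=WORDS, sep="-"):
    """Random words joined by sep; strength comes from list size and word count."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy for `length` independent uniform picks from the alphabet.

    For generate_password this is a slight overestimate, because rejection
    removes the few strings missing a class; the gap is negligible at 12+ chars.
    """
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(generate_password(16), "~%.0f bits" % entropy_bits(16))
    print(generate_password(8), "~%.0f bits" % entropy_bits(8))
    print(generate_passphrase(5),
          "~%.0f bits with a %d-word list" % (entropy_bits(5, len(WORDS)), len(WORDS)))
    print("same 5 words from a 7776-word list: ~%.0f bits" % entropy_bits(5, 7776))
```

Doubling the length from 8 to 16 characters doubles the entropy (about 50 to 99 bits), which is why the length advice earlier in this chapter matters more than any substitution trick; a 16-word list gives only 4 bits per word, so a passphrase is only as strong as the list it is drawn from.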

How to Reset Your Password in Windows

Depending on the version of Windows you use, open Settings > Accounts (PC Settings > Accounts in Windows 8) or Control Panel’s User Accounts dialog to change a local account’s password.

How to Reset Your Password in macOS

You can reset your macOS password in System Preferences > Users & Groups (System Settings > Users & Groups in macOS Ventura and later).

How to Reset Your Password in Linux

Open a terminal and enter the command passwd.  You will be prompted for your current password and then for the new password twice.  To change a password for another user, become root (the superuser) with su, or prefix the command with sudo, and run passwd username (replace username with the user’s login name).  Follow the prompts to change the password.  To reset a forgotten root password at startup, procedures vary according to the Linux distribution.

How to Change Your Passcode in iOS

The passcode is the four-digit or six-digit (or longer) code you enter to unlock your iOS device; setting one also enables the data protection that encrypts the device’s contents.  To change an existing passcode, open Settings, then open Face ID & Passcode, Touch ID & Passcode, or Passcode, depending on your device.  Tap Change Passcode and enter a new six-digit passcode.  For other options, such as the less secure four-digit passcode or a more secure custom numeric or alphanumeric code, tap Passcode Options.

How to Change Your PIN in Android

The PIN is the four-digit (or longer) code you enter to unlock your Android device; it also protects the keys used for the device’s encryption.  To change an existing PIN, tap Settings > Lock Screen & Security (or similar wording; it varies by device) > Screen Lock Type > PIN.  Enter your current PIN, then tap PIN again and enter the new PIN on the PIN change dialog.  The new PIN is used from that point on, including when you restart the phone.

How to Set Up a BIOS/UEFI Password

A BIOS/UEFI password prevents unauthorized users from changing BIOS/UEFI firmware settings.  Use this option if you are concerned about hardware configuration or firmware-based security issues.  For example, if the usual configuration prevents the use of a USB drive as a boot device, a BIOS/UEFI firmware password prevents anyone from changing the settings to permit booting from a USB drive.  To set a password, start the system and press the key(s) needed to access the BIOS/UEFI firmware settings.  Not every system supports this option, and there’s no uniformity about where it is located.  However, once you find it, enable it and be sure to record the password you assign somewhere safe.  On many desktops the password can be removed by clearing the CMOS memory; for greater protection, enable chassis intrusion detection so you can be warned if someone opens the system to clear the CMOS with a jumper block or by removing the battery.  Many laptops store the firmware password in non-volatile memory, so clearing CMOS does not remove it.  Note that some laptops also offer a hard disk lock (ATA security) password that prevents the hard disk from being used in a different computer.  A firmware setup password by itself does not protect the data on the disk if the drive is moved to another computer; use full-disk encryption for that.

Password Policy

A password policy provides a set of rules on how to create strong passwords and use them properly.  It might specify which devices should be password-protected. Having a strong password policy is a must for any organization.