How to create a strong password?

What is a password? 

The password is a secret word or phrase used to verify your identity and gain access to your email account or an application or your devices. It is required to secure your data, and prevent any unauthorised access or misuse of your account. 

In the world wide web, every application you use needs to be secure and allow you to protect your information by providing unique authentication using your username and a password. While your username can be your email address or a unique id you choose, the password is a set of characters used to verify your identity using the authentication process.

Passwords are generally set by you, as the user of the application when you sign up for the service or when you use a device. 

In general, passwords can be of any length and can contain alphabets(both upper and lowercase letters), special characters, and numbers. Certain applications have some minimum requirements in terms of length and provide some guidelines for securing your data in that application. 

What is a strong password? 

A strong password can be defined as a secure and strong word or phrase, set by the user in a manner that is very hard to be guessed by a person or a program designed to crack passwords. The following points outline the attributes of a strong password that cannot be hacked into, easily.           

• Long with 12+ characters
• Mixed Content
• Memorable & Unique
• Not repeated / reused
• Customised for each app
• Expires at a set time
• Not saved in plain text
• Generated using a password generator 
• Managed using a password manager 
• Multi-Factor Authenticated 
• Password policy enforced 

Attributes of a Strong Password

1. Long passwords

It is highly recommended that you use a minimum of 12 characters in a string for a strong password. Long passwords are generally hard to crack. Attackers use a method called brute-force method - different combinations of various alphabets, numbers, special characters, and so on - to crack the account. When the passwords are long, the brute-force method cannot crack the password easily. Most of the applications have a security feature that allows a certain number of wrong attempts after which the account gets locked for some time. 

Examples:

• $ummerOf2022
• Ar+@#ear+2022

2. Use mixed content in passwords

Ensure that the password constitute of numbers, special characters, and uppercase and lowercase alphabets to ensure that you have a strong password.

Examples: 

• M3x!c0$p!55@
• (al!Forn!@>

3. Memorable unique passwords

In some cases, when you have long passwords the users who set them may forget the passwords themselves. Hence it is recommended to create memorable unique passwords. If you are using password managers, the passwords are random characters and hence they cannot be remembered by the users and they will need password managers to create and use the passwords. 

If you do not have password managers, you need to create memorable passwords which are also unique. Here are some tips below to create long memorable unique passwords: 

• Do not use information connected with you like birthdays, phone number, spouse names, parents' names, kids' names, or pets' names as passwords as there may be other people who might know and have access to such details. 
• You can create a base phrase for your password, but make sure you change that base word to a non-dictionary phrase. 
• Replace vowel characters with special characters/ numbers that you can associate with that vowel. (a - @, e - 3, i - !, o - 0, u - * ). Similarly, you can also create a replacement pattern for other letters also. (s - $, h - #, x - %, B - 8, c - (, l, |, k, <, v, > and so on). 
• Make sure that you remember the base word and your character replacement pattern by heart. As a best practice, do not write them down anywhere.
• In addition, you can also use smiley symbols in place of special characters to remember the password. Ex: You can end the password with :) or :P 

Examples: 

• D0n+qu!t23
• D0nt5mok3
• F0ll0wRuL35

4. Do not repeat/ reuse/ recycle

Another common mistake is reusing the same password in multiple applications. This poses a serious security threat, when even one of the apps gets hacked due to your carelessness or due to some security hole in the application, and your password is exposed, the attacker might try to use the same password in other applications. 

When you consciously avoid using the same password in multiple applications, the damage is controllable and minimised. Only that particular application that got hacked is insecure, while the other applications and data are secure. You can focus on securing only that application by changing passwords or adding an identity-based multi-factor authentication and protecting sensitive data in that account. 

5. Customise passwords

To avoid using the same passwords for different apps, you can customise your passwords. In the base phrase that you have set, you can append it with the short form of the app you use to create unique and memorable passwords, customised for the app.

Examples:

• 2023l0v3lyp@55w06d_s3p_tw 
• (:!@mStr0ng:)

6. Set password expiry

Password expiry is the ability to set a period - after which the password expires and the user has to set a new password for the account. This ensures that the passwords do not stay dormant - and hence this adds more security to the account. In addition to password expiry, the administrators can also set more rules related to password usage in a password policy.

Example: 

With a password policy, you can set the password expiry as 30 or 45 days. This will ensure that the passwords are changed every 30/ 45 days. 

7. Do not save in plain text 

When you save your password or a list of passwords in plain text in a file in your system, it would be in a clear readable format. This is not in an encrypted mode and can be easily read by anyone or scanned by a program that has got access to your system either normally or during a hack or virus attack. 

Even if you want to save some passwords for better retrieval, it is better to use password managers - which store them in an encrypted mode and cannot be accessed in plain text mode. 

How to set a strong password?

Use a Password manager/ generator

A password manager is an application or service that helps you manage your passwords securely. When you have a lot of applications and accounts, a password manager is the best tool to help you manage all your passwords securely from a single place.

Share passwords securely

An efficient password manager not only encrypts and stores the passwords securely but further provides features like sharing with other collaborators. You can also check out Zoho Vault, an online password manager service provided by Zoho. 

Most of the time, certain accounts are commonly used by more than one person and the user needs to create and share passwords with the other users. This makes it difficult to track password expiry, change of password, and so on. Hence, a password manager makes the sharing process efficient and secure. 

Enable Multi-Factor Authentication

Multi-factor authentication refers to the authentication process, which requires the users to provide more than one method to verify their identity and access an account or an application, or a network. When most of these applications require a password and a verification code that is sent to the user's mobile number or a time-based verification code generated in an application set up by the user. The users can also set up authentication based on their fingerprint or their iris - which is scanned during the authentication process for verifying the user identity. 

Use password-less authentication 

Modern applications are also moving towards password-less authentication, where the multi-factor authentication involves what you have (a code generated using mobile devices via time-based authenticators or sms, or a code generated via a security token) and what you are (a biometric identification via fingerprints, iris, voice or face recognition). 

Password-less and Multi-Factor Authentication involving biometric verification is considered to be more secure than just password-based authentication. 

What is a Password Policy?

A Password Policy is a set of conditions set by an organization for the applications, to ensure that the users create and use strong passwords in a secure manner. A good password policy defines the following: 

• Minimum password length 
• Password expiry duration 
• Deny historical passwords
• Not contain dictionary phrases/ user names etc. 

Email accounts need a strong password policy, to ensure that users create and use strong passwords for their mail accounts and avoid them from being hacked.

When an email account gets hacked, it not only compromises the data in your account but also creates a series of other problems. The hackers may send spam or phishing emails from your account to your contacts. Misusing your business email address, they may get access to secure data of your organization. They can get access to social media accounts and financial accounts that are linked with the email account, thus creating personal and financial losses. 

Enforcing the users to create strong passwords by implementing a password policy helps organizations prevent such attacks to a certain extent. However, adding TFA or MFA will create an additional layer of security and avoid these security threats to a large extent. 

Here are some guidelines to create a good password policy for your organization: 

Example of a secure password policy: 

• Minimum password length: 12
  • should contain at least 1 uppercase
  • 1 lowercase 
  • 1 number
  • 1 special character
• Password expiry duration: 30 days 
• Password history: Do not repeat last 3 passwords. 

How to Enforce a Password Policy in Zoho Mail?

Zoho Mail is a secure email service primarily intended for business communication. Once you create an email account, you can create and apply a password policy for your organization in the Zoho Mail Admin Console. 

Steps to create password policy in Zoho Admin Console:

1. Login to Zoho Mail Admin Console
2. Navigate to Security & Compliance on the left pane. 
3. Click Security and go to Password Policy
   
4. On the Password Policy section, specify the values for the respective fields and define the following: 

   • Minimum password length
   • Minimum number of passwords in history
   • Minimum number of special characters
   • Minimum number of Numeric Characters
   • Password Expiry Period(Days)

5. You can also choose to send a password expiry notification to the users and remind them to change their passwords by checking the Send password expiry notification to users option.
6. Once done, click Update.

You can also reset the edits you made from the previous setting by clicking Reset or go back to the initial configuration that Zoho Mail set as default by clicking Reset To Default.