The Importance of Strong Passwords in 2020 & New Plesk Password Policy


According to an annual report by the Identity Theft Resource Center, 500 million personal records were stolen in 2018. That figure is dwarfed by 2019, by far the worst year for data security on record: 5,183 breaches exposed 7.9 billion records. This is why we need to talk more about the importance of strong passwords as we go into 2020, and about the new Plesk password policy that is planned to come into effect this year.

With threats this frequent already affecting billions of internet users, it’s clear that the way we look after personal information online needs to improve. One major area of concern is passwords. Instead of helping users protect their information, passwords all too often put user privacy at risk. We want Plesk to take the lead in data privacy and security.

That is why we have a new Default Password Strength Policy, which is planned to set the default strength for all passwords to “Strong” as of February 18, 2020. Read on for an explanation of this new Plesk password policy and how it affects you as a user. But first, let’s sum up why strong passwords are essential to keeping your online data safe today.

Hacking Techniques Are Increasingly Sophisticated


The massive increase in the number of data breaches over the last two years has two causes. Firstly, there has been a surge in the amount of sensitive information stored by companies. Secondly, the hacking techniques of 2020 are highly sophisticated, even more so than in previous years.

To combat this advancement in hacking techniques, we need to band together to increase the security of the servers that hold such sensitive and sought-after data. Professional “white hat” hacker Marc Rogers says you can start by simply keeping a close eye on what data you hold. By making sure that data sits behind strong, unique passwords, companies can greatly reduce the number and impact of breaches.

One of the best ways to create and manage your passwords is to use a password manager. You don’t have to remember your passwords, and you don’t end up using the same one, or a similar pattern, for every account you have. Instead, they are all stored in encrypted form and retrieved when necessary.

More Personal Data Online Than Ever Before


Many companies today offer their services for free in exchange for your personal data. This has led to a massive influx of personal information being stored online in the cloud. Try typing your email address into Have I Been Pwned (run by a Microsoft Regional Director and web security expert). You can find out how many times your personally identifiable information (PII) has turned up in a breach.

The answer may surprise you – or then again, it may not. Major sites and social networks such as Adobe, LinkedIn, Canva, Facebook and Houzz have all suffered major data breaches in recent years, exposing the information of hundreds of millions of accounts.

These are risks to your data, your policies, your technology, and the trust between you and your users. Safeguard them and you hold the key to avoiding losses and building loyal relationships.

Why Are People Still Using Weak Passwords?


When data is in the hands of companies, it’s their responsibility to look after it. But this is no excuse for users to create weak passwords, which millions of people still do. Is your password something generic like “password123”, “qwerty” or “123456”? Or is it the name of your favorite animal, band, superhero or partner? Know that these are among the most common passwords worldwide, and the first things an attacker tries.

Passwords based on dictionary words, even with proper capitalization, are not effective against brute-force attacks, because cracking tools try wordlists and common substitutions before anything else. Under our new password policy, passwords rated ‘Very Weak’, ‘Weak’ or ‘Medium’ can be cracked by a brute-force attack within seven minutes.

As defined in our new policy, strong passwords are at least eight characters long and include at least one upper-case character, one lower-case character, one digit and one special character. For example: “[email protected]”.

Whether for a social media account or a financial account, such hard-to-guess passwords provide strong protection against brute-force attacks.

The New Plesk Password Policy


The previous default password strength for new Plesk Obsidian installations was “Very Weak”. Such passwords satisfy only the minimum required strength and could be cracked by a brute-force attack in zero to seven minutes.

As of December 17, 2019, the new Plesk Default Password Strength Policy became “Strong”. This new stronger Plesk Password Policy sets the requirements that Plesk passwords must meet when they are created or updated.

The ‘Strong’ password strength policy applies to all new Plesk Obsidian installations by default. You can see and change the default password strength policy in Tools & Settings > Security Policy (under “Security”) > the “Password strength” section.

This ensures that your passwords are at least eight characters long and contain at least one upper-case character, one lower-case character, one digit and one special character. For more info on this new policy, check out this article in our support center.

For the password security standards of 2020, check out this article. 

Have you suffered a security breach in the past? What do you think about our new password policy? Tell us in the comments.

Password Security Standards in 2020


Proper password security practice is incredibly important: your web services and servers will never be secure if you use weak passwords or ignore best advice on password strength. A poor password policy can be the single point of failure that brings down your entire system, or even your network.

So, here is a comprehensive list of the most important tips you need to follow when setting and managing passwords in 2020.

Password security practices

You’ll find plenty of resources that give you good tips on password standards, but we think the National Institute of Standards and Technology (NIST) has a relatively watertight list of do’s and don’ts.

NIST is, of course, an agency whose specific goal is to push industrial competitiveness and innovation in the US by advancing science, technology and standards. It’s easy to see why NIST would publish a well-considered list of password best practices, given that it aims to enhance economic security.

We summarize the most important parts of NIST’s password advice below. It ranges from obvious rules such as uniqueness through to length and character-set requirements. It’s a solid basis on which to build a password security policy.

Things you should get right about password standards

Here are the rules you should always adhere to when creating passwords.

  • When a password is created by a person, use at least eight characters – and keep in mind that the more characters you use, the harder the password is to crack. So, at least eight characters, but go for sixteen or more if you can.
  • System-generated passwords should be at least six characters – wherever you have a service or system that creates new users, make sure the passwords it issues are at least six randomly generated characters. Forums or e-commerce sites that assign initial passwords should issue at least six characters.
  • Support long passwords, up to 64 characters – allow your users to input very long passwords; NIST’s guidance is to accept at least 64 characters, and a unique password of that length is extremely hard to guess.
  • Accept, and use, the entire printable ASCII set – lowercase, uppercase, numerals and symbols should all be mixed into your password. Think JkLL8#!n to make up an eight-character password. Why does using all ASCII characters matter? Simple – a wider set of characters increases password entropy, in other words how difficult the password is to guess. Password entropy increases when passwords are longer and when they draw on a greater mix of characters such as uppercase, numerals and special characters; each extra character adds more entropy than adding one more character class does.
  • Make sure your password standard enforces uniqueness – don’t re-use passwords across services; instead use a different password for MySQL, FTP, cPanel and – importantly! – your social media and bank accounts. Uniqueness prevents an attacker from using a password stolen from one service to access your other accounts.
  • Check your password is not in a password dictionary – use a tool that checks candidate passwords against lists of known breached passwords (Have I Been Pwned’s Pwned Passwords is one such list); always do this check before using a password.
  • Use a password manager – complex passwords are more secure but they are difficult to remember. A password manager is a great way to store and access complex passwords.
  • Randomly generate your passwords – a randomly generated password is unlikely to be in a password dictionary and is difficult to guess. You have plenty of options, from the generator built into your password manager to online services such as Norton’s website.
  • Allow a reasonable number of attempts before you lock a user out, at least ten – with a password security policy it’s important to strike a balance between the number of times a user can try a password and the point at which they are locked out. NIST’s own ceiling is 100 consecutive failed attempts on an account. When choosing this balance, consider the risk involved if the account is compromised, but keep in mind that locking users out can be frustrating. Still, to stop a brute-force attack, you must lock out or throttle at some point.
  • Use two-factor authentication (2FA) whenever you can – there is an almost unlimited number of ways in which passwords can be stolen. With 2FA, even if a password is stolen, an attacker cannot enter the account without the second factor. This could be biometric data, a key fob, or a code generator such as Google Authenticator.
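
To make the rules above concrete, here is an added example, written for this page rather than taken from Plesk or from any NIST reference implementation. It checks a candidate password against the page’s ‘Strong’ rule (eight characters and all four character classes), the NIST length minimums, a breached-password list, keyboard walks and reuse across services, and it keeps a failed-login counter for lockout. It also computes the naive entropy and crack-time figures that strength meters report, which shows why a breached phrase with a high nominal entropy is still unacceptable. The breached-password set, the 1e10 guesses-per-second rate and the sample vault are constructed for the example; a real deployment would query a breach corpus such as Have I Been Pwned’s Pwned Passwords range API instead of a hard-coded set.

```python
import math
from collections import defaultdict

# Constructed sample of breached passwords for this example only; a real
# deployment queries a breach corpus (e.g. the Pwned Passwords range API).
BREACHED = {"password123", "qwerty", "123456", "theoneandonly77",
            "sunnycountry12", "champion88", "hastalavistababy"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
SPECIALS = 33  # printable ASCII punctuation plus space


def meets_plesk_strong(pw: str) -> bool:
    """The 'Strong' policy described on this page: at least 8 characters and
    at least one lower-case, upper-case, digit and special character."""
    return (len(pw) >= 8
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


def has_keyboard_walk(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` adjacent keyboard keys in either direction
    (qwer, lkjh, 6789, mnbv ...)."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + run] in low for i in range(len(seq) - run + 1)):
                return True
    return False


def entropy_bits(pw: str) -> float:
    """Upper bound on entropy, assuming every character was drawn uniformly
    from the union of the character classes present. Dictionary words and
    famous phrases have far less real entropy than this figure suggests."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(not c.isalnum() for c in pw): size += SPECIALS
    return len(pw) * math.log2(size) if size else 0.0


def expected_crack_seconds(pw: str, guesses_per_second: float = 1e10) -> float:
    """Expected time for an offline attack that enumerates the whole space at
    the given rate (an assumed figure; real GPU rates depend on the hash used).
    On average half the space is searched before the password is hit."""
    return 2 ** entropy_bits(pw) / 2 / guesses_per_second


def evaluate(pw: str, user_chosen: bool = True) -> list[str]:
    """Return the policy violations for a candidate password (empty = accepted).
    Minimum length follows the list above: 8 for human-chosen, 6 for
    system-generated; any length above that is accepted."""
    problems = []
    min_len = 8 if user_chosen else 6
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if pw.lower() in BREACHED:
        problems.append("appears in a breached-password list")
    if has_keyboard_walk(pw):
        problems.append("contains a keyboard sequence")
    if not meets_plesk_strong(pw):
        problems.append("does not satisfy the Plesk 'Strong' character-class rule")
    return problems


def find_reuse(vault: dict[str, str]) -> list[list[str]]:
    """Given {service: password} from a password manager, list the groups of
    services that share one password (the uniqueness requirement)."""
    by_pw = defaultdict(list)
    for service, pw in vault.items():
        by_pw[pw].append(service)
    return sorted(sorted(group) for group in by_pw.values() if len(group) > 1)


class FailedLoginTracker:
    """Lock an account after max_attempts consecutive failures (the page
    suggests at least ten; NIST SP 800-63B caps the number at 100)."""

    def __init__(self, max_attempts: int = 10):
        self.max_attempts = max_attempts
        self.failures = defaultdict(int)

    def record_failure(self, user: str) -> bool:
        self.failures[user] += 1
        return self.is_locked(user)

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)

    def is_locked(self, user: str) -> bool:
        return self.failures[user] >= self.max_attempts


if __name__ == "__main__":
    # Constructed candidates: note that the breached phrase has the highest
    # nominal entropy of the four yet is rejected outright.
    for pw in ["password123", "qwertyui", "JkLL8#!n", "hastalavistababy"]:
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits, "
              f"~{expected_crack_seconds(pw) / 86400:.1f} days at 1e10 guesses/s, "
              f"problems={evaluate(pw)}")
    print(find_reuse({"mysql": "s3cret!", "ftp": "s3cret!", "bank": "other"}))
```

The entropy figure is only a ceiling: “hastalavistababy” scores about 75 bits on this model, far above the 53 bits of “JkLL8#!n”, but it is rejected because it is on the breach list, which is exactly the order in which a cracker would find the two.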

What are the big “no’s” with passwords?

Good practice is one point to address, bad practice needs addressing too. We want to highlight a number of practices you should steer clear of:

  • Never use a dictionary word – any word which can be found in a dictionary should never be used, nor should a simple combination of dictionary words like clevercat or safeashouses.
  • Don’t rotate passwords on a fixed schedule for its own sake – NIST advises against forced periodic changes, because they push users toward predictable variations of the old password. Do change a password promptly whenever you suspect it has been stolen, so that it can no longer be used to compromise the account.
  • Don’t use passwords that reflect the names of people or places you know – attackers research their targets and use such names to guess passwords. Also be careful of very slight variations on these names; for example, if your mother is Johannah, don’t assume that J0hannah will be secure, since cracking tools apply such substitutions automatically.
  • Never use the same password twice – use a unique password for every service, and don’t swap backwards and forwards between old and new passwords if a service demands that you input a brand-new password.
  • Forget about strings based on letters adjacent on your keyboard – any run of adjacent keys will be in a password dictionary. Whether it is qwertyui or mnbvcxzl, forget about it.

Some examples of good and bad passwords

We’ve listed the key password security practices you should follow. What does that mean in reality? Well, examples of passwords you should NOT use include:

  • theoneandonly77
  • sunnycountry12
  • champion88

If you want a secure password, you want to use something like this, but don’t use these (!) – go to a random password generator instead:

The above examples will meet the password complexity requirements of even the most stringent of security policies.

Passphrases can be a great compromise

Know how we said you should use a long complex password? You’ll also know how difficult those are to remember every day. A passphrase can be a good option. It could be based on a movie you know, a joke you like or anything else.

Think about a movie phrase, like Arnold’s “Hasta la vista, baby.” As a password this could easily be written as hastalavistababy, which can be made more complex by changing it to an equally easy to remember [email protected][email protected] It’s easier to remember than a random string, but think of a passphrase that is unique to you so that there is no chance it will be caught in a password dictionary: a famous movie line is exactly the kind of phrase that cracking wordlists already contain, with the common letter-to-symbol substitutions applied.

In any case, a popular password security checker estimates that our example would take up to 85 billion years to guess. Treat such figures with caution: they measure only the size of the search space for a random string, not whether the phrase already sits in an attacker’s wordlist.

It’s easy to make our example passphrase even stronger – just add a few pieces that are personal to you. For example, turn it into [email protected][email protected][email protected] if you’re using Gmail, and the same checker puts the figure at 128 undecillion years. The caveat above still applies: a suffix that an attacker can guess from your email address adds far less than the checker claims.

What can you do to remember passwords?

Even if you use passphrases you still need to use unique passwords for critical services. Remembering these will be difficult – heck, remembering your passphrase can prove tricky. What’s the best way to fix this problem? A password manager.

Password managers come with other benefits too, including the ability to automatically log in to a website, instead of retrieving or typing a password every single time. However, remember to set up a strong gateway passphrase for your password manager, otherwise all your passwords could be compromised.

Which password manager should you choose? We can’t endorse any specific password manager, but some of the more popular options include Keeper and LastPass.

Multi-factor authentication

Multi-factor authentication, of which 2FA (exactly two factors) is the most common form, can draw on several kinds of factor. Each factor adds to the protection a password alone provides. Qualifying factors include the following:

  • A piece of information that only you know – think a password, or indeed a passphrase
  • Something that is possessed by you, and you only. This could be a key fob or code generator or even employee ID
  • Data unique to you as a person, for example a retina imprint, a fingerprint or your face
  • Your location as determined by a GPS or according to your network access point

So, as you can see, multi-factor authentication has plenty of factors it can depend on. A factor such as a fingerprint, a hardware token or a code generator adds a great deal of security on top of a password or passphrase; location is a weaker signal, easy to spoof or to share with an attacker on the same network, and is best used as a supporting check rather than a factor on its own.