How to Create a Strong Password If the Service Provider Does Not Allow Adding Symbols and Special Characters
We have discussed password requirements in the past, and it's safe to say that we all know why they exist – their goal is to discourage users from using simple and easy to guess passwords. Many experts, including the ones that write NIST's password guidelines, aren't sure if they work, though. They reckon that obligatory use of special characters and digits puts additional pressure on the user without necessarily improving the security of the password. But what about the opposite, then?
What happens when users are forced not to use a special character?
Why do some websites ban special characters in passwords?
For years, people have been telling us to use a wider variety of symbols, and it seems somewhat strange when you see a website that forbids you from including a "=" or a ":" in your password. Believe it or not, they do this for security reasons. At least that's what they think.
By forbidding the use of special characters, they are trying to limit the risks of a successful SQL injection attack. An SQL injection happens when a cybercriminal uses a field on a website (e.g., the one where you put your password) to execute commands on the web application. These commands could expose personal data, lead to loss of information and create a defacing opportunity.
All SQL commands contain special characters, and if the password field refuses to process special characters, it will refuse to process SQL commands. This is why some websites won't let you use them.
Why don't all websites ban special characters in passwords?
Although it's a fairly old trick, an SQL injection as an attack vector is something website operators should definitely think about. As far as prevention goes, however, banning special characters from passwords is an extremely crude method.
There are many other effective ways of fending off such attacks, and website operators have no excuse for not knowing about them. Furthermore, while many users might think that adding "!@#" to the end of their pet's name will make their passwords unbreakable, there are those who are well aware of the benefits special characters bring. Forcing them to use a weaker password is a really bad move.
Overall, if you are doing business with a service provider that won't let you use special characters in your password, you might want to know that in all likelihood, some of its security practices are a bit outdated. It's up to you to decide what you make of this, and it's also up to you to make sure that despite the lack of special characters, your password is strong enough to protect your data. Here are some tips.
Go for length and randomness
As we discussed recently, entropy is the measurement that tells you how easy a password is to brute-force, and as we also mentioned in that blog post, with all other things being equal, a longer password will have higher entropy. In fact, for years, people have been arguing that because length is so important, you should always opt for passphrases instead of passwords. There's a bit more to it than that, though.
Entropy is a great way of seeing how resilient a password is to brute-forcing, but it's not much help when it comes to other attacks. For example, if you use the name of your favorite song as a long passphrase, and you've shared that song on Facebook hundreds of times, an attacker will only need a few minutes of reconnaissance before they can make an educated (and possibly correct) guess. Adding digits to the passphrase won't be very useful if they represent your birthday, either.
Regardless of whether you're creating a password or a passphrase, you must make sure that it's as random as possible.
Make it unique
Many experts agree that credential stuffing is one of the biggest threats the modern internet user faces, and over the last few months, we've certainly seen an uptick in the number of incidents that involve passwords stolen from one website and used at another one. When it comes to cybersecurity, password reuse is arguably the simplest, yet most common mistake people make, and it's not difficult to see why.
Hackers' tools are more advanced than ever nowadays which means that our passwords need to be complex and long. Creating them, while a bit of a nuisance, isn't such a big deal. Because we have many online accounts, however, and because they all require their own, unique passwords, we have no chance of remembering all that data. It seems that we're stuck in a Catch-22-type of situation. Thankfully, there is a solution.
Let the machines do the hard work
Cyclonis Password Manager was designed to help users solve this riddle. It comes with a built-in password generator that can create completely random passwords that can be up to 32-characters long. To fit the requirements of the website you're signing up for, you can choose what sort of characters you'll have in your password, and with the help of your browser extension, you won't even need to switch windows or manually copy and paste anything. Best of all, Cyclonis Password Manager can save all your passwords in your encrypted vault meaning that you won't need to worry about forgetting them. To learn more about how it works, click here.