Reuters and The Three Rules of Passwords

August 6th, 2012   |     |  Smarter Identity

Another month, another embarrassing story about a big website getting hacked – this time it was Reuters. While some might be tempted to make grand proclamations about password security, it’s important to remember that we are all just humans and that human nature is to favor convenience over security. As a result, most of us use the same old, weak passwords that are easily guessed or maybe even known by friends or co-workers.

After all, most of our brain capacity isn’t spent on remembering passwords, but rather the presentation that needs to be finished by 4 pm, or why Sarah isn’t responding to your text messages, or which summer camp to send your kids to next week.

Once we have accepted that we’re just human beings, there are some very practical things organizations can do to increase password security. Let’s look at the Three Rules of Passwords.

First rule: Don’t use passwords

Eliminating passwords is the key to stronger password security. When you don’t have passwords, no one can steal them. It’s a bit like carrying credit cards instead of cash. The best way to eliminate passwords is using a single sign-on protocol like SAML, which is supported by most leading SaaS applications, including Box, Google Apps, Salesforce, Yammer, and Zendesk. There are also free SAML plug-ins available for most of the open source content management systems, including Drupal, Joomla, and WordPress.

For applications that don’t support SAML, you can generate a very strong password and let a password manager auto-fill it for you, which is the second best solution.

Second rule: Use strong passwords

You will most likely always have one password to remember; for example, you’ll likely always have one for your password manager or your identity provider. As long as you only have one password to remember, though, you can handle changing it periodically and also come up with one that’s strong enough that it can’t be easily guessed. You can always stitch it together using character sequences that makes it easier to remember. For example, if you graduated in 98 and “Stairway to Heaven” is your favorite song, an easy-to-remember password could be Stair98Hea!

Third rule: Multiple authentication factors

A second authentication factor can prevent others from hacking into your applications even if they guessed your password. Basically, there are three types of authentication factors:

  • Something you know: a password or a PIN
  • Something you have: a mobile phone or a key fob
  • Something you are: fingerprint, voice pattern or iris scan

The password is something you know, so your second authentication factor should be something that can’t be used by a person who is located somewhere else. The most practical ones are mobile phone apps or key fobs that generate a unique PIN every 30 seconds. There are many strong authentication options available, both commercial ones from vendors like Duo Security, RSA and Symantec, as well as free ones from Google and OneLogin.


Password security doesn’t have to be military grade, and there are some very simple steps you can take to drastically reduce the risks of someone hacking into your applications. Just be smart about it.

About the Author

Thomas Pedersen, founder of Onelogin, has more than 15 years of experience in building and selling carrier-grade billing systems for phone companies, initially at Cisco-backed Digiquant in Denmark and later at Intec Telecom Systems in the US. After having helped Zendesk grow to 5,000 customers as VP Business Development, he is now laser-focused on making OneLogin the most widely deployed identity management solution in the cloud.

View all posts by Thomas Pedersen

Secure All Your Apps, Users, and Devices