Passwords – Hate Them or Love Them, You’re Stuck with Them
Passwords are the bane of every person who uses multiple social media and email platforms. At your job many people (including you maybe?) hate them and do their best to circumvent best practices.
Meanwhile people like me can’t fathom why anyone would use password123 as a password. I wholeheartedly believe in a strong password policy, and practice what I preach. I often run into computer users with very lax passwords (and in some cases none).
A lot of people simply don’t understand the consequences of an easy password. Using a one word, all lowercase passwords, often a word associated with them, is extremely easy to crack.
The password 123456 is still one of the most commonly used passwords. I run dark web breach assessments for business owners all the time and find their very simple passwords have been cracked and are added to lists on the dark web.
I have had clients tell me that they know their password is not strong, and then half-jokingly say “Why would anyone want my password?”
Then there’s the dreaded sticky note or notepad right next to their computer, with all their passwords.
There’s laptop and iPad owners who have no password on their device. I can easily pick it up, walk away and likely have access to their entire life in a matter of minutes.
I get it. Passwords are a pain in the…..
Unfortunately, they’re not going anywhere.
There have been some cool advances in authentication. Biometrics, RFID cards, tokens, and QR codes to name a few.
If you have purchased a smart phone in the last few years you know that facial recognition and/or fingerprint scanning are now standard on most phones.
But ultimately passwords are here to stay. Have you ever tried unlocking your phone with a wet thumbprint? And my son was able to bypass the facial recognition on my phone. Most people say he looks like my wife but not according to my Samsung phone.
The Great Password Debate
In the Infosec world we usually get our guidelines and best practices from NIST. NIST recently published a study on whether recycling passwords worked.
Many businesses require you to change your password every 30 or 45 days and won’t allow you to reuse a password for 12-18 months. Many security experts recommend changing your social media and email passwords every few months. Some sites even prompt you to do this.
It has been determined that this practice is not effective, meaning it does nothing to improve account compromise.
What it does do is ensure that any unauthorized individual who has gained access with a compromised account will no longer have access once that password is changed. But by then the damage is done.
There have been lots of debates on what makes a secure password. Random letters/numbers/special characters are great but who can remember them?
Using something you can remember makes it easier to crack or even guess the password. I have successfully guessed a network password for a major cable provider’s supposedly secured modem/router. Meaning I did not use specialized tools to crack the password. I simply used information available to me to make an educated guess.
Things to consider include length, complexity, time until expiration, and account lockout rules.
Password Best Practices for Your Business
Despite the introduction of alternative authentication methods passwords are still necessary. The alternative methods should be used as multifactor authentication (MFA). Meaning you should use a password and another method.
I will get to those methods in a few paragraphs.
Password Best Practices:
- Use Passwords of at Least 8 Characters – The more the better. For each additional character the time it takes to brute force the password increases exponentially. A password of 8 lowercase letters can take 5 hours to brute force. By comparison a password of 12 lowercase characters can take 200 years.
- Use a combination of UPPERCASE, lowercase, numbers and special characters. Above I mentioned that a password of 8 lowercase characters can be cracked in 5 hours. If you add UPPERCASE, numbers and special characters it will take a lot longer.
- Force Yourself to Use Complex Password Policies – Doing this will also greatly decrease the likelihood of a compromise. Complex passwords mean in addition to requiring UPPERCASE, lowercase, numbers and special characters you also avoid dictionary words and variations, proper names, using the account name in the password, and reusing the same or similar passwords across different platforms.
- Use MFA – This is also referred to 2FA or TFA (Two-Factor Authentication). There are a few different methods for multifactor authentication available. The most common is the use of a token. It is becoming more popular to use a soft token. Using an app on your smartphone that generates a time-based code is easy to set up in most cases, and almost always free. Microsoft and Google offer apps to manage the codes for you. There is also an app called Authy that works great. This means you need to make sure your phone has a lock on it, preferably a biometric lock such as facial recognition or thumb print. Other methods of MFA (depending on what you’re logging in to) include text message, biometrics (retina scanner, fingerprint, facial recognition) and RFID cards.
- Password Manager – I use LastPass and Keepass. Both tools store my complex passwords so that I don’t need to remember them all. They’re both available for free.
If you put a gun to my head and ask for my Facebook password, I can’t give it to you because I don’t know it. Even better is if you do somehow get it, I still need to approve the log in on my phone. LastPass is a website that works with your browser, computer and smartphone. Once you log in to LastPass your passwords can automatically fill in wherever you need it. Keepass is a tool you can download to your computer if you’re not comfortable with a website knowing all your passwords. There are plenty of other tools out there. I have personally used these two for years without any problems.
- Stop Sharing so Much Information – We’ve all seen them, and many of us are guilty of participating in them. 20 questions about you that you share (often publicly) on the internet. This can be used to social engineer you. Social engineering makes it easier to make an educated guess as to what your password might be, or perform further social engineering. I’ve done it to prove a point on multiple occasions. It’s not hard to gain access to someone’s info given enough information, and if a less than secure personal password policy is in use.
Get Comfortable with Passwords
Passwords are a necessary evil that are not going away anytime soon. It’s best to get comfortable with having to use them in a secure manner.
One last note. There are websites on the internet dedicated to hosting dictionary files filled with passwords that have been used, Security professionals and not so ethical people can purchase these lists to use for brute force attacks. They don’t even cost that much money…pennies on the dollar for tens of thousands of passwords.
I recently discovered that a password I was using was on this list. I don’t normally use the same password in multiple places (call me paranoid) but this password was used in a couple of applications. The password consisted of a nickname of someone I know (that most people would not know) random numbers and a special character.
Needless to say, I do not use this password anymore. Using the exclamation point as your one and only special character seems to be the default for a lot of people. Don’t do it.
I should also note these password suggestions can (and should) be used on most internet applications today (Google, Facebook, PayPal, Banking, etc.) They all have multi-factor authentication options but don’t always make it easy to find that option (PayPal!).
Bottom line, make peace with using a more complex personal password policy. They’re not going anywhere.
Contact Scott: web: firstname.lastname@example.org, phone: 203.680.8151.