Weak and stolen passwords are the number one reason for data breaches globally. This has pushed password alternatives such as biometrics, single sign-on (SSO) sessions, PIN codes, magic links and physical security keys to the forefront of the digital world. However, as good as these alternatives are, and as breach-prone as traditional passwords may be, passwords still dominate the world of cybersecurity.
Since password management is evolving rapidly, new ways of keeping passwords secure keep appearing. Let us explore a few tips that can help safeguard passwords and make you re-think password security.
Create Strong Passwords with Long Passphrases
The Australian Cyber Security Centre (ACSC) recommends coming up with long passphrases that are easy to remember but difficult to guess. Strong passwords are at least fourteen characters long and combine uppercase and lowercase letters with symbols. Passwords should also not be so complicated that they force users to write them down everywhere. A good approach is to create a passphrase that tells a story, or to use the PAO (Person-Action-Object) method. As an example, you can take the first letter of each word in the sentence “a crazy white fox is jumping over a fence” and combine them with a few numbers or symbols to give yourself a unique but memorable password.
ACSC also recommends that you do not include the following in your passwords:
- repeated characters
- arbitrarily mixed letters, numbers and symbols
- single dictionary words, your street address or numeric sequences (such as 1234567)
- personal information
- anything you have previously used.
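The ACSC rules above can be turned into an automated pre-check that runs before a password is accepted. The following is an added example written for this article, not code from the ACSC or from the page; the dictionary, the list of previously used passwords and the thresholds (a run of three repeated characters, a four-digit sequence) are constructed assumptions standing in for a real wordlist and a real password history. The "arbitrarily mixed letters, numbers and symbols" rule is a judgement call and is deliberately not checked by code.

```python
import re
import string

# Constructed stand-ins. In practice the wordlist would be a real dictionary and
# the history would come from the user's password manager or directory service.
DICTIONARY_WORDS = {"password", "pineapple", "dragon", "welcome", "sunshine"}
PREVIOUSLY_USED = {"Summer2019!", "acwfijoaf2019"}

MIN_LENGTH = 14  # the article's "at least fourteen characters"


def has_repeated_run(pw: str, run: int = 3) -> bool:
    """True if any character repeats `run` or more times in a row (e.g. 'aaa')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_numeric_sequence(pw: str, length: int = 4) -> bool:
    """True if the password contains an ascending or descending digit run of
    `length` or more (e.g. '1234' or '4321'), per the ACSC advice."""
    digits = string.digits
    for i in range(len(pw) - length + 1):
        chunk = pw[i:i + length]
        if chunk in digits or chunk in digits[::-1]:
            return True
    return False


def is_single_dictionary_word(pw: str) -> bool:
    """True if the password is one dictionary word, ignoring case and up to
    three decorating digits/symbols (so 'Password1!' still counts)."""
    core = re.sub(r"[^a-z]", "", pw.lower())
    return core in DICTIONARY_WORDS and len(pw) - len(core) <= 3


def mixes_character_classes(pw: str) -> bool:
    """Upper and lower case plus at least one symbol or space."""
    return (any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c in string.punctuation or c == " " for c in pw))


def check_password(pw: str, personal_info=()) -> list:
    """Return a list of findings; an empty list means the password passed.

    `personal_info` is an optional tuple of strings (name, street, etc.) that
    must not appear inside the password."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if not mixes_character_classes(pw):
        findings.append("does not mix uppercase, lowercase and symbols/spaces")
    if has_repeated_run(pw):
        findings.append("contains repeated characters")
    if has_numeric_sequence(pw):
        findings.append("contains a numeric sequence")
    if is_single_dictionary_word(pw):
        findings.append("is a single dictionary word")
    lowered = pw.lower()
    for item in personal_info:
        if item and item.lower() in lowered:
            findings.append(f"contains personal information ({item!r})")
    if pw in PREVIOUSLY_USED:
        findings.append("was previously used")
    return findings


if __name__ == "__main__":
    for candidate in ("123456", "Password1!", "Summer2019!",
                      "I don't like pineapple on my pizza!"):
        result = check_password(candidate, personal_info=("Summer",))
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

Run as a script it prints one line per candidate; the 35-character passphrase from the table later in the article passes every check, while the short examples fail several at once.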
To read more on the password guidelines set forth by the ACSC, please go here: https://www.cyber.gov.au/acsc/view-all-content/guidance/authentication-hardening
Use a Password Manager
Even if you create passwords that are both strong and easy to remember, you still need some sort of central management for all of them. Most users today have many different accounts and a plethora of passwords to remember. Password managers can generate highly secure passwords and store them securely for later use. Above all, you only need to remember one master password to access the password manager. Once logged in, you can automatically log in to any of your stored accounts without entering any further passwords.
Generally, there are two types of password managers:
- Personal Password Managers: Personal managers such as LastPass manage passwords for individual users or employees for access to applications and services.
- Privileged Password Managers: These are specialised password managers for enterprise use, responsible for securing and managing privileged credentials across the whole organisation. Privileged credentials grant access to the most critical systems, accounts and sensitive assets an organisation has.
Implement Multi-Factor Authentication (MFA)
MFA is an authentication method that grants access to a user only after they have successfully presented two or more pieces of evidence. It adds a layer of security by asking the user for an extra credential rather than just a password. A good example is online banking with MFA enabled: once you enter your login credentials on the bank's website, a one-time password (OTP) is sent to another pre-authenticated device, such as your mobile phone, and you must enter that code into the website to gain access. Time-limited OTPs generated by an MFA app such as Google Authenticator are strongly preferred.
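The time-limited codes that apps such as Google Authenticator produce are TOTP (RFC 6238), which is HOTP (RFC 4226) with the counter set to the current 30-second time step. The block below is an added example for this article, not code from any authenticator vendor or from the page. It implements both algorithms and the server-side verification a relying party needs: a small clock-drift window, a constant-time comparison and a record of accepted counters so a code really is usable only once. The secret and timestamps in the usage section are the RFC 6238 test values; the `used_counters` replay store is an in-memory assumption standing in for a real per-user database.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then the
    'dynamic truncation' of 4 bytes at an offset taken from the last nibble."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, for_time // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30, digits: int = 6,
                window: int = 1, used_counters=None) -> bool:
    """Server-side check. Accepts the code for the current step or up to
    `window` steps either side (clock drift), compares in constant time, and
    refuses any counter value that has already been accepted (replay)."""
    counter = now // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        expected = hotp(secret, candidate, digits)
        if hmac.compare_digest(expected, code):
            if used_counters is not None:
                if candidate in used_counters:
                    return False  # a one-time password was presented twice
                used_counters.add(candidate)
            return True
    return False


def secret_from_base32(b32: str) -> bytes:
    """Authenticator apps exchange the shared seed as base32 (the otpauth://
    QR code). Re-pad so hand-typed, unpadded strings also decode."""
    b32 = b32.strip().replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


if __name__ == "__main__":
    # RFC 6238 reference secret: the ASCII string "12345678901234567890".
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("8-digit code at T=59 (RFC vector 94287082):", totp(secret, 59, digits=8))
    now = int(time.time())
    code = totp(secret, now)
    used = set()  # assumption: stands in for a per-user replay store
    print("current 6-digit code:", code)
    print("first use accepted:", verify_totp(secret, code, now, used_counters=used))
    print("replay accepted:", verify_totp(secret, code, now, used_counters=used))
```

The drift window is the trade-off to watch: each extra step a server accepts widens the set of valid codes at any instant, so keep it to one step either side and rely on the replay store rather than a bigger window to cope with slow users.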
Avoid Overly Complex, Weak and Similar Passwords
Even though longer and stronger passwords are recommended, recent ACSC advice discourages overly complex passwords. Overly complex passwords pose their own security threat: some users will be tempted to write them down or put them on sticky notes rather than memorise them. Equally, creating weak, simplistic or similar passwords for different accounts is counterproductive and full of risk.
| Password | Time to crack: brute force attack | Time to crack: second method (heading not shown) | Easy to remember? Notes |
| --- | --- | --- | --- |
| (not shown) | Instantly, less than AU$0.01 | Instantly, less than AU$0.01 | Very easy (too easy). One of the most commonly used passwords on the planet. |
| (not shown) | 48 hours, AU$587.50 | Less than half an hour, AU$6.10 | Some complexity in the most common areas, and very short length. Easy to remember, but easy to crack. |
| (not shown) | 24 hours, AU$293.70 | Less than 1 hour, AU$12.20 | Not much more complexity than above, with character substitution, and still short length. Easy to remember, but easy to crack. |
| (not shown) | 2.5 hours, AU$30.60 | 2.5 hours, AU$30.60 | Mildly complex, but shorter than the above passwords. Hard to remember, easy to crack (against a brute force attack). |
| I don’t like pineapple on my pizza! | More than 1 year, more than AU$107,222.40 | More than 40 days, more than AU$11,750.40 | Excellent character length (35 characters). Complexity is naturally high given the apostrophe, exclamation mark and use of spaces. Very easy to remember, and very difficult to crack. |
Continuously Check Credentials
Before setting a new password, and even during regular use, it is a good idea to check credentials continuously against databases of exposed passwords. Many databases and agencies can now tell you whether a password has appeared in a data breach. This can save you from using an exposed password and a lot of headaches in the long run.
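The article does not name a particular breach database, so the following added example (written for this article, not code from the page or from any service) models the k-anonymity "range query" protocol that Have I Been Pwned's Pwned Passwords service popularised: the client hashes the password locally with SHA-1, sends only the first five hex characters, receives every matching suffix with its breach count, and does the final comparison at home, so the full password hash never leaves the machine. Both sides are implemented here against a constructed in-memory corpus; the passwords and counts in `BREACHED_PASSWORDS` are made up and `range_lookup` stands in for the HTTP call a real client would make.

```python
import hashlib

# Constructed stand-in for the breached-password corpus held by the service.
# Counts are invented for the example.
BREACHED_PASSWORDS = {
    "password": 1_000_000,
    "123456": 2_500_000,
    "Summer2019!": 3,
}


def sha1_hex(password: str) -> str:
    """The protocol hashes with SHA-1 purely as a lookup key, not for storage."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: dict) -> dict:
    """Server side: bucket every hash by its first 5 hex characters."""
    index = {}
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], []).append((h[5:], count))
    return index


RANGE_INDEX = build_range_index(BREACHED_PASSWORDS)


def range_lookup(prefix: str) -> list:
    """Server side: answer a range query. The only thing the server learns is
    which of the 16**5 = 1,048,576 buckets the client asked about, and it
    returns every SUFFIX:COUNT line in that bucket."""
    if len(prefix) != 5:
        raise ValueError("range queries take exactly 5 hex characters")
    return [f"{suffix}:{count}"
            for suffix, count in RANGE_INDEX.get(prefix.upper(), [])]


def check_exposed(password: str, lookup=range_lookup) -> int:
    """Client side: hash locally, send only the prefix, match the suffix at
    home. Returns the breach count, or 0 if the password was not found."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in lookup(prefix):
        found_suffix, count = line.split(":")
        if found_suffix == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for candidate in ("password", "Summer2019!", "I don't like pineapple on my pizza!"):
        n = check_exposed(candidate)
        verdict = f"seen {n} times in breaches" if n else "not found"
        print(f"{candidate!r}: {verdict}")
```

A practical deployment hooks `check_exposed` into the password-change flow and rejects any candidate with a non-zero count; because the check is a hash-prefix lookup rather than a transmission of the password, it can also be run periodically against stored credentials without widening their exposure.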
Avoid Periodic Password Changes
The rule of requiring password changes every 30, 60 or 90 days is now considered obsolete, and recent ACSC advice argues against it. Microsoft also follows suit and considers the practice of regular password updates to be “ancient and obsolete”. The reasoning is that the more often passwords are changed, the weaker the new ones tend to be, as most people struggle to create strong passwords, and these habits make accounts easier to compromise. It is therefore better to create one robust password that is used over a long period than to rotate through new passwords continuously.
Do not save passwords in web browsers
Every time you visit a website that requires a login, your web browser may offer to remember the password so that the credentials are filled in automatically the next time you visit the same site. Sounds compelling, doesn’t it? Who likes remembering passwords anyway? However, this is not good security practice. Passwords saved in browsers are stored in clear text, waiting for a threat actor or anyone with access to your computer to steal them.
Provide Password Training for your Staff
If you are concerned about corporate security and data breaches, it is a good idea to raise security awareness by offering password training sessions to your staff. Good password awareness and digital hygiene among end users are crucial for maintaining a secure corporate network.
At a minimum, password training should cover the following:
- Employees should not share passwords with anyone.
- Employees should not share their password in response to any email or phone call, regardless of how legitimate it might sound.
- If you think your password is compromised, change it immediately.
- Be aware of phishing traps and do not enter your password on a website that you reached by clicking a link in an email.
- Avoid using password-protected services on a public computer or over a public Wi-Fi hotspot.
In today’s data-centric world, passwords are a necessary evil. From email to online banking to online shopping, passwords are everywhere. At the same time, cyber threats are increasing at an alarming pace, and passwords remain the biggest point of contention. Therefore, organisations are re-thinking password security and trying to incorporate newer ways to secure their networks. Fortunately, with effective password security policies and better password management, unauthorised access, data breaches and phishing attacks can be mitigated.
If you would like to learn more about how Dreamtime can help you implement a Privileged Password Manager in your environment, please contact firstname.lastname@example.org