Passwords and How to Handle Them
By: Hart Johnson, MSCSIA, CEH, CHFI
October is Cybersecurity Awareness Month. This year the theme is “Do Your Part. #BeCyberSmart.” This theme acknowledges that we all have to do our part in protecting our individual cyber presence. One way to protect your organization is by educating yourself and your employees on the importance of passwords and how they can affect the cybersecurity of your practice.
Passwords are one of the most annoying parts about any technology that requires authentication. With the rules for how long your password has to be, its complexity, changing them often, it’s no wonder users will choose an easy to remember password and use it across all of their devices and services. The problem is, that is a VERY dangerous practice.
There are differing opinions on password based authentication, what is the most secure, etc, but among cybersecurity experts, most agree passwords really need to go away. However, technology is not that far along yet in most cases, so we have to deal with passwords for now.
The question becomes, if that is the case, then what should we know about passwords and how to properly use them?
First and foremost, cybersecurity experts agree that using a password manager is really the best way to protect and handle your passwords. It solves the problems of complexity, remembering where you used passwords, and allows you to use a different password per service. You can read more about that on our Password Manager Blog.
Putting that aside for a minute, let’s talk about a few things that you may want to implement as far as a password policy for your organization.
Passphrases can be stronger than a “normal” password.
That is because typically, passphrases are longer, which creates a stronger password. Passphrases are typically more memorable than a normal password as well. Now without actually putting in our real passwords, there are tools to see this in action.
Let’s take a look at two examples:
- 8 Characters, Random, Complex: M$!pass1
- Passphrase: Pass.for.this.site
Let’s look at the results:
As you can see, the passphrase is SIGNIFICANTLY stronger than the random 8 character password. BUT, if we change the random one to match the length of the passphrase to be M$!pass1M$#p2s21#1
So you’ll notice the random password is “stronger” than the passphrase. However, is the difference really that important though in these two examples? Is 1 Quadrillion really THAT much weaker than 7 Quadrillion? In reality, no, probably not.
This is where the password manager really comes in because it can handle the longer, more complex password with ease, and removes the need for you to remember it, so the passphrase becomes less important. The password manager just makes it easier, since most have secure password generators. But if you cannot use a password manager, encouraging users to use passphrases is another good option.
Do not write off changing of passwords on a regular basis
While NIST (National Institute of Standards and Technology) has come out encouraging organizations to not force passwords after an arbitrary amount of time, the practice has still stuck around. I personally support the changing of passwords on a regular basis, especially if multi-factor authentication is not an option. The reason being, is because according to sources like IBM (https://www.ibm.com/security/data-breach), the average breach takes around 280 days to detect. By changing your password more frequently, it gives you the opportunity to potentially help limit the effects of a data breach. With a password manager, changing your password on a regular basis is SUPER easy, but with using passphrases, it’s still possible without being a large burden on your users. I would encourage you to think about the risk/reward associated with automatic password expiring where you can control it.
You should know if you have been breached.
You are probably wondering, well, how do I know? There are tons of services out there that check your passwords against known breaches, recommend using stronger passwords, etc. One service that is easy to use is https://haveibeenpwned.com/. I highly recommend using their Notify Me service, as it will constantly check your email against known breaches to give you a leg up. They also have a domain search (which will need to be set up by your IT team) that can monitor your entire email domain for breaches too. Great service!
Don’t let users use personal emails or services for your business.
It’s just bad practice and shadow IT is a big issue. Users setting things up without your organization’s permission is a problem, and having them use their own email adds an additional layer of complexity in your security model. You are probably asking, what does this have to do with passwords? Well, think about where most password resets are sent. To the email address on file. That means if they are not protecting their personal email address, and an attacker gets in, they can request a bunch of password resets for items regarding your business and now you have a breach to deal with.
The long and short of it is, passwords are here to stay for a while, hopefully no longer than necessary though. So, you need to take precautions for your organization and use some of the best practices listed above to help protect your organization.