PASSWORDS: How Important are they really?

20 Years of History

You’re probably familiar with some of the age-old requirements for creating passwords. The most common being, that your password should be at least eight characters long, contain lower case, uppercase, numbers and symbol characters. In addition, we are advised not to reuse the same password on more than one platform and to change the password regularly. The problem with these requirements is that it results in users selecting predictable passwords, composed of sequential words and numbers which are closely related to each other. Those in charge of enforcing these rules also end up allowing users to bend them because the alternative is an influx of support calls to reset passwords from frustrated users.  

The truth of the matter

If you look at the graphic below provided by h howsecureismypassword.net it shows that a password of 8 characters with lowercase letters can be hacked in 5 seconds. If you add in a number, Uppercase letter and symbol that increases to 8 hours which is still an extremely insecure password. This does not even take into account the predictable passwords that are comprised of your name, vehicle number plate or year of birth. What the graphic shows is that a longer password is stronger. A password of 18 lower case characters, for example, would take roughly 23 million years to crack. This is way better than 5 seconds. Naturally, this assumes that the 18-character password is not comprised of repeating patterns like sevensevenseven or passwordpassword that meet the character length requirement but aren't hard to guess. 

An employee’s exposed personal information can be used to craft highly convincing social engineering attacks, like phishing scams, phone scams, and more. By including just enough accurate information, the scammer can often convince their victim that they are the trustworthy source they claim to be.

How to Remember Passwords.

The big question is, how can you be expected to remember a 15 or 18 character long password especially if all your platforms require a different password that in turn need to be changed every 3 months without repeating them. The answer to that question is the use of passphrases. A Passphrase is a random word paired together by a space, symbol or number to make up the password.

This graphic below, which you may have seen in social media, does a decent job of explaining why passphrases are better than shorter complex passwords. The graphic appeals to those who love math by depicting the many more combinations that are required, to crack a longer password. In short, using a passphrase is easier for a human to remember and harder for a computer to guess.

The only problem with passphrases is that it is difficult to ensure that users do not use repeating patterns as was illustrated which inadvertently makes them easy to guess.

What we recommend

Passphrases are the best in situations where you are sure the users do not end up misbehaving. Below are our recommendations as highlighted in cybernews.com

1. Choose a good password manager

Whether you’ve generated your own strong passwords or you’re looking for an online service to do it for you, we strongly recommend using a good password manager. A secure password manager generates, stores and manages all your passwords in one safe online account. It also goes the extra mile to ensure that all your passwords are unique. This is really useful because it allows you to use as many unique passwords as you like without ever having to worry about memorising them. All you need to do is save all your passwords for every online account you have on your password manager and then protect them with one “master password”. This means you only have to remember one strong password as opposed to every single one.

Once you’ve got your password manager set up, whenever you go to log in to one of your online accounts, you simply type your master password into your password manager and it’ll auto-fill in your login details for this account. You don’t even need to remember which email address or username you used. A secure password manager will fill all this in for you. Here are some of the best password managers in 2021.

2. Use two-factor authentication

Even if someone does manage to steal your password, you can still prevent them from accessing your account by adding in an additional layer of security with two-factor authentication (2FA). This means that anyone trying to login to your account will have to enter a second piece of information after the correct password. This is usually a one-time code that’ll be sent directly to you.

Sometimes this will be sent to you via text message, although this isn’t necessarily the most secure way of receiving that code. After all, a hacker could steal your mobile number through SIM swap fraud and access your verification code.

We’ve found it’s much safer to use a two-factor authentication app instead, as they’re much trickier to intercept. Our favourites include:

• Google Authenticator

• Microsoft Authentication

3. Enable Risk-based Multi-factor Authentication.

Risk-based multi-factor authentication ensures when your system detects suspicious activity, it can challenge the user to ensure that they are the legitimate account owner by sending a verification code to their email address, two-factor authentication app or ask a secret question that ideally, only the user knows.

4. End-User Training 

Your organization is only as secure as its weakest link. It so happens that your employees, the human element of your well-laid security plans, will in most cases be your weakest link. As such, it is paramount that you continuously educate them;

Not to re-use organization passwords anywhere else

One of the most important messages to get across to users in your organization is to not re-use their organization password anywhere else. The use of organisational passwords in external websites greatly increases the likelihood that cybercriminals will compromise these passwords.

Early this month reports emerged of an alleged data breach, impacting half a billion Facebook users from 106 countries. In the event some of those credentials were also used on other accounts, bad actors could easily be able to pounce on those accounts.

Not to save their passwords on their phones, tablets or PC’s
This may sound obvious but you must avoid saving any of your passwords in a document, email, online note or anything else that could be hacked.

Not to give out their password
It is really important to keep your passwords private. Even if you completely trust the person you’re giving your password to, it’s risky to send a password via text message or email in case anyone intercepts it. Even if all you’re doing is reading it out over the phone or spelling it out to the person sat next to you, there could be someone listening in and making notes.

Check if their email has been leaked
Of course, it’s really important to keep on top of any data breaches that may have occurred, particularly with your email account.

But how would you know if your email has been leaked? Well, cybernews.com has an online personal data leak checker, which will let you know if anything like this has happened to your email account. All you need to do is enter your email address and they will be able to tell you if anything has happened to it. You may also want to invest in an online Dark Web Monitoring tool that continuously monitors your organisation's email domains as well as 3rd party email addresses for your CEO's and any other C Level employee, to see and alert you as soon as any of your employee's credentials are leaked. This can help you make timely, corrective, steps to stop any malicious actors from taking advantage of the breach.

Should Password Expiry be enforced or not?

If you were keen, you would have noticed the howsecureismypassword.net graphic, above, did not mention anything to do with changing passwords regularly. As a result, you probably would be asking whether it is necessary to change passwords regularly. According to the National Institute of Standards and Technology (NIST) and Microsoft, mandatory periodic password resets for user accounts is not necessary, unless the password itself was exposed to a breach. The main argument by these proponents is that Password expiration requirements do more harm than good because they make users select predictable, passwords.

That being said you could make an argument that changing a password once every 6 months or a year has some value especially if you don't have a system in place that consistently monitors for hacked passwords and/or the system is not perfect in identifying all passwords discovered in every security breach on the internet.

We would like to hear your thoughts

How does your IT Guy/Team Store your network level passwords? Ask them, you may be