Passwords may be one of the most misunderstood elements of network security. The critical importance of the role passwords play in thwarting cybersecurity breaches cannot be downplayed or understated. Weak passwords undermine a company’s network. One of the key points of security tools, such as network security monitoring, is to flag unusual (and therefore suspicious) activity on an organization's computer systems. If passwords are so simplistic that hackers can guess them correctly in a normal number of attempts, then cybersecurity software is much less likely to notice and flag these cybercriminals' efforts.
But even businesses that do not rely on advanced security tools can still benefit from strengthening their password practices. Before providing some advice on password best practices, let’s take a look at some of the common issues surrounding passwords:
According to SplashData’s annual list of bad passwords, two passwords remain at the top of the list: “123456” and “password.” Hacks that compromise real-life passwords have shown that users, despite advice to the contrary, continue to employ very easily guessed combinations. Even though users know these are bad passwords, they continue to use them, to the delight of cyber thieves. Pop culture also has an influence on bad password choices. According to the SplashData list, new additions to the list come from the movie Star Wars, including “starwars,” “solo,” and “princess.” Not even “The Force” will protect companies and users that use these short and easy-to-crack passwords. Using the names of loved ones is also not recommended. Cyber criminals do their research, and it only takes a few minutes on Facebook and other social channels to figure out the names of spouses, children, pets, etc.
Employees sometimes use the same password on their work machines as they do for their personal accounts. This can indeed cause a “double whammy” effect. If the services hosting personal accounts are breached, then hackers targeting a work account can attempt to use the passwords stolen from the user's personal account. Different passwords should be used for every account – both personal and at a place of business. However, this can get very confusing and hard to manage. Cybersecurity expert Bruce Schneier also provides some additional important tips for good password hygiene. First, never reuse important passwords. If each of a user's important passwords is unique, they are more secure. Second, be wary of the “secret question” options for restoring access to a forgotten password. If users are required to input answers to secret questions, they should put in bogus answers and store the answers somewhere safe, such as a well-defended password manager. Finally, Schneier recommends also using two-factor authentication if a site offers it.
Password Security Basics
Some of the best advice on creating passwords that block efforts to accurately guess passwords is really just good, old-fashioned common sense. Taking a common-sense approach to password management is sound, but it also has to be part of an organization’s actual and effectively executed IT security policy. With that, here is a short list of what to include in a password management security policy:
- Always Use Special Characters - When choosing a password, Schneier recommends inventing a sentence and turning it into a password. For instance, looking at the initial letter of each word in “The Statue of Liberty is a popular tourist destination in New York City” yields TSoLiaptdiNYC. This string can be made more complex by adding some special characters and numbers: TS%oLiapt7diNY;C. Be sure to use special characters (ones besides letters and numbers) other than those available on the number keys. In other words, use special characters from the right side of the keyboard, such as “ and [, in addition to the usual special characters such as ! and @.
- Alternate Capital Letters and Numbers - Strong passwords are ones that include capital letters, numbers, and symbols throughout the password instead of just at the beginning or end. Another helpful tip is to make the password a string of seemingly unrelated nouns. Some of the easiest passwords to guess are common baby names and birth years. Hackers can guess that your password is your birthday or a family member’s name, but random words in passwords are harder to guess, especially if numbers and special characters are thrown in.
- Password Managers are a Good Option - For those who don’t like the thought of memorizing a list of complicated passwords, password managers can keep track of multiple passwords for you. Users have to remember one strong password for their password manager, and then the service stores the rest of the passwords for easy access. One downside to password management services is that they are not immune to being hacked. Another way to add security to passwords is through multi-factor authentication. People can use a secondary code that’s delivered to their cell phone, or a physical token, to access their accounts. If a hacker finds a way to bypass your password, they still won’t have your secondary code or token. As with password management services, there is at least one disadvantage to secondary codes and tokens: users must have their cellphones and tokens on them in order to access their accounts.
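As an added illustration (this is example code written for this article, not code from the original post or from EiQ), the following Python script turns the advice above into a checkable policy: it derives a password from a sentence the way the Statue of Liberty example does, rejects the common passwords the post names, requires capitals, digits and symbols spread through the string rather than only at the ends, asks for at least one symbol that is not on the shift+number row, and detects reuse of a password across accounts with a keyed fingerprint so the vault never holds plaintext. The minimum length of 12, the denylist contents, the demo key and the sample passwords are assumptions chosen for the example; the post itself gives no numeric thresholds.

```python
"""Password-policy checker built from the advice in the post (example code)."""
import hashlib
import hmac
import string

# Constructed denylist: the entries the post quotes from SplashData's list.
COMMON_PASSWORDS = {"123456", "password", "starwars", "solo", "princess"}

# Symbols reachable with Shift on the number row of a US keyboard.
NUMBER_ROW_SYMBOLS = set("!@#$%^&*()")
# Every other printable punctuation character (e.g. " [ ; ~).
OTHER_SYMBOLS = set(string.punctuation) - NUMBER_ROW_SYMBOLS

MIN_LENGTH = 12  # assumption: the post only says "short" passwords are weak


def sentence_to_password(sentence: str) -> str:
    """First letter of each word, as in the post's Statue of Liberty example."""
    return "".join(word[0] for word in sentence.split() if word[0].isalpha())


def check_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no capital letters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    symbols = [c for c in password if c in string.punctuation]
    if not symbols:
        problems.append("no special characters")
    elif not any(c in OTHER_SYMBOLS for c in symbols):
        problems.append('only number-row symbols; add ones like " [ ; as well')
    # "Throughout, not just at the beginning or end": if any digits or symbols
    # are present, at least one must sit strictly inside the string.
    non_alpha_positions = [i for i, c in enumerate(password) if not c.isalpha()]
    ends = {0, len(password) - 1}
    if non_alpha_positions and all(i in ends for i in non_alpha_positions):
        problems.append("digits and symbols only at the ends, not throughout")
    return problems


def password_fingerprint(password: str, key: bytes) -> str:
    """Keyed digest so reuse can be detected without storing plaintext passwords."""
    return hmac.new(key, password.encode(), hashlib.sha256).hexdigest()


def find_reuse(candidate: str, vault: dict[str, str], key: bytes) -> list[str]:
    """Accounts in `vault` (account -> fingerprint) that already use `candidate`."""
    fp = password_fingerprint(candidate, key)
    return sorted(acct for acct, stored in vault.items() if hmac.compare_digest(stored, fp))


if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice a secret held by the user, never hard-coded
    # Constructed vault: one personal account already uses the post's strong example.
    vault = {"personal-mail": password_fingerprint("TS%oLiapt7diNY;C", key)}
    base = sentence_to_password(
        "The Statue of Liberty is a popular tourist destination in New York City")
    for pw in [base, "TS%oLiapt7diNY;C", "starwars", "1Password!"]:
        print(f"{pw!r}: {check_password(pw) or 'OK'}; reused by: {find_reuse(pw, vault, key)}")
```

Run as-is, the script shows that the bare initials TSoLiaptdiNYC fail for lacking digits and symbols, that TS%oLiapt7diNY;C passes the policy but is flagged because the personal-mail account already uses it (the "double whammy" the post warns about), and that a password like 1Password! is rejected both for keeping its digit and symbol at the ends and for using only a number-row symbol.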
Security software can go a long way to protect your data—and your company's—and strong password selection is just one part of an overall cybersecurity plan. Requiring all employees to select secure, unique, and complex passwords must be part of your organizational security policy. Not only will this protect critical company data from cyber thieves out to steal it, but it will also ensure that your company will get the most out of the IT security software and services in which it invests.
If you are struggling with improving your organization’s security posture, consider your options. More and more, organizations that were previously understaffed, underbudgeted, and overwhelmed are finding that EiQ’s hybrid security as a service that combines the best people, process, and technology is a welcome change from going it alone. EiQ is transforming how mid-market organizations build enterprise-class security programs. Acting as an extension of our customers’ IT teams, EiQ’s SOCVue provides continuous security operations based on best-of-breed technology at a fraction of the cost of alternative solutions. EiQ is a trusted advisor to organizations that need to improve their IT security and compliance posture by protecting their infrastructure against cyber threats and vulnerabilities. To learn more, please request a demo today.
This blog post originally appeared as a bylined article in SecurityInfoWatch on July 27, 2016.