If there’s one question we are asked at Cyber Partners in cyber training and awareness sessions more than most it’s ‘what’s a good password’.
Passwords remain the bedrock of device, system and application security to control access, confidentiality, integrity and availability even in these tech-heady days of 2020. Whilst hardware device vendors edge us towards biometrics (fingerprints, face scans, etc) passwords are ubiquitous and will be so for many years to come.
The fastest way to get hacked and risk identity theft or data breach is poor password hygiene. It doesn’t matter who you are or what you do, if you don’t follow some basic steps, then you are at risk, same as everyone else. In short you need to take care of your passwords like you would your payment cards or passport.
So, here’s Cyber Partners’ definitive “magnificent seven” guide to great password security (including what to do with those high value admin passwords that really are the keys to your kingdom):
- Never, ever share your passwords – ever.
And one more time for emphasis – never. Your password is what makes you accountable for the actions taken under your account. Socially engineering a password out of someone is often much easier than phyically hacking their account. Most *ishing schemes (phishing, vishing,etc) trick you into giving up your password in some way or another, because we are gullible like that.
- Only use long, strong, totally unique passwords.
Computers running free password cracking software (yes, there’s lots of it available – just Google it) will take seconds to crack a weak password. Long ones however could take centuries or even millennia. Frankly, hackers haven’t got the time or patience and settle for easy pickings so don’t make it simple for them. The three most important things to remember:
- Each character increases complexity exponentially. This is why passwords typically have a minimum requirement of 8 characters (14 or more is better – see the graphic at the top of this post).
- Character sets. Each character set has a certain number of permutations. There are 26 lowercase letters, 26 upper case letters, dozens of special characters like @#$^%!, but only 10 digits (0-9) – which is why 12345 is terrible, but ‘IHaveALongPa55Word’ is excellent.
- Common words. Brute force isn’t the only method to crack a password. A computer can run a “dictionary attack” against a password very quickly, testing for all real words, of which there are relatively few, compared to the huge number of character permutations possible. Password is a terrible password.
Here’s the science:
If an eight-character password has a combination of at least both upper and lowercase letters and a number that means it has a combination of 62 unique, reusable characters – or mathematically that’s 62 to the 8th power, or 2.1834011e+14 possible combinations…which will take decades to crack even on a fast processor machine. Include a special character to increase complexity and more digits and numbers and chances are your passwords won’t get cracked until the end of time. Rough rule of thumb – a complex password using all four character sets of 14 characters ling will take roughly a billion years to crack. The more important something is, the better the password should be – read about ‘Admin’ passwords at the end of this guide.
- Never Reuse Passwords
One unique password per site, device or application – long and complex. That’s the rule.Period. That way if you password does get compromised or stolen, you only have one of your logins at risk – not all of them. Identity theft happens because people lose one password which unlocks all their sites – from Facebook to their bank, social security numbers and superannuation.
4. Set a reminder to change your password
The more often you change your password, the smaller the window for a compromised password to be used. This is why high security systems use randomly generated numbers that change every few minutes as part of their authentication process. Changing your password on a regular basis may seem annoying (and yes it its), but it’s nothing compared to dealing with a compromised account, identity theft, or credit card fraud. So suck it up and accept that if you use passwords, you have to change them from time to time.
If you subscribe to https://www.haveibeenpwned.com you can find out if your user credentials and passwords have been caught up in someone else’s data breach – if you are still using the same password from 2012 that got caught up in a very old data breach (like the big Linkedin one where nearly 120M passwords were leaked online) then you really do need to change your password. The point is that your password has been exposed on the Dark Web for more than 8 years for a hacker to by and use. And if your Linkedin password is the same as all your others (like your bank, social security, superannuation, etc) then you are in trouble. Changing them every six months is a good rule of thumb. Or immediately after you get notified of being stolen in a data breach (as I say, subscribe to haveIbeenpwned and the site will tell you if you are in a breach). Some encrypted password storage applications like Dashlane offer the same functionality.
- Secure your password reset options
This step protects you against people, rather than computers, trying to hack your account. Be thoughtful with how your password can be reset. Security questions and answers should not be information that is publicly available, easily searchable or widely known to people who know you. Many people’s accounts are hacked by people they know in real life. If you have an email account where a password reset request will be sent, make sure you have sole access to that account and that it too has a strong password. Don’t answer any of those fun-looking facebooks quizzes either – one moment they are asking you for your favourite colour, the next they are asking for the road where you grew up and your mother’s maiden name. These are often data-harvesting programs looking to get answers to all those ‘security questions’ you put in when you forget your password.
- Use an encrypted password manager
You can use a password manager to store your passwords for you – options include Dashlane, OnePass and LastPass work from any computer with internet access. There are pros and cons to this method.
Pros: Don’t have to remember them all *(you will probably have hundreds of sites to remember if you are anything like me) and they give you lots of time back in nor remembering and typing in passwords. They can also set your passwords for you meaning you never have to set one again and you only have to set one – the master password. Needless to say this is REALLY important so make it really long strong and unique.
Cons: Single point of compromise – so as above we will state again that you must make sure it’s protected with a really, really good password and 2FA as well (biometrics, etc). Password managers are not totally foolproof (LastPass got hacked back in 2015) – you are outsourcing password protection to a program after all. But they do offer a level of encryption and substantially solve a particularly challenging problem.
By the way – storing passwords in browsers is an absolute 100% no in our view – and all the main browsers have password storage facilities and helpful pop ups asking you ‘do you want to store this password for the future?”. Well, would you trust Google Chrome to store anything secret given what their business model actually is? You may well say ok, but we don’t. It’s too easy for someone to shoulder-surf and get access to an open browser session if you leave the screen unattended and therefore your passwords. And if your laptop does get stolen, then the thief has access to everything in your browser extensions if you haven’t encrypted it or locked out the screen as you ought to (see our 60 second guide to basic security on devices).
- Use two-factor authentication everywhere
So important we will say it three times. always, always, always. Probably one of the most important mechanisms available, 2FA, as its name implies, prevents the compromise of a single authentication factor (the password) from compromising the account. The mechanism typically works by requesting the traditional login information, then sending a confirmation to a device, usually a smartphone, such as a text, phone call, or in-app security verification screen.
Ideally, only the authorised person would have the smartphone and could then accept or reject the authentication requests as necessary. More advanced mechanisms can require bio-authentication, such as a fingerprint swipe, which prevents lost or stolen phones from being used to falsely issue confirmations.
Most cloud apps offer 2FA now, with many traditional applications following suit. It’s worth taking a few extra seconds every time you login to know that even if your password is hacked, nobody can access your accounts. Always put 2FA in place wherever it if offered. If an app doesn’t offer it then consider if you really want to use it.
And now for Corporate IT and Administrative user accounts…
Admin accounts have access to your most valuable information assets. So, these need special care and rules. We recommend that passwords are a minimum of 14 characters utilising both upper and lower cases, numerals and special symbols. They do not have to be specifically random as it is more important that they be acceptably strong and easily remembered by users. Suitable, and easy to remember passwords would be something like:
%Speedy^6RaCer7 “speedy racer” This is a good password and easy to remember.
Random-Koala1945! Random years are ok, but avoid birthdates or the current year.
Remember, admin passwords are for restricted users only. The passwords MUST be different to the password the user has on the IT network domain.
- For Administrative users, create accounts prefixed by “admin-“ such as admin-%username% so that the privilege escalation event is logged and tied to a specific user. It is recommended that Domain Administrator accounts have passwords different to the user accounts are changed more regularly (every 30-60 days).
- User Account lockout should be set at 10 attempts, as is sufficiently enough for most people to realise they have forgotten their password and low enough to lock out on any automated attempts to access the account.
- The password expiry should be set as a matter of course based on policy – no more than 12 months is acceptable for standard corporate IT accounts, with a 3-month automated reminder set.
- Administration (admin-%username) passwords should expire every 30-60 days.
- Domain administrator (Administrator) account name should be changed (ie: “Supervisor”, “Global_Admin” etc.) and the password be sufficiently random & complexity of not less than 15 characters.
- H^d882_01v.>/q.q@7Z1!C <- example of suitable password for Administrator
- Domain Administrator password distribution should be closely controlled with a list of persons who have had access. The password must be changed every 12 months at a minimum or immediately when a staff member who had access leaves the organisation.
- Do not use these credentials for system service accounts
- Do not use these credentials on any other system
- If simplified passwords become a requirement, implement only with multi-factor authentication.
- Any accounts not used in 90 days past expiry should be disabled.
- Accounts not used for more than 6 months past disablement should remain disabled and moved to a separate Organisational Unit for ex-staff.
- When staff or contractors cease working for the organisation their accounts should be immediately disabled in moved to an OU for ex-staff.
- DO NOT DELETE old or disabled accounts and corresponding SID, unless it has been determined that account permissions have been completely removed from throughout the environment and the account will never be used again.
- Password history should be set high (≥20). It is not advisable to ever re-use the same password.
Go safely – it’s a hyper connected world!
The Cyber Partners Team.