People and Passwords
John Alves
Security Architect | GIAC x6 | MCT | SANS TA | MSFT x8 | The Lowdown Lab | Driving innovation and adoption of cloud security.
In today's world, the Internet is a vast place filled with websites, services, and other content. Most content along with computers and other technology requires a password. The number of passwords a person has to know continues to grow. While it’s safe to say we use passwords to keep your accounts confidential, they can also be very frustrating and inconvenient to create and remember. The outcome is the use of simple, common passwords, same password on different accounts, and habits such as writing passwords.
Weak passwords are common
For example, reports from Techspot.com, Fortune.com, and USAToday.com show, that in 2017, passwords like 123456 and football were two of the top ten most used passwords. Why are such passwords still being used? They are easy to remember. People will often add weak passwords into simple variations where the alpha and number (numeric) strings combined with special characters. For instance, Football and 123456 become Football123456!, a memorable yet easily guessed password.
Current practices require complex passwords
Various companies have released their own best practices. Symantec’s how-to article, for instance, states a secure password is at least eight characters in length, has an uppercase, lowercase, and a number. Take [Football] for example. You can replace the “o” for a “0” and “a” for “@” resulting in F00tb@ll. Here, the updated password meets most policies enforced by many web applications such as Google and Outlook. It has an uppercase (F), a lowercase (tball), a number (00), a special character (@), and meets a minimum length of eight characters. Microsoft, however, takes this a step further in some of their guidelines. They state it must not be in the dictionary or incorporate the name of a person or computer. Guidelines such as those in place, demand a complex password. For example, W#T24.ro5*&F is complex yet painful to memorize.
There is a problem with difficult passwords
People, out of convenience and frustration, will try to circumvent password policies the mentioned. This becomes more prevalent as the policies get stricter. It is hard enough to remember a password like W#T24.ro5*&F. By the time you’ve memorized it, the time has come to change it and you can’t repeat the last 8 passwords. So what do people do? They add or change one or two characters (i.e. W#T24.ro5*&F turns into W#T24.ro5*&F1 or W#T24.ro5*&F123 and F00tb@ll turns into F00tb@ll123 or F00tb@ll321). While password expiration policies are arguably a best practice, they are not common outside an enterprise environment. Many websites, such as banks, do not require you to change your password regularly and those that do, might not have a decent policy on repeating passwords. This leads to the same or similar passwords used across accounts.
The same password for different accounts is dangerous
Research by LastPass states 59% of people use the same password and 47% apply the same even for work. Notably, the reuse of passwords stems from frustration and convenience. Sure, it's easier to remember one password for everything or variations of the base password, but not advised. To clarify, if an account gets compromised, it puts your other accounts at risk.
Using Passphrases is better
We have a hard time remembering many passwords and more so when they have to change often. Similar to starting a different job and learning coworkers' names. Then you find out 60 days later that everybody is being replaced and you now need to remember a different collection of names. It's difficult. For starters, use a passphrase that includes numbers. A passphrase is a password in usage but is longer for added security. For example, 2Cats3DogsRunFar is an easy to remember passphrase. It is a 16-character alpha-numerical password. Why add a number, aren't four or five words enough? No, because modern toolkits can crack a passphrase with four to five words. Adding a number (not just at the beginning or end), or even a space will strengthen the password while keeping it easy to memorize. NIST 800-63-3 supports the use of passphrases. Encourages users to make memorized secrets as lengthy as they want, using any characters they like (including spaces), thus aiding memorization.
What about password managers?
At the same time, we cannot use this passphrase for other accounts. Instead, use a password manager which will accommodate for having a different password for each account. A password manager is a tool or service that will store your passwords for later use. An example of a common password manager is your browser. I will point out it is not recommended to use your browser's password manager. Some password managers offer free or inexpensive versions. LastPass and RoboForms to name a couple; EverKey, Keeper, and DashLane are pay-to-use.
Be responsible with your passwords
All things considered, having the best passwords does not mean you are 100% immune. Password hashes are stored and anything stored can be stolen. Strong passphrases make it more difficult for a malicious actor. You can use password managers to store passwords but this itself can be risky. For example, browser password managers do not require multi-factor authentication. Remember not use words or dates that can be guessed via social engineering. If a website such as a bank, offers mutli-factor authentication then enable it. Overall, passwords can be a nuisance but dealing with compromised accounts can be much worse.
About the Author: John Alves
John is a Sr. Network Engineer and Lead Security Analyst for a National Retail company. As a cybersecurity enthusiast, he recently started CyberLowdown.com (site under construction as of this article) to share both his personal and career experience and growth in the cybersecurity space.
Follow on:
Contact:
Security Architect | GIAC x6 | MCT | SANS TA | MSFT x8 | The Lowdown Lab | Driving innovation and adoption of cloud security.
6 年It’s harder to implement for smaller growing business that don’t have a proper domain set ups but great to have. I have had to go through that.
Security Architect | GIAC x6 | MCT | SANS TA | MSFT x8 | The Lowdown Lab | Driving innovation and adoption of cloud security.
6 年I have used Okta and liked what I saw. Now Okta SSO reminds me of an App server. You log in through the portal and click on the app/ service you want to access.
Senior National Field Account Executive @ MicroAge | Advisor | Director | Cloud, Collaboration, Security, Data Center, IRONMAN
6 年Good article! What is your take on single sign on solutions?