Welcome back to our Security 101 series. We talk time and time again about making 2016 the year of multi-factor authentication. It’s really one of the best things you can do to help secure user logons. But, since it will require change and budget and we all know those are two things the company hates, let’s talk about passwords and what makes the difference between good ones and bad ones.
Good passwords don’t exist in dictionaries (of any language.) Passwords should appear random or at least not easily mapped to a common word, proper name, or anything else that might exist on a list used by dictionary attacks. “P@ssw0rd” may map to most organizations’ password requirements, as it includes all four types of character (upper and lower case letters, numbers, and punctuation) and is at least eight characters long, but it appears on practically every brute force tool’s dictionary list too. Simple substitutions like swapping in numbers or punctuation for letters can help make a password more complex, but you have to balance that with what is common. Purely random strings are more complex and difficult to brute force, but of course they are also more likely to be written down. You should also not include anything that indicates the system for which the password is set, so don’t use the word money in your password for your bank. Without running passwords through a checker, the best way to prevent dictionary words is to require complexity in the password policy. See below for more details on that.
Longer is better. That’s pretty straight forward. The longer the password minimums, the greater the number of possible combinations of characters an attacker must cycle through to find a match. If you use only letters in a non-case sensitive password, an 8-character password has 2 billion possible combinations and would take the most powerful super computer or distributed attackers less than four minutes to crack. A single modern machine might need 35 minutes to do the same. But if you made that same password, with only 26 possible characters to choose from, 15 characters long, you would have 1.6 sextillion possible combinations. A supercomputer would need 53K years to crack that, and a single computer would need almost half a million years to do the same. The password policy should set a minimum based on what meets the security needs of your organization and the sensitivity of the data, without being too onerous to users. 12 characters is a good compromise for most needs. One tip from Edward Snowden himself? Think of passphrases rather than passwords.
But of course, passwords are case sensitive, and there are far more characters available on a standard QWERTY keyboard than just letters. If you include upper case and lower case letters, numbers, and punctuation, there are 96 possible characters on a keyboard that can be entered just using a standard key with or without SHIFT. Using repeated characters compromises complexity, so don’t use the same character or even consecutive characters in a password. Passwords should use at least three of the four possible character sets, and the password policy should enforce that.
Passwords should be changed with some regularity and frequency. 30 to 60 days is a pretty good range for most needs, but if you are in a higher security setting, you may want to force changes even more frequently. For customers, you need to find a good balance between security and usability. A customer who shops with you once every couple of months and has to change their password every time may soon decide to shop elsewhere. You may want to enforce once a year for them, or at least suggest that they change their password but not require it.
Passwords need to be unique, both on the system they are set within, and across systems. You should not use the same password on more than one system, application, or social network, and you should not use the same password on the same system when prompted to change it. The password policy should require a new password with the change interval and remember at least the previous ten to ensure users are not cycling through the same password again and again.
Passwords must never be shared, ever. Administrators and support personnel must understand that there is never a situation where they should ask a user for their password, and end users must be trained that they should never give out their password to anyone, ever. They should also ensure that they never write passwords down.
Of course, a long and complex password that must be changed regularly and cannot be used on more than one system begs to be forgotten, or worse, written down, so ensuring users can remember passwords will help minimize that. Teach them to use passphrases that might mean something to them that makes it easier to remember, but won’t be readily guessable by someone who has access to their social networking information. For example, if you have an account at Amazon, think about something you only get there, or the first thing you ever got there, and use that as the basis for your password. I always buy my coffee there, so I create a password based on that-“IBuyc0ffeeHere.” Not including the quotes, that is a password that includes all four possible character types, is 15 characters long, and memorable. Of course, now that I shared that with you, I have to change it!
While using multi-factor authentication is the better way to go, when you just don’t have that option, creating, using, and enforcing good password practices can help with security. Use the guidelines above to help create a good password policy in your network, and to teach your users good password practices.