How to Take Charge of Your Password Security.

A lack of password security can cause untold damage to the data and systems of companies throughout the world.

Passwords are often related to something specific to the person using or accessing the system, and are set to common words, phrases or patterns so they are not forgotten. Whilst this is helpful to the system user, it is even more helpful to the person trying to steal valuable data.

This blog post sets out some do's and don'ts for creating more secure passwords, so that a would-be cracker looks past you for an easier target. However, remember that no password is 100% secure.

Weak Passwords

Here are a few things you should not do when creating a password. In general, passwords should not be set to names, known words or phrases, and should be at least 8 characters long. Those characters should be a mixture of letters, digits and keyboard symbols such as $.

Additionally, it is bad practice to use common dictionary words and common passwords such as support, user, password, Fred, etc. An attacker can guess these easily, leading to a server or system compromise. It is also bad practice to set a password to the username spelt backwards, for example username admin with password nimda.

It is worth bearing in mind that a brute-force attack is by far the first and most common method crackers use to try to penetrate a system.

Usually, attackers target ordinary user accounts first. Then, using that access to the operating system, they try to escalate their privileges. Once the attacker has cracked the root password, the server or system is theirs to use as they wish. So a good password policy and strong passwords are critical for security on any computer.

What does a poor password look like? Poor passwords have the following characteristics and should be avoided (read: DO NOT USE):

  • “password” as the password.
  • The name of the computer.
  • A well-known name from science, sports or politics.
  • A word found in ANY dictionary.
  • Anything that is part of the user's website.
  • Fewer than 8 characters.
  • Common usage words such as:
    • Names of family, pets, friends, co-workers, fantasy characters, etc.
    • Computer terms and names, commands, sites, companies, hardware, software.
    • Your company's name.
    • Birthdays and other personal information such as addresses and phone numbers.
    • Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
    • Any of the above spelled backwards.

Strong Passwords

Your password is your first line of defence against an attacker, so it is important to make it as secure as you possibly can.

With that in mind, let’s look at the characteristics of strong passwords:

  • They contain both upper and lower case characters (e.g., a-z, A-Z).
  • They consist of digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./).
  • They are at least ten alphanumeric characters.
  • They are not a word in any language, slang, dialect, jargon, etc.
  • They are not based on personal information, names of family, etc.

Remember, you should never write your passwords down or store them online. Try to create passwords that can be easily remembered. One way to do this is to base a password on a song title, affirmation or other phrase, without using the phrase itself. For example, the phrase might be “This May Be One Way To Remember” and the password could be “TmB1w2R!” or “Tmb1W>r~” or some other variation.

NOTE: Do not use either of these examples as passwords!
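As an added example (not code from the original post), here is a small Python policy checker that turns the weak-password list and the strong-password characteristics above into automated checks: minimum length (ten characters, as in the strong list), common and dictionary words forwards and backwards, the username reversed, personal terms, keyboard rows, ascending/descending runs, repeats such as aaabbb, mirrored patterns such as 123321, and a mix of character classes. The word lists are constructed stand-ins for a real dictionary and breached-password feed, and the function and list names are this example's own.

```python
import re

# Constructed stand-ins for a real dictionary and breached-password list;
# a production check would load large word lists from disk instead.
COMMON_PASSWORDS = {"password", "support", "user", "fred", "admin", "letmein"}
DICTIONARY_WORDS = {"summer", "dragon", "monkey", "football", "company"}
KEYBOARD_ROWS = ["qwerty", "asdfgh", "zxcvbn"]


def has_sequence(s, run=3):
    """True if `s` contains `run` consecutive characters that step up or down
    by exactly one code point (e.g. 'abc', '123', 'zyx')."""
    s = s.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_repeat(s, run=3):
    """True if any character is repeated `run` or more times in a row (aaabbb)."""
    return re.search(r"(.)\1{%d,}" % (run - 1), s) is not None


def check_password(password, username="", personal_terms=(), min_length=10):
    """Return a list of policy violations; an empty list means the password
    passes every check in this (deliberately strict) policy."""
    problems = []
    lower = password.lower()
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if lower in COMMON_PASSWORDS:
        problems.append("common password")
    if lower in DICTIONARY_WORDS or lower[::-1] in DICTIONARY_WORDS:
        problems.append("dictionary word, forwards or backwards")
    if username and lower in (username.lower(), username.lower()[::-1]):
        problems.append("equal to username or username reversed")
    for term in personal_terms:
        if term.lower() in lower:
            problems.append("contains personal term '%s'" % term)
    if any(row in lower or row[::-1] in lower for row in KEYBOARD_ROWS):
        problems.append("keyboard pattern")
    if has_sequence(password) or has_repeat(password):
        problems.append("sequential or repeated characters")
    if len(lower) >= 4 and lower == lower[::-1]:
        problems.append("mirrored pattern")
    classes = [re.search(r"[a-z]", password), re.search(r"[A-Z]", password),
               re.search(r"[0-9]", password), re.search(r"[^A-Za-z0-9]", password)]
    if sum(1 for c in classes if c) < 3:
        problems.append("needs at least three of: lower, upper, digit, symbol")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, including the admin/nimda case from the post.
    for pw, user in [("password", "alice"), ("nimda", "admin"),
                     ("123321", "bob"), ("Tmb1W>r~hZ9k", "alice")]:
        print(pw, "->", check_password(pw, user) or "OK")
```

The checker reports every violation rather than stopping at the first, which is what you want when feeding results back to a user or into an audit report; the personal-terms list is where an organisation would plug in the user's name, company name and similar data it already holds.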

Password Protection Standards

Do not use the same password for company accounts as for non-company access such as a personal ISP account. Where possible, don't use the same password for different company systems either; for example, choose one password for the accounts system and a separate one for IT systems.

Do not share company passwords with anyone, including administrative assistants or secretaries. Everyone should treat all passwords as sensitive, confidential company information.

A prime example of poor password protection is the recent Sony Pictures hack. In short, the hackers found documents on Sony's estate including:

  • Over 700 documents containing passwords.
  • Spreadsheets and Word files titled “FTP passwords”, “ResearchPasswords”, “ACCOUNTING PASSWORDS,” and “Personal passwords”.
  • Password protected documents—with their passwords in their names. (PASSWORD PALABRA SECRETA NISSAN.xlsx, PwC 2007 Report_PASSWORD_pwcemc60.pdf).
  • IT audit documents (PASSWORD EQUAL TO USER NAME.xls, ACCOUNTS WITHOUT PASSWORDS.xls).

So, in light of the Sony Pictures hack, here are some things you should not do with your passwords:

  • Don’t reveal a password over the phone to ANYONE, EVER!
  • Don’t reveal a password in an email message.
  • Don’t talk about a password in front of others.
  • Don’t hint at the format of a password (e.g., “my family name”).
  • Don’t reveal a password on questionnaires or security forms.
  • Don’t reveal a password to co-workers.
  • Do not use the “Remember Password” feature of applications (e.g., Outlook, Messenger, etc).
  • Do not write passwords down and store them anywhere in your office. Do not store passwords in a file on ANY computer system (including mobile devices) without encryption.

If someone demands a password, refer them to your head of IT, head of Personnel, or one of your company directors.

Again, do not write passwords down and store them anywhere in your office. Do not store passwords in a file on ANY computer system (including mobile devices) without encryption.

Changing Passwords

You should change passwords at least once every six months, and more frequently if your company policy requires it.

Password creation should be under the control of one or two senior technical members of staff within your organisation. Regular checks should be carried out, and any findings documented and reported to senior managers or directors within the organisation. This ensures that employees are adhering to the minimum standards.

If an attacker has compromised your server or systems because of an insecure password, a clean-up may not always be possible and it may be necessary to completely rebuild the server. This could inconvenience your customers and colleagues. Worse still, it could cost your company credibility and, ultimately, income.

Password Protection

Remembering a secure password is not easy, but there are services that can help. Services such as LastPass use encryption to secure your passwords, and the encryption can be quite complex. Salted one-way hashes are one of the techniques that services like LastPass use to secure your data. Alongside encryption, they also use another layer of security called two-factor authentication.
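To show what a salted one-way hash actually does for stored passwords, here is an added Python example (not LastPass's code, and not from the original post) using PBKDF2-HMAC-SHA256 from the standard library. The record format, function names and iteration count are this example's own choices; the point it demonstrates is that the same password hashed twice with fresh salts produces two different records, so a stolen database does not reveal which users share a password, and that verification recomputes the hash rather than ever decrypting anything.

```python
import base64
import hashlib
import hmac
import os

# Constructed example parameters: tune the iteration count to the hardware
# that performs verification, and raise it over time.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$hash'
    with the salt and digest base64-encoded. A fresh random salt is drawn
    unless one is supplied (supplying one is only useful for tests)."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, record):
    """Recompute the hash from the stored salt and iteration count and compare
    it to the stored digest. Nothing is decrypted: the hash is one-way."""
    algo, iterations, salt_b64, hash_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format: %s" % algo)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # Constant-time comparison so response timing does not leak how many
    # leading bytes of the digest matched.
    return hmac.compare_digest(candidate, expected)


def same_password_different_records(password):
    """Hash one password twice with fresh salts: both records verify, yet the
    records differ, so equal passwords cannot be spotted by comparing them."""
    first = hash_password(password)
    second = hash_password(password)
    return first != second and verify_password(password, first) and verify_password(password, second)


if __name__ == "__main__":
    # Constructed sample credential.
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("wrong", record))
    print("two records differ:", same_password_different_records("hunter2"))
```

Storing the algorithm name and iteration count inside the record is what lets you raise the work factor later: old records still verify with their own parameters, and can be re-hashed with the new ones the next time the user logs in.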

2 Factor Authentication

This is another level of security you can use alongside strong passwords. Two-factor authentication provides unambiguous identification by combining two different components. A good example from everyday life is withdrawing money from a cash machine: you need the correct combination of bank card and PIN. Another example is accessing a service on your phone; in most cases you have to enter a PIN sent to your phone by SMS when you attempt to log in from a new device.

Additions to 2 Factor Authentication

For additional security, alongside 2 factor authentication, some services are adopting the Google Authenticator app. The process is similar to the regular two-factor process, but instead of the site you are visiting generating the authentication PIN, the app generates it for you. The app creates a different six-digit number for each connected site and generates a new number for each site every 30 seconds. So, with this app, you don't have to wait for a text message to arrive with the PIN you need to access the site.

Here's how you can set up the Google Authenticator app.

Summary

The bad news is that simple measures such as those mentioned above are rarely enforced by businesses, which leaves them exposed to even the most basic of hacks.

Take immediate action to create and install a password policy and authentication procedure. You can start simply and enhance as you go along. After you have implemented your policy, set up a process for regular audits and reviews of weaknesses identified.

Remember, a strong password policy is a vital component in your data security policy.

Call a Reconnix consultant on 08454210444  to see how we can help.


What would you add to the suggestions above? Do you disagree with any of the strategies we have suggested? Let us know, leave a comment below!