The problem with passwords is that we need so many of them, potentially one for every resource previously mentioned. To simplify our lives we re-use them, and unfortunately we re-use them everywhere. This means that if a password is compromised in one location, attackers can try it in every other place you have used it, and they do: leaked username and password pairs are replayed against other sites automatically. This brings us full circle to the malicious intent that can be exploited when only one place leaks a reused password.

Basic rules everyone should follow

To combat this problem, we need to establish some rules of engagement for passwords and ensure their strength is sufficient. First, here are some basic rules everyone should follow:
- Never re-use the same password between work and home
- Never re-use the same password for financial institutions and social media
- Never use the same password for an administrative account at work that you use for your standard logon
- Never tell anyone your password. If you must share it, change it as soon as the other person is done using it.
- Change your passwords frequently, and immediately whenever you suspect one has been exposed.
Attackers recover passwords in three common ways:
- Brute force – trying combination after combination of characters (numbers, letters, and symbols) until one matches. This is why the length of the password and the range of character types it can contain matter so much: the number of combinations is the size of the character set raised to the power of the length, so every additional character multiplies the work an attacker must do.
- Dictionary – trying words from a dictionary, commonly used passwords like “Passw0rd”, or the default passwords manufacturers ship like “Cisco”.
- Social engineering – guessing a password from what is known about its owner, such as a birthday, an anniversary, or even a child’s name.
A strong password therefore has the following properties:
- Length – preferably more than 12 characters
- Complexity – must contain letters (upper and lower case), numbers, and symbols, with a minimum number of each
- No runs of repeated characters
- No human-readable words, names, dates, or any context recognizable as belonging to the user
- Not a password that has been used before
- No keyboard sequences like ‘qwerty’ or ‘zxcvb’
Solutions for personal and business use

With these in mind, it is very difficult for a person to remember passwords that have no rhyme or reason to their creation, especially one for every account that must meet every single one of these rules. Personal password managers solve this by generating random, essentially non-human-readable passwords and securing them behind the one password the user still has to remember: something obscure, and used only for the password manager itself. For individuals, a reputable personal password manager that stores your passwords and generates new random ones addresses the problem. No two passwords are alike, they are encrypted and locked up in the vault (locally or in the cloud), and all you need to remember is the primary keychain password that unlocks them. For businesses, an enterprise password management solution that handles password storage, check-out and release, randomization, and approval workflow solves the same problem. Policy controls every parameter listed above, and the passwords are always randomized and rotated like clockwork. Take my advice, folks, and don’t be the next victim.
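To make the attack methods, the strength rules, and the password-manager approach above concrete, here is a small Python script, added as an illustration and not code from the original article or from BeyondTrust. It estimates the brute-force search space implied by a password's length and character classes, checks a password against each of the rules in the list (length, character classes, repeated runs, dictionary and vendor-default words after undoing leetspeak, dates, keyboard sequences, and reuse against a history of hashes), and generates a random password from the operating system's CSPRNG that passes every check, which is what a password manager does for you. The constants `MIN_LENGTH`, `COMMON_WORDS`, and `KEYBOARD_ROWS`, the leetspeak table, the "three in a row" reading of "repetitive characters", and the year pattern are my assumptions; a real deployment would load a breach corpus instead of the five constructed words and use the credential store's own slow hash for history.

```python
import hashlib
import math
import re
import secrets
import string

MIN_LENGTH = 12  # assumed policy value, matching the "over 12 characters" rule

# Constructed stand-in for a dictionary / common-password / vendor-default list.
# A real check would load a breach corpus; these entries are for illustration only.
COMMON_WORDS = {"password", "cisco", "admin", "welcome", "letmein"}

# Adjacent keys on a US keyboard; sequences are matched forwards and backwards.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Leetspeak substitutions undone before the dictionary check, so "P@ssw0rd" is caught.
LEET = str.maketrans("0134@$", "oieaas")


def keyspace_bits(pw):
    """log2 of the brute-force search space, assuming the attacker knows which
    character classes were used. Length multiplies the exponent; adding a class
    only enlarges the base, so 17 lower-case letters beat 12 mixed characters."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return len(pw) * math.log2(size) if size else 0.0


def has_keyboard_sequence(pw, run=4):
    """True if any `run` consecutive characters walk along one keyboard row."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def password_fingerprint(pw):
    """Value kept in password history. SHA-256 is used here for brevity; a real
    store would keep the same slow, salted hash as the credential database."""
    return hashlib.sha256(pw.encode()).hexdigest()


def check_password(pw, history=()):
    """Return the list of rules the password breaks (an empty list means it passes)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "lower-case letter": any(c.islower() for c in pw),
        "upper-case letter": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }
    problems += [f"no {name}" for name, present in classes.items() if not present]
    if re.search(r"(.)\1\1", pw):  # assumed reading of "no repetitive characters"
        problems.append("same character repeated three or more times in a row")
    normalized = pw.lower().translate(LEET)
    hits = [w for w in COMMON_WORDS if w in normalized]
    if hits:
        problems.append(f"contains dictionary/default word {sorted(hits)[0]!r}")
    if re.search(r"(19|20)\d\d", pw):  # assumed date pattern: a four-digit year
        problems.append("contains a four-digit year")
    if has_keyboard_sequence(pw):
        problems.append("contains a keyboard sequence")
    if password_fingerprint(pw) in set(history):
        problems.append("reused from password history")
    return problems


def generate_password(length=16):
    """Draw from the OS CSPRNG (secrets, never random) and retry until the
    candidate passes every rule above; a random 16-character string almost
    always passes on the first attempt."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ["Passw0rd", "qwertyuiop12", "Summer2019!!!", "Xk7$mQ2!vR9#bL4w"]:
        print(f"{pw!r}: {keyspace_bits(pw):.1f} bits, problems={check_password(pw)}")
    fresh = generate_password()
    print("generated:", fresh, "problems:", check_password(fresh))
```

The keyspace figure is the attacker's worst case, not a measure of guessability: “Passw0rd” scores about 48 bits on paper yet falls to the dictionary check instantly, which is why the rule checks run in addition to the length and complexity arithmetic rather than instead of it.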
Morey J. Haber, Chief Technology Officer and Chief Information Security Officer at BeyondTrust
Morey J. Haber is Chief Technology Officer and Chief Information Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four Apress books: Privileged Attack Vectors (2 Editions), Asset Attack Vectors, and Identity Attack Vectors. In 2018, Bomgar acquired BeyondTrust and retained the BeyondTrust name. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. Morey currently oversees BeyondTrust strategy for privileged access management and remote access solutions. In 2004, he joined eEye as Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.