Passwords have become a common topic in the news, with breaches at Twitter, Yahoo, and even Facebook highlighting their risks. If your password is stolen, someone with malicious intent can rob your bank account blind or create extreme havoc on your social media pages, especially if you are in the public eye. As humans, we create passwords we can remember: combinations of birthdays, loved ones' names, or even pets' names. We use them to protect our bank accounts, social media sites, mail, and even our taxes.
The problem with passwords is that we need so many of them, potentially one for every resource just mentioned.
To simplify our lives, we re-use them, and unfortunately we re-use them everywhere. This means that if your password is compromised in one location, attackers can potentially re-use it in every other place where you have cloned it. That brings us full circle to the malicious intent that can be exploited if only one place leaks a reused password.
Basic rules everyone should follow.
To combat this problem, we need to establish some rules of engagement for passwords and ensure their strength is sufficient. First, here are some basic rules everyone should follow:
- Never re-use the same password between work and home
- Never re-use the same password for financial institutions and social media
- Never re-use the same password for an administrator account at work as your standard logon
- Never tell anyone your password. If you must share it, change it as soon as the other person is done using it.
- Change your passwords frequently.
To that end, the passwords themselves need to be strong. A strong password has several key attributes that make it more difficult to crack with traditional techniques, including:
- Brute force – testing a password over and over again with combinations of characters (numbers, letters, and symbols) until one matches. This is why the length and the range of character types included are so important: together they determine the number of possible combinations, and therefore how much work an attacker has to do.
- Dictionaries – testing the password against words in a dictionary, commonly used passwords like “Passw0rd”, or default passwords that manufacturers provide like “Cisco”.
- Social engineering – testing passwords derived from known attributes of the user, such as their birthday, anniversary, or even a child’s name.
And once you finally select a password, its strength needs to meet these parameters:
- Length of the password – preferably over 12 characters
- Complexity of the password – must contain letters (upper and lower case), numbers, and symbols, with a minimum number of each
- Contain no repetitive characters
- Contain no human-readable words, names, dates, or other recognizable context
- Should not be a password you have used previously
- Should not contain keyboard sequences like ‘qwerty’ or ‘zxcvb’
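As an added example that is not part of the original article, the following Python function checks a candidate password against the attributes listed above (length over 12, all four character classes, no repeated runs, no keyboard sequences, no dictionary words) and estimates the brute-force search space that the length and character set imply. The per-class minimum, the run length counted as repetitive, the keyboard rows, the substitution table and the tiny word list are assumptions chosen for this example; a real deployment would check against a breached-password list rather than a handful of inline words.

```python
import math
import re
import string

# Policy values from the article: length over 12, every character class present.
# MIN_PER_CLASS, MAX_REPEAT, the keyboard rows and the word list are assumptions
# made for this example.
MIN_LENGTH = 13          # "preferably over 12 characters"
MIN_PER_CLASS = 1
MAX_REPEAT = 2           # three identical characters in a row count as repetitive

# Constructed stand-in for a real dictionary / breached-password list.
DICTIONARY_WORDS = {"password", "cisco", "admin", "welcome", "letmein"}

# Keyboard rows; any 4-character slice, forward or reverse, is a keyboard sequence.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
SEQUENCE_LEN = 4

def _keyboard_sequences():
    seqs = set()
    for row in KEYBOARD_ROWS:
        for s in (row, row[::-1]):
            for i in range(len(s) - SEQUENCE_LEN + 1):
                seqs.add(s[i:i + SEQUENCE_LEN])
    return seqs

KEYBOARD_SEQUENCES = _keyboard_sequences()

# Common "leet" substitutions undone before the dictionary check (Passw0rd -> password).
LEET = str.maketrans("0134$@!", "oleasai")

def check_password(pw):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"length {len(pw)} is below {MIN_LENGTH}")

    classes = {
        "lowercase": sum(c in string.ascii_lowercase for c in pw),
        "uppercase": sum(c in string.ascii_uppercase for c in pw),
        "digit": sum(c in string.digits for c in pw),
        "symbol": sum(c in string.punctuation for c in pw),
    }
    for name, count in classes.items():
        if count < MIN_PER_CLASS:
            problems.append(f"needs at least {MIN_PER_CLASS} {name} character(s)")

    # (.)\1{2,} matches any character followed by itself at least twice more.
    if re.search(r"(.)\1{%d,}" % MAX_REPEAT, pw):
        problems.append("contains a run of repeated characters")

    low = pw.lower()
    for i in range(len(low) - SEQUENCE_LEN + 1):
        if low[i:i + SEQUENCE_LEN] in KEYBOARD_SEQUENCES:
            problems.append(f"contains keyboard sequence '{low[i:i + SEQUENCE_LEN]}'")
            break

    normalized = low.translate(LEET)
    for word in DICTIONARY_WORDS:
        if word in normalized:
            problems.append(f"contains dictionary word '{word}'")
            break
    return problems

def search_space_bits(pw):
    """log2 of the brute-force search space implied by the length and classes used.

    This is an upper bound on the work an attacker faces: dictionary and
    social-engineering attacks sidestep it entirely, which is why the other
    checks above matter as much as length."""
    alphabet = 0
    if any(c in string.ascii_lowercase for c in pw):
        alphabet += 26
    if any(c in string.ascii_uppercase for c in pw):
        alphabet += 26
    if any(c in string.digits for c in pw):
        alphabet += 10
    if any(c in string.punctuation for c in pw):
        alphabet += len(string.punctuation)  # 32 printable ASCII symbols
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

if __name__ == "__main__":
    for candidate in ("Passw0rd", "qwerty123456!A", "Tq7#mVx2!pLw9Rz"):
        print(candidate, check_password(candidate), round(search_space_bits(candidate), 1))
```

Note that the search-space estimate rises with length and character variety exactly as the brute-force bullet describes, while the dictionary and keyboard checks catch passwords such as "Passw0rd" that look complex but sit in every cracking wordlist.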
Solutions for personal and business use.
With these in mind, it is very difficult for a person to remember passwords that have no rhyme or reason to their creation, especially all the ones they need to create to meet every single one of these rules. Personal password managers help with this by creating random passwords that are nearly unreadable to humans and securing them behind the one password the user needs to remember: something obscure and used only for the password manager itself.
For individuals, using a secure personal password manager to remember your passwords and create new randomized ones solves this problem. No two passwords are alike, they are securely locked up in the cloud, and all you need to remember is your primary keychain password to access them. For businesses, the use of an enterprise password management solution for password tracking, release, randomization, and workflow solves this problem as well. Policies enforce all the parameters above, and the passwords are always randomized and changed like clockwork.
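As an added example, not code from the article or from any password manager product, this Python generator shows the kind of randomized password a manager produces: it draws from the operating system's cryptographic random source (Python's secrets module) rather than a seeded pseudo-random generator, guarantees a minimum from each character class, and rejects outputs in which two identical characters sit next to each other. The length of 16, the per-class minimum of two and the restricted symbol set are assumptions made for this example.

```python
import secrets
import string

# Assumed generation policy for this example: 16 characters, at least two from
# each class, no character adjacent to an identical one.
LENGTH = 16
MIN_PER_CLASS = 2
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-=?@^_~",   # restricted symbol set, assumed for copy/paste friendliness
}
ALL_CHARS = "".join(CLASSES.values())

def generate_password(length=LENGTH, min_per_class=MIN_PER_CLASS):
    """Return a random password meeting the per-class minimums with no adjacent repeats."""
    if length < min_per_class * len(CLASSES):
        raise ValueError("length too short to satisfy the per-class minimums")
    while True:
        # Draw the guaranteed characters for every class first...
        chars = [secrets.choice(alphabet)
                 for alphabet in CLASSES.values()
                 for _ in range(min_per_class)]
        # ...then fill the remaining positions from the full alphabet.
        chars += [secrets.choice(ALL_CHARS) for _ in range(length - len(chars))]
        # Fisher-Yates shuffle driven by the CSPRNG, so the class-guaranteed
        # characters are not clustered at the front of the password.
        for i in range(len(chars) - 1, 0, -1):
            j = secrets.randbelow(i + 1)
            chars[i], chars[j] = chars[j], chars[i]
        pw = "".join(chars)
        # Rejection sampling: start over if any two neighbours are identical.
        if all(a != b for a, b in zip(pw, pw[1:])):
            return pw

def class_counts(pw):
    """How many characters of each class a password contains (for verification)."""
    return {name: sum(c in alphabet for c in pw) for name, alphabet in CLASSES.items()}

if __name__ == "__main__":
    pw = generate_password()
    print(pw, class_counts(pw))
```

Rejection sampling keeps the output distribution unbiased within the allowed set: rather than patching a bad draw (which would skew which passwords are more likely), the generator simply discards it and tries again, which costs nothing noticeable at this length.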
Take my advice, folks, and don’t be the next victim.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud-based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as part of the eEye Digital Security acquisition, where he had served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.