Password Security Advice for Users and Enterprises
By Victor Garcia
Password management remains a constant nuisance for users, and a security risk for businesses and organizations. There are basic steps the employees of your business can take to protect themselves and improve their password security practices.
This blog offers an entry-level view of current best practices for password security; however, changes to password security policy are coming on the enterprise level. Look for an upcoming white paper from Sword & Shield Enterprise Security Inc. on the latest National Institute of Standards and Technology (NIST) digital identity guidelines.
The human factor
Security breaches can result from employee mistakes or failure to follow policies. With all the credentials for separate accounts that a typical worker must juggle, it can be easy to rely on a handful of easily remembered passwords.
Even IT security professionals can be lax in maintaining proper security hygiene in their personal lives with nearly 30 percent of participants in a survey conducted in February 2017 saying they used “birthdays, addresses, pet names, and children names” for social network passwords.
Passwords based on personal information that can be found on social media sites such as Facebook or LinkedIn or through public records are unsafe. A skilled hacker can research personal information online and use it to make educated guesses about passwords.
In fact, social engineering has become such a threat that NIST has begun advising organizations to stop allowing login applications to store password hints for account holders, especially those related to personal information.
Therefore, do not use anything as a password that can be tied back to your personal life. Here are some examples:
- Personal or family name
- Date of birth
- Names of family members
- Pet names
- Home address
Remember: you could be setting yourself up to be compromised if you use easily guessable personal information in a password. Attackers are methodical, and your personal information is available in public records as well as on social media. Don't give anyone an easy way to compromise your security.
Best practices for password composition
Currently, many companies are not following best practices for password security: typically, password choice is left entirely to the end user. From an IT policy perspective, password security can be improved by controlling what users are allowed to set as their passwords. This makes it harder for attackers to succeed with "brute-force" attacks, in which many candidate passwords or passphrases are tried until the correct one is found; weak, low-complexity passwords are what make such attacks practical.
A strong password includes the following characteristics:
- Upper-case and lower-case letters
- One or more numerical digits
- Special characters such as #, $, %
Passwords should be at least 12 characters long and should not include personal information (license plate numbers included) or common words or number sequences. Candidate passwords should also be rejected if they appear in lists of passwords exposed in previous breaches, since those are the first guesses an attacker will try.
The more characters a password has, the harder it is to guess or to crack by brute force. A randomly chosen 15-character password drawn from upper- and lower-case letters, digits and symbols has roughly 95^15 (about 4.6 × 10^29) possibilities; even at a trillion guesses per second an exhaustive search would take on the order of 10^10 years with current technology. That estimate only holds for passwords that are genuinely random: a 15-character password assembled from dictionary words or personal details falls to a dictionary attack far sooner.
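As an added illustration (this is example code, not code from the original post), here is a small Python password-policy checker that applies the rules above: minimum length, all four character classes, no personal information, not present in a breach list, plus a rough estimate of how long an exhaustive search would take. The personal-information list, the breached-password set and the attacker guess rate are constructed assumptions for the example.

```python
import re
import string

MIN_LENGTH = 12

# Constructed sample data for this example: details an attacker could harvest
# from social media or public records, and a few passwords seen in breach dumps.
PERSONAL_INFO = ["victor", "garcia", "1985", "rex", "elm street", "abc123"]
BREACHED = {"password1", "qwerty123", "Summer2017!", "letmein"}


def composition_classes(pw):
    """Return the set of character classes present in the password."""
    classes = set()
    for c in pw:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        elif c in string.punctuation:
            classes.add("symbol")
    return classes


def charset_size(pw):
    """Size of the alphabet an attacker must search, given the classes used."""
    sizes = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(string.punctuation)}
    return sum(sizes[c] for c in composition_classes(pw))


def _normalize(s):
    # Strip spaces and punctuation so "Elm-Street" still matches "elm street".
    return re.sub(r"[^a-z0-9]", "", s.lower())


def contains_personal_info(pw, personal_info):
    """Return the first personal detail found inside the password, else None."""
    norm = _normalize(pw)
    for item in personal_info:
        n = _normalize(item)
        if len(n) >= 3 and n in norm:
            return item
    return None


def check_password(pw, personal_info=PERSONAL_INFO, breached=BREACHED):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = {"lower", "upper", "digit", "symbol"} - composition_classes(pw)
    if missing:
        problems.append("missing " + ", ".join(sorted(missing)))
    hit = contains_personal_info(pw, personal_info)
    if hit:
        problems.append(f"contains personal information ({hit!r})")
    if pw.lower() in {b.lower() for b in breached}:
        problems.append("appears in a breach list")
    return problems


def years_to_exhaust(pw, guesses_per_second=1e12):
    """Years to try every password of this length and alphabet at an assumed rate.

    This is an upper bound that only applies to randomly chosen passwords; a
    dictionary attack finds word-based passwords long before the space is exhausted.
    """
    keyspace = charset_size(pw) ** len(pw)
    return keyspace / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for candidate in ["Rex1985!Elm", "correct-Horse7Battery", "Summer2017!"]:
        print(candidate, check_password(candidate) or "OK",
              f"{years_to_exhaust(candidate):.2e} years to exhaust")
```

The keyspace figure is deliberately reported alongside the policy result: a password can be long enough to have an enormous keyspace and still fail because it is built from the user's own name or a breached string.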
If you have more than one account to manage, do not store your passwords and credentials in a text file saved on your computer, especially one with a tell-tale name such as "passwords".
There are software applications that make it easier for individuals to manage their passwords securely. A password manager is essentially a centralized, encrypted database of all your credentials that can be opened only with a single master password: the vault is encrypted with a key derived from that master password, so only you can read it.
By using a password manager, you can generate secure passwords for multiple accounts without having to remember each individually.
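To make the two pieces of the previous paragraphs concrete, here is an added Python example (not code from the original post or from any particular password manager) that generates random passwords meeting the composition rules and derives a vault key from a master password with PBKDF2-HMAC-SHA256, storing only a salt and a verifier. The iteration count, the verifier label and the helper names are assumptions for the example; encrypting the individual entries would use an authenticated cipher from a library such as cryptography, which is outside the standard library and therefore not shown.

```python
import hashlib
import hmac
import os
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation
PBKDF2_ITERATIONS = 600_000  # assumed work factor (OWASP's 2023 figure for PBKDF2-HMAC-SHA256)
VERIFIER_LABEL = b"vault-key-check"  # assumed constant used only to confirm the master password


def generate_password(length=20):
    """Generate a random password containing all four character classes.

    Uses the secrets module (CSPRNG), and rejection sampling so that the result
    stays uniformly distributed over qualifying passwords.
    """
    if length < 4:
        raise ValueError("length must be at least 4 to hold every class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw)):
            return pw


def derive_vault_key(master_password, salt, iterations=PBKDF2_ITERATIONS):
    """Stretch the master password into a 256-bit key; slow on purpose."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt,
                               iterations, dklen=32)


def create_vault_header(master_password):
    """Create what a vault stores on disk: a random salt, the work factor and a verifier.

    The verifier lets the manager reject a wrong master password without storing
    the key or the password itself.
    """
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt)
    verifier = hmac.new(key, VERIFIER_LABEL, hashlib.sha256).digest()
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "verifier": verifier}


def unlock_vault(master_password, header):
    """Return the vault key if the master password is right, otherwise None."""
    key = derive_vault_key(master_password, header["salt"], header["iterations"])
    expected = hmac.new(key, VERIFIER_LABEL, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many verifier bytes matched.
    if not hmac.compare_digest(expected, header["verifier"]):
        return None
    return key


if __name__ == "__main__":
    print("generated:", generate_password())
    header = create_vault_header("a long master passphrase nobody else knows")
    print("unlocked:", unlock_vault("a long master passphrase nobody else knows", header) is not None)
    print("wrong password unlocked:", unlock_vault("letmein", header) is not None)
```

The design point is that nothing in the header reveals the master password: an attacker who steals the vault file still has to run the slow derivation for every guess, which is exactly why the master password should be the one long passphrase you do memorize.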
Using best practices for password composition does not deter an increasingly common security threat: phishing. NIST defines phishing as: "A digital form of social engineering that uses authentic-looking -- but bogus -- emails to request information from users or direct them to a fake Web site that requests information." It doesn't matter how long and complicated a password is if your employee falls for a fraudulent email from a supposedly trusted source and hands over their credentials and login information to a bad actor.
The best defense against phishing and other social engineering attacks is consistent employee awareness training.
To increase their chances of cracking a password, attackers run automated brute-force attacks that try millions of words, phrases and variations drawn from online dictionaries or from dumps of compromised passwords leaked in previous data breaches.
Corporate IT departments can harden company systems against brute-force attacks with two straightforward steps. First and foremost, tighten your password requirements as described above. Second, limit the number of failed login attempts: after a small number of consecutive failures (three is a common choice), lock the account. Make the lockout temporary (for example, 15 minutes) rather than permanent, and log every lockout, because a permanent lockout lets an attacker deny service to any account simply by entering wrong passwords for it.
Limiting login attempts makes online guessing against a corporate account impractical. Combined with strong, complex passwords enforced on the end user, the chance of a password being guessed or cracked becomes remote, making your enterprise environment more secure.
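Here is an added Python example (not code from the original post) of the attempt-limiting step: a per-account throttle that denies further login attempts after three consecutive failures, releases the lock after a timeout, and refuses to evaluate the password at all while an account is locked so that a correct guess during the lockout window leaks nothing. The thresholds and the injectable clock are assumptions for the example.

```python
import time

MAX_FAILURES = 3            # assumed threshold, matching the text's recommendation
LOCKOUT_SECONDS = 15 * 60   # assumed temporary lockout; permanent lockouts invite denial of service


class LoginThrottle:
    """Track failed logins per account and lock the account after too many.

    `clock` is injected so the behaviour can be tested without waiting.
    """

    def __init__(self, max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS,
                 clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.failures = {}      # username -> consecutive failure count
        self.locked_until = {}  # username -> unix time at which the lock expires

    def is_locked(self, user):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout expired: clear the counter and let the user try again.
            del self.locked_until[user]
            self.failures.pop(user, None)
            return False
        return True

    def attempt(self, user, verify):
        """Process one login attempt.

        `verify` is a zero-argument callable that checks the submitted password.
        It is not called while the account is locked, so the response is
        identical whether or not the attacker's guess was correct.
        Returns "ok", "denied" or "locked".
        """
        if self.is_locked(user):
            return "locked"
        if verify():
            self.failures.pop(user, None)
            return "ok"
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= self.max_failures:
            self.locked_until[user] = self.clock() + self.lockout_seconds
            return "locked"
        return "denied"


if __name__ == "__main__":
    throttle = LoginThrottle()
    for guess in ["password1", "qwerty123", "letmein", "the-real-password"]:
        print(guess, "->", throttle.attempt("alice", lambda g=guess: g == "the-real-password"))
```

A per-account counter alone is not enough against an attacker who spreads a few guesses across many accounts ("password spraying"); pair it with throttling by source address and with the breach-list check on the passwords themselves.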
In addition to a strong password, we also highly recommend two-factor or multi-factor authentication. In this approach, authentication requires not only credentials such as a username and password but also something only the user physically possesses (a smartphone running an authenticator app or receiving a text message, or a hardware token) or something the user is (a biometric such as a fingerprint). This provides an additional layer of security: with two-factor authentication in place, the chances of an adversary compromising an account are lowered because a username and password alone will not grant access to the targeted account. Note that NIST's digital identity guidelines classify one-time codes delivered by SMS as a restricted authenticator because phone numbers can be hijacked; an authenticator app or hardware token is the stronger choice.
Victor Garcia is a security analyst for Sword & Shield Enterprise Security. His primary role consists of conducting network vulnerability assessments, penetration tests, and web application assessments; he also performs firewall configuration audits, wireless assessments, and social engineering engagements.
He has more than 7 years of experience in the technical field in roles such as help desk, network and system administration, auditing, and information security.
Sword & Shield specializes in security, risk and compliance assessment, managed security services, enterprise security consulting, security incident response and forensics, and technical solutions.