Password Security: Useful Advice

Many hackers enter computer systems simply by guessing passwords, and with the top passwords of 2012, 2013 and 2014 being password, 123456 and 12345678, we’re not exactly making things difficult for them! (Of the 40 million Adobe account passwords leaked online, 2 million were 123456.)

Increases in computer processing power make cracking your password that much easier and faster.

As they say, the best password is one that you can’t remember. Using that approach, you should look at using a password manager, such as LastPass, Roboform or KeePass.

However, even the best and strongest passwords can eventually be defeated mathematically given enough time and computer processing power. Whilst the use of strong passwords acts as a firm deterrent against password guessing attacks, and buys additional time against other attacks, where possible you’ll want to look at using two-factor authentication: that is, something you know (a password) and something you have (e.g. a mobile phone).

When you log in to a site that supports two-factor authentication (such as a bank), you’ll enter your password and a one-time code generated via either a text message or an app on your phone. As codes are generally refreshed every minute, even if a hacker had obtained your password, they wouldn’t have your one-time code.

Have I Been Pwned?

It seems that with every day that passes, some organisation has had its customer database hacked and the details posted online for everyone to see.

The site HaveIBeenPwned.com (created by security expert Troy Hunt) allows you to check whether your account information has been leaked online from one of many hacker attacks.

You’ll then have a good idea of where you need to update your account passwords.
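The site's password check is built on a k-anonymity model: the browser hashes the password with SHA-1 and sends only the first five hex characters of the hash to https://api.pwnedpasswords.com/range/{prefix}; the service returns every hash suffix that begins with that prefix, each with a breach count, and the comparison happens locally, so the password (and its full hash) never leaves your machine. The following is an added example that implements the client side of that check in Python. It is not Troy Hunt's code or the site's own; it uses a constructed response table (`SAMPLE_RANGE_RESPONSES`) so it runs offline, and the only real hash in that table is the one for the word `password` (its count and the other two entries are made up).

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"

# Constructed stand-in for what the range endpoint returns for prefix 5BAA6.
# The middle entry is the genuine SHA-1 suffix of the word "password"; the
# counts and the other two suffixes are invented for this example.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "003D68EB55068C33ACE09247EE4C639306B:3",
    ]),
}


def hash_prefix_and_suffix(password):
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(prefix):
    """URL queried for a given 5-character prefix."""
    return HIBP_RANGE_URL.format(prefix=prefix)


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines into a {SUFFIX: count} dict."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """Number of times `password` appears in the breach corpus (0 if none).
    `fetch_range` maps a prefix to the raw response text, so the network
    layer can be swapped for the offline table below."""
    prefix, suffix = hash_prefix_and_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix):
    """Offline fetcher backed by the constructed table (used in tests)."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


def live_fetch(prefix):
    """Real fetcher: a GET with only the prefix in the URL (not used offline)."""
    req = urllib.request.Request(range_url(prefix),
                                 headers={"User-Agent": "password-advice-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for candidate in ("password", "hiking in the Brecon Beacons 1998"):
        n = breach_count(candidate, offline_fetch)
        print(f"{candidate!r}: seen {n} time(s) in the sample data")
```

A password that comes back with a non-zero count has already been seen in a breach and should be treated as compromised regardless of how strong it looks; that is the signal to change it, and to change it everywhere it was reused.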


When not to… Reduce, Reuse, Recycle

Recycling.  We all know it’s a good thing.  Except when it comes to password security.

One thing recent hacker attacks have shown us is that it’s common for people to use the same password, or only slight variations of it, for many websites. Once one website has been hit, the password for that account is almost certainly the same as the password for the same person’s accounts elsewhere.

Always use different passwords for every site, not just variations of the same password (e.g. Password1 for Facebook, Password2 for Twitter…). This will ensure that if and when a website gets hacked, only that one site’s password is compromised.


Think Passphrase, not Password:

A common complaint I get in the corporate world from end users is that complex passwords are difficult to remember (obviously use a password manager where possible, but this isn’t an option when logging on to a corporate network).

Rather than remembering a complex password, it is easier to remember a sentence or several whole words (end users faced with complex passwords tend to write them on post-it notes stuck to their laptops).

Combine words such as an activity you enjoyed as a child followed by the place that you performed the activity.

Beef the password up a little with caps, numbers and symbols.

e.g. footballexeter might become F00tb@113x3t3r

However, it is no longer acceptable to simply just replace letters with symbols.

Hackers are fully aware of our password habits and have factored these simple letter substitutions into their password cracking algorithms.

For example, replacing the letter:

  • “a” with “@”
  • “o” with “0”
  • “i” with “1”
  • “s” with “$”

Likewise, always starting with a capital letter and ending with a number has become common and has been factored into hacking algorithms. In this case:

F00tb@113x3t3r might well become 1fO0tB@1lEX3T3rZ

Have a look at the popular password strength analysis site HowSecureIsMyPassword? This will give you an indication of how long it would take to crack your password (remember, that’s an indication, not a guarantee, and it is based on the cracking ability of a common desktop computer, not that of a hacker’s server farm).

Microsoft Research has a portal, Telepathwords, that will try to predict your password based on the last letter you typed.

Remember:

  • 61% of consumers reuse passwords between sites.
  • 76% of network intrusions exploit weak or stolen credentials.
  • 66% of consumers never change their password.


Summary:

DO’S

  • DO use a password with mixed-case letters. Do not just capitalize the first letter, but add UPPERCASE letters throughout the password.
  • DO use a password that contains alphanumeric characters and includes punctuation and symbols (where supported by the website or operating system).
  • DO consider using a sentence for your password.
  • DO aim to use at least fourteen characters in your password. Aim for twenty to thirty characters if you can.
  • DO use a seemingly random selection of letters and numbers.
  • DO use a password that can be typed quickly, without having to look at the keyboard. This makes it harder for someone to steal your password by looking at your keyboard (also known as “shoulder surfing”).
  • DO change passwords regularly (more than once a year). This change stops someone who has already compromised an account from continued access.
  • DO use a secure password manager such as LastPass, Roboform or KeePass.
  • DO use two-factor authentication wherever possible.
  • DO be aware of phishing emails. Be vigilant! Inform your bank or IT department immediately.
  • DO be aware of social engineering attacks on social networks – scams designed to obtain logon credentials, or to inject malicious code into your browser.

DON’TS

  • DON’T use single dictionary words. These are easily broken using basic dictionary attacks.
  • DON’T use keyboard sequences, e.g. qwerty, abcd or 1234.
  • DON’T reveal a password to anyone. Not even your mother.
  • DON’T use your first, middle or last name, or anyone else’s, in any form. Do not use your initials or any nicknames you may have.
  • DON’T use a network login ID in any form (reversed, capitalized, or doubled) as a password.
  • DON’T write a password on sticky notes, desk blotters, or calendars.
  • DON’T reuse passwords across multiple websites and web services.
  • DON’T simply add a capital letter to the start of a password and end it with a number. These passwords are easily broken.
  • DON’T only use words found in common films or music, or the popular names of hobbies.
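The passphrase section above explains why letter-for-symbol substitutions and the capital-first, digit-last pattern no longer add real strength, and the DO/DON’T lists turn that into rules (minimum length, no dictionary words, no keyboard sequences). The following added example, written for this page and not taken from the original post or any product, shows how a password-policy check on the defending side can apply those rules together: it undoes the common substitutions (`@`→a, `0`→o, `1`→i or l, `$`→s, `3`→e and a few equally common ones) before looking for dictionary words, so the article's F00tb@113x3t3r is recognised as footballexeter. The word list and keyboard sequences are tiny, constructed samples; a real deployment would load a full dictionary.

```python
import itertools
import re

# Reverse map of the substitutions discussed above (plus a few equally common
# ones); "1" and "!" are ambiguous, so they expand to both candidate letters.
LEET_REVERSE = {
    "@": ["a"], "4": ["a"],
    "0": ["o"],
    "1": ["i", "l"], "!": ["i", "l"],
    "$": ["s"], "5": ["s"],
    "3": ["e"],
    "7": ["t"],
}

# Constructed mini dictionary and keyboard sequences for the example only.
DICTIONARY = {"football", "exeter", "password", "welcome", "summer", "monkey"}
KEYBOARD_SEQUENCES = ("qwerty", "asdfgh", "abcd", "1234", "zxcv")

MIN_LENGTH = 14       # the article's minimum recommendation
MAX_CANDIDATES = 256  # cap on substitution expansions for very long inputs


def de_leet(password):
    """All plain-letter spellings (lower-cased) the password could have been
    derived from by the substitutions in LEET_REVERSE."""
    options = [LEET_REVERSE.get(ch, [ch]) for ch in password.lower()]
    expansions = itertools.islice(itertools.product(*options), MAX_CANDIDATES)
    return {"".join(combo) for combo in expansions}


def dictionary_words_in(password, min_len=4):
    """Sorted list of dictionary words (length >= min_len) hidden in any
    de-leeted spelling of the password."""
    found = set()
    for spelling in de_leet(password):
        for word in DICTIONARY:
            if len(word) >= min_len and word in spelling:
                found.add(word)
    return sorted(found)


def check_password(password):
    """Apply the article's rules; returns a list of findings (empty = passed)."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    # The "Capital at the start, digits at the end, nothing else" pattern.
    if re.fullmatch(r"[A-Z][a-z]+\d+", password):
        findings.append("capital letter at the start and digits at the end only")
    words = dictionary_words_in(password)
    if words:
        findings.append("built from dictionary words: " + ", ".join(words))
    lowered = password.lower()
    for seq in KEYBOARD_SEQUENCES:
        if seq in lowered:
            findings.append(f"contains keyboard sequence {seq!r}")
    return findings


if __name__ == "__main__":
    for candidate in ("Password1", "F00tb@113x3t3r", "1fO0tB@1lEX3T3rZ",
                      "hiking in the Brecon Beacons 1998"):
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```

Running the check on the article's own examples shows the point it makes: F00tb@113x3t3r passes the length rule but is still flagged as football + exeter once the substitutions are reversed, and the longer 1fO0tB@1lEX3T3rZ is flagged for the same reason; a genuinely long multi-word phrase with no dictionary words from the list passes cleanly, which is why length and unpredictability matter more than symbol swaps.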

Probably the best piece of advice for everyone: stay educated, stay informed, and take a look at ESET’s We Live Security site.

Also, head over to Microsoft’s Security Centre, OpenDNS Security Labs and Malwarebytes Unpacked for further info.

Download the handy Password poster for your office wall.

the-server.ninja
