Passwords – Hate Them or Love Them, You’re Stuck with Them
Passwords are the bane of every business and IT department. Employees hate them and do their best to circumvent best practices.
IT personnel can’t comprehend why employees hate them and what is so difficult about the implemented password best practices.
Business operators don’t always understand the consequences of a lax password policy.
I have visited a number of businesses where employee passwords were something along the lines of 123456. I have seen extremely careless password practice in law firms, health care providers, and business service agencies.
Some of them will even joke that their passwords are not the strongest.
Then there’s the dreaded sticky note.
Some businesses don’t even have passwords….on servers!
I get it. Passwords are a pain in the…..
Unfortunately, they’re not going anywhere.
There have been some cool advances in authentication. Biometrics, RFID cards, tokens, and QR codes to name a few.
If you have purchased a smartphone in the last few years you know that facial recognition and/or fingerprint scanning are now standard on most phones.
In the Infosec world, we usually get our guidelines and best practices from NIST. NIST recently published a study on whether recycling passwords worked.
Many businesses require you to change your password every 30 or 45 days and won’t allow you to reuse a password for 12-18 months.
It has been determined that this practice is not effective, meaning it does nothing to improve account compromise.
What it does do is ensure that any unauthorized individual who has gained access with a compromised account will no longer have access once that password is changed.
There have been lots of debates on what makes a secure password. Random letters/numbers/special characters are great but who can remember them?
Using something you can remember makes it easier to crack or even guess the password. I have guessed a network password for a major cable provider’s supposedly secured modem/router.
Things to consider include length, complexity, time until expiration, and account lockout rules.
Password Best Practices for Your Business
Despite the introduction of alternative authentication methods, passwords are still necessary. The alternative methods should be used as multifactor authentication (MFA). Meaning you should use a password and another method.
I will get to those methods in a few paragraphs.
Password Best Practices:
- Use Passwords of at Least 8 Characters – The more the better. For each additional character, the time it takes to brute force the password increases exponentially.A password of 8 lowercase letters can take 5 hours to brute force. By comparison, a password of 12 lowercase characters can take 200 years.
- Use a combination of UPPERCASE, lowercase, numbers, and special characters. Above I mentioned that a password of 8 lowercase characters can be cracked in 5 hours. If you add UPPERCASE, numbers and special characters it will take a lot longer.
- Enforce Complex Password Policies – Requiring (through settings on your network/server/workstations) complex passwords will also greatly decrease the likelihood of a compromise.Complex passwords mean in addition to requiring UPPERCASE, lowercase, numbers and special characters you also avoid dictionary words and variations, proper names, using the account name in the password, and reusing the same or similar passwords.
- Use MFA – there are a few different methods for multifactor authentication available. The most common is the use of a token.It is becoming more popular to use a soft token in corporate environments. Using an app on the employees’ phone that generates a time-based code is a cost-effective method to further secure your network. Keep in mind this is not the most secure of the MFA options but the easiest and least expensive to implement.
Other methods of MFA include a text message, biometrics (retina scanner, fingerprint, facial recognition) and RFID cards.
- Education – Educating your employees is always important when it comes to your business network security and should be included as part of any security policy.Implementing a policy without the proper education is going to prove ineffective.
Educate your employees on why password policies exist, how an account can be compromised and common things to avoid (like the sticky note)
- Additional options might include requiring a password change every 30-60 days, setting work hours (the account cannot log in outside a set time frame) and monitoring for suspicious account activity through log file monitoring.
Passwords are a necessary evil that is not going away anytime soon. It’s best to get comfortable with having to use them in a secure manner.
One last note. There are websites on the internet dedicated to hosting dictionary files filled with passwords that have been used, Security professionals and not so ethical people can purchase these lists to use for brute force attacks.
I recently discovered that a password I was using was on this list. I don’t normally use the same password in multiple places (call me paranoid) but this password was used in a couple of applications. The password consisted of a nickname of someone I know (that most people would not know) random numbers and a special character.
Needless to say, I do not use this password anymore. Using the exclamation point as your one and only special character seems to be the default for a lot of people. Don’t do it.
I should also note these password suggestions can (and should) be used on most internet applications today (Google, Facebook, PayPal, Banking, etc..)
Bottom line, make peace with passwords. They’re not going anywhere.
