World Password Day 2022: Best Practices for Keeping Your Organization Safe

There is a bit of serendipity associated with World Password Day 2022. This year the day falls on May 5, the day before the first anniversary of the devastating Colonial Pipeline ransomware attack, which was initiated through a compromised password. 

The combination of World Password Day and the Colonial Pipeline anniversary should help remind everyone that password security is incredibly important and ever evolving. This evolution is not necessarily due to any revelation the common user has had about creating their personal password.

Instead, the change is due to the constant advancement in technology and the ability of attackers to crack those passwords. Ten years ago, a six-character password like ‘Be4r$1’ would have taken the Cain and Abel tool about 93 years to break. However, now that same password can be figured out in about five seconds due to the availability of faster and more advanced processing speeds and the switch from utilizing central processing units (CPUs) to graphics processing units (GPUs) to decipher passwords.

These technological advancements create a nasty conundrum for organizations. They must strike a balance between requiring long and secure passwords and not annoying their workers and slowing down productivity.

Long, complex passwords are cumbersome, and people can get aggravated by inputting them repeatedly. When IT requires computers to lock after five minutes of inactivity, staff often feel like they are typing ‘FRBuyps#6Ph3’ 50 times a day, which is probably true on some days, wasting valuable time better spent on other tasks.  

However, there is a solution.

Many organizations get stuck evaluating whether password length or complexity is more important, with most preferring complexity. But what organizations and users miss is the fact that a very long password can be just as secure as a complex one and can often be easier to remember and input.

For example, ‘FRBuyps#6Ph3’ at current rates would take about 34,000 years to crack but would be agonizing for an employee to input each time a company computer is locked. 

Instead of using ‘FRBuyps#6Ph3’, people use alternatives like ‘Summer#2002’, which satisfies complexity standards but is featured in every cracking dictionary in the world, making it easily guessed in minutes.

However, password length is one area where workers and the corporate IT team can find some common ground.

For example, ‘iHatemyc0mpanyspasswords~’, although very simple and easy to remember, would take somewhere in the ballpark of 7 quadrillion years to crack with today’s tools.
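To make the length-versus-complexity point concrete, here is a small strength estimator (added here as an illustration, not code from the original post or from Trustwave). It compares the brute-force keyspace of the post's two example passwords and flags the "season plus symbol plus year" shape of ‘Summer#2002’ as a dictionary hit. The guess rate and the single regex standing in for a cracking dictionary are assumptions for the example, not the figures behind the crack times quoted above.

```python
import math
import re

# Assumed guess rate for an offline attack against a fast, unsalted hash.
# This is a labelled assumption, not the rate the post's numbers are based on.
GUESSES_PER_SECOND = 1e11

# Constructed stand-in for a cracking dictionary: a capitalised season, an
# optional symbol, and a four-digit year (e.g. 'Summer#2002').
SEASON_YEAR = re.compile(r"^(Spring|Summer|Autumn|Fall|Winter)[^A-Za-z0-9]?(19|20)\d{2}$")


def charset_size(password: str) -> int:
    """Alphabet size a brute-force attacker must cover for this password."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33  # printable ASCII punctuation
    return size


def brute_force_years(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case years to exhaust the keyspace at the assumed guess rate."""
    keyspace = charset_size(password) ** len(password)
    return keyspace / rate / (365 * 24 * 3600)


def assess(password: str) -> dict:
    """Return keyspace bits and crack time; dictionary-shaped passwords score zero."""
    if SEASON_YEAR.match(password):
        return {"bits": 0.0, "years": 0.0, "note": "dictionary pattern; guessed in minutes"}
    bits = len(password) * math.log2(charset_size(password))
    return {"bits": bits, "years": brute_force_years(password), "note": "brute force only"}


if __name__ == "__main__":
    for pw in ("FRBuyps#6Ph3", "Summer#2002", "iHatemyc0mpanyspasswords~"):
        r = assess(pw)
        print(f"{pw:28s} {r['bits']:6.1f} bits  {r['years']:12.3g} years  ({r['note']})")
```

The long passphrase and the 12-character string draw from the same 95-character alphabet, so the extra 13 characters of length, not the symbols, are what push the keyspace out of reach.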

Security.org has a helpful password-strength tool to test your password. Please remember, if you choose to check your password’s strength, make sure only to use a trustworthy tool. Otherwise, you may well be giving your password to a threat actor who might quickly put it to use or place it into a password dictionary.

The final point to remember is that what is secure today may not be secure tomorrow. This makes consistent security testing critical. In addition, hackers are always escalating and finding new ways to break both new and old security processes. Therefore, periodically testing the waters to ensure that what you think is secure truly is secure is paramount.

Here are some top tips that we recommend all organizations follow to ensure they have a strong password security posture:

  1. Add complexity: Our researchers have determined that a password with eight characters could be cracked within just one day using brute-force techniques. It would take the same method hundreds of days longer to crack a 10-character password, and even longer if it also includes symbols, numbers and a mix of uppercase and lowercase letters.
  2. Use passphrases: Believe it or not, a phrase (such as "GoodLuckGuessingThisPassword") that is very easy for the user to remember - but perhaps lacks complexity in the form of special characters - is actually much stronger overall.
  3. Change passwords frequently: Passwords should be changed every 60 to 90 days, depending on the sensitivity of the account (generic versus elevated privilege). And don't forget to avoid using the same password across multiple accounts.
  4. Salt and hash: While the combination sounds like something you might do in the kitchen, IT administrators should use unique, random "salts" when "hashing" stored passwords, whereby a piece of unique, random data is combined with each password before the hash is calculated.
  5. Implement strong password policies: Yes, password policies are incredibly important but often aren't used to their full capacity. The reason is that those complexity policies, specifically in Windows, don't take into account the context of a password, such as identifiers from the company, a company product, the city in which the company is located, or the local sports team. Unfortunately, without a custom solution, most environments are at the mercy of, for example, Microsoft's password complexity policy in Active Directory.
  6. Audit passwords: Companies need to perform password audits to determine where their weak links are. Oftentimes, the weakest links are the non-tech-savvy users, who are considered soft targets for attackers.
  7. Consider two-factor authentication: This technology supplements passwords by providing a second form of verification. Thus, if a user's password is compromised, the second factor (such as a token or a code sent to your phone) acts as another layer of defense.
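Tips 4 and 5 above are the two that land on the IT administrator, so here is an added example (not Trustwave's code or any product's) showing both in one place: a context-aware policy check that rejects passwords built from organisation-specific terms, even with common digit-for-letter substitutions, and per-password random salting with PBKDF2-HMAC-SHA256 from the standard library. The context terms and the hypothetical organisation they describe are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed context list for a hypothetical organisation (company name, product,
# city, local team). A real deployment loads its own terms and keeps them current.
CONTEXT_TERMS = ["acme", "widgetpro", "springfield", "isotopes"]

# Undo the substitutions people use to sneak a blocked word past a naive check.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def violates_policy(password: str, context_terms=CONTEXT_TERMS, min_len: int = 14) -> Optional[str]:
    """Return the reason a password fails the policy, or None if it passes."""
    if len(password) < min_len:
        return f"shorter than {min_len} characters"
    normalised = password.lower().translate(LEET)
    for term in context_terms:
        if term in normalised:
            return f"contains organisation-specific term '{term}'"
    return None


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Hash with a fresh 16-byte random salt; the salt is stored beside the hash."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    for pw in ("Acm3Widgets2022!", "iHatemyc0mpanyspasswords~"):
        reason = violates_policy(pw)
        print(f"{pw!r}: {'rejected: ' + reason if reason else 'accepted'}")
        if reason is None:
            record = hash_password(pw)
            print("  stored:", record[:40] + "...", "verify:", verify_password(pw, record))
```

Because each record carries its own salt, two users with the same password get different hashes, so a cracked hash does not unlock every account that shares the password.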
