There is a bit of serendipity associated with World Password Day 2022. This year the day falls on May 5, the day before the first anniversary of the devastating Colonial Pipeline ransomware attack, which was initiated through a compromised password.
The combination of National Password Day and the Colonial Pipeline anniversary should help remind everyone that password security is incredibly important and ever evolving. This evolution is not necessarily due to any revelation the common user has had about creating their personal password.
Instead, the change is due to the constant advancement in technology and the ability of attackers to crack those passwords. Ten years ago, a six-character password like ‘Be4r$1’ would have taken the Cain and Abel tool about 93 years to break. However, now that same password can be figured out in about five seconds due to the availability of faster and more advanced processing speeds and the switch from utilizing central processing units (CPU) to graphics processing units (GPUs) to decipher passwords.
These technological advancements create a nasty conundrum for organizations. They must strike a balance between requiring long and secure passwords and not annoying their workers and slowing down productivity.
Long, complex passwords are cumbersome, and people can get aggravated by inputting them repeatedly. When IT requires computers to lock after five minutes of inactivity, staff often feel like they are typing ‘FRBuyps#6Ph3’ 50 times a day, which is probably true on some days, wasting valuable time better spent on other tasks.
However, there is a solution.
Many organizations get stuck evaluating whether password length or complexity is more important, with most preferring complexity. But what organizations and users miss is the fact that a very long password can be just as secure as a complex one and can often be easier to remember and input.
For example, ‘FRBuyps#6Ph3’ at current rates would take about 34,000 years to crack but would be agonizing for an employee to input each time a company computer is locked.
Instead of using ‘FRBuyps#6Ph3’, people use alternatives like ‘Summer#2002’, which satisfies complexity standards but are featured in every cracking dictionary in the world, making them easily guessed in minutes.
However, password length is one area where workers and the corporate IT team can find some common ground.
For example, ‘iHatemyc0mpanyspasswords~’, although very simple and easy to remember, would take somewhere in the ballpark of 7 quadrillion years to crack with today’s tools.
Security.org has a helpful password -strength tool to test your password. Please remember, if you choose to check your password’s strength, make sure only to use a trustworthy tool. Otherwise, you may well be giving your password to a threat actor who might quickly put it to use or place it into a password dictionary.
The final point to remember, is that what is secure today may not be secure tomorrow. This makes consistent security testing critical. In addition, hackers are always escalating and finding new ways to break both new and old security processes. Therefore, testing the waters periodically to ensure what you think is secure truly is – is paramount.”
Here are some top tips that we recommend all organizations follow to ensure they have a strong password security posture:
- Add complexity: Our researchers have determined that a password with eight characters could be cracked within just one day using brute-force techniques. It would take the same method hundreds of days longer to crack a 10-character password, and even longer if it also includes symbols, numbers and mixing uppercase and lowercase.
- Use passphrases: Believe it or not, a phrase (such as "GoodLuckGuessingThisPassword") that is very easy for the user to remember - but perhaps lacks complexity in the form of special characters - is actually much stronger overall.
- Change passwords frequently: Passwords should be changed every 60 to 90 days, depending on the sensitivity of the account (generic versus elevated privilege). And don't forget to avoid using the same password across multiple accounts.
- Salt and hash: While the combination sounds like something you might do in the kitchen, IT administrators should use unique, random "salts" when "hashing" stored passwords, whereby a piece of unique, random data is combined with each password before the hash is calculated.
- Implement strong password policies: Yes, password policies are incredibly important but often aren't used to their full capacity. The reason being is those complexity policies, specifically in Windows, don't take into account the context of a password, such as identifiers from the company, a company product, the city in which the company or the local sports team. Unfortunately, without a custom solution, most environments are at the mercy of, for example, Microsoft's password complexity policy in Active Directory.
- Audit passwords: Companies need to perform password audits to determine where the weak links are in companies. Oftentimes, the weakest link are the non-tech-savvy users, which are considered soft targets for attackers.
- Consider two-factor authentication: This technology supplements passwords by providing a second form of verification. Thus, if a user's password is compromised, the second factor (such as a token or a code sent to your phone) acts as another layer of defense.
10 Tips for Breach Resilience
The past year has resulted in organizations rapidly adopting new technologies despite declining budgets. How do you keep your organization secure when the evolution of infrastructure and threats both move at unprecedented rates?