OR No Hate Mail, Please – You Need To Hear This
Julian Assange. Colonial Pipeline. Edward Snowden. What do they all have in common? All involved the compromise of weak passwords and little social engineering.
I Know Your Password – Comedian Michael McIntyre nailed it. You’ve likely taken a capitalized dictionary word, added a number, then an (!). If that resembles your password, time for a change. Thanks to rainbow tables and password cracking programs building dynamic password lists, your password better not even look like a real word in your own language.
Extend It – The easiest option to avoid brute force cracks is to extend the length of your password. You exponentially increase the possible passwords with each additional character. Passwords with eight characters of lower and uppercase letters, numbers, and special characters provide up to 6.6 QUADRILLION (6,600,000,000,000,000) possible options. This is called expanding your search space.
MATH! – 26 lower case letters, 26 upper case letters, ten numbers, and 33 special characters. You have 95 possible options for each character of the password. If your password is eight characters, that’s 958, or 6.6 quadrillion possible combinations. Sounds impressive, but the new gaming computers can brute force 3.5 BILLION passwords per second. That’s still 22 days, but password cracking typically only requires half that, called the average attack space. A 9-character password has 630 quadrillion potential passwords and cracks in 2,084 days. We recommend 15-character passwords that, if complex enough, would take 4.2 trillion years!
Search the Keyboard – Lazy people pick passwords with words in their native language or common passwords. Short, unrelated words used together with numbers and special characters are all the rave. An alternative uses the acronyms of an uncommon phrase, using both upper and lower case, for instance: I Know What You Did Last Summer – IkWyDlS. Then, select four or five special characters that are NOT part of numbers on the keyboard – ]”/< Then select a number that means something to you – 0229. Now, interlace the symbols and numbers into the acronym – I]k0W”y2D/l2S<9. Now that’s a password!
We Should See Other Passwords – Strong passwords are great but don’t get attached. Change your password every six months. Fear of commitment is good only here. You look perplexed, and I know why. If it takes over eight years to crack my password, why change it so often?
Different Passwords Per Application – Data breaches are the primary reason you should NEVER REUSE A PASSWORD. I know this is hard, but every website, service, vendor, home computer, work computer, streaming service, and online bill pay should have a different password. How bad could it be? You know to never ask that question. Go here to see if your email has been exposed to a data breach – www.haveibeenpwned.com. You know, when your antivirus company says it’s “searching the Dark Web” for your info, they’re just going here. It’s called the Dark Web for a reason. Your information is for sale, not lying around free to be perused like cheap t-shirts at K-Mart.
Password Vaults – How do you keep up with all those exotic passwords for over 100 different places you need them? Many tools exist. Do your research. You must only remember one master password, and it better be a doozie. My greatest concern with password vault software, after its encryption level, is offline encrypted access. Imagine no memorized passwords and no access to the vault!
Multi-Factor Authentication (MFA) – Authentication works on three factors: something you know (password), something you have (access token or phone), and something you are (biometrics). MFA requires at least two of the three. If you use your phone as an authentication token that verifies your password and uses your finger to unlock your phone, you have successfully enabled all three. Be sure to enable failover authentication methods, such as phone numbers, in case your phone dies or loses signal.
Password Policies That Work – Administrators should require at least 12 characters across all 95 characters but should also ensure complexity. Passwords should expire after six months, and old passwords should never be allowed again. Accounts should lock after three (3) failed attempts with a timer or admin intervention to unlock. Multiple failed login attempts should automatically be reported to InfoSec Mobile devices and should auto wipe after a set number of failed attempts. Finally, NO ONE should store login names and passwords for sites in web browsers.
Salt and Hash – Admin Bonus! Be sure your back-end authentication servers NEVER transmit passwords in plain text across the network or the Internet. When possible, authentication systems should hash passwords and compare the hashed values, not the actual passwords. Passwords stored on local servers should have salt values added before encryption to prevent dissemination if physically stolen. And if your BitLocker password is B1tl0ck3r, change it NOW!
Is it hard to maintain all these passwords? Absolutely! Start by taking down the yellow stickies from your monitor with all your logins and find a good password vault. Then, change all your passwords as recommended.