“New Password Accepted”
When you create a new password, it may pass all of the usual security checks. Lower- and upper-case letters? Tick. Numbers? Tick. Symbols? Tick.
But how secure is a password that passes those checks really? “PassWord123!” passes the check, but Password Monster says it’s crackable in about 0.4 seconds. Clearly, there is much more to creating a secure password than just jumbling cases, numbers, and symbols.
But before we get into the finer details of creating great passwords – and by extension, great password policies – we need to understand the ways that passwords get breached in the first place.
How Do Hackers Get Hold of Passwords?
There are a number of tools that cybercriminals have in their arsenal to uncover passwords and make their way into sensitive IT systems:
- Social Engineering & Phishing – This is where criminals send messages; usually claiming to be a well-known, relevant brand or an individual known to the victim; that aim to hoodwink users out of sensitive information, which can include login credentials.
- Brute Force & Spraying Attacks – Criminals can use tools to “spray” login pages with continual password attempts, whether these are known common passwords, already breached passwords, or just random strings of characters to try and gain access.
- Dictionary Attacks – Hackers can spray password fields with known dictionary words using automated tools. With a bit of recon on the part of the criminals, this dictionary list can also include likely phrases for those within the organisation to use, such as nearby road names or sports teams.
- Keyloggers – Understandably, any way of snooping on keystrokes can reveal whole username and password combinations. Keyloggers can be software or hardware based, so be vigilant!
- Leaked Usernames and/or Passwords – If a username and password for one login becomes breached, it’s likely that a hacker will try those same credentials across different logins, banking on the possibility that the password has been reused elsewhere to maximise their attack.
- Shoulder Surfing – If a criminal is able to make their way into your premises or access security cameras that are close enough to team members, they may be able to intercept passwords by snooping over someone’s shoulder as they type it in – or simply observe a password on a sticky note!
- In Transit Snooping – If a password travels anywhere online in plain text (or in a poorly encrypted state), a hacker may be able to pick that password up as it travels around the network or the internet.
How to Create Strong Passwords & Stronger Password Policies
With this information in mind, let’s explore some common-sense ways to create strong passwords – and therefore create truly robust password policies.
Creating New Passwords
Block Common Words & Simple Phrases
Using “password” as your password has got to be so passe that it’s a joke now, right? Wrong. The terms “password” and “123456” have consistently topped the global charts for commonly used passwords. Yikes. With that in mind, create a password policy that disallows common passwords like these.
However, if a criminal has your organisation in their sights, they may be willing to do some reconnaissance and a lot of guesswork to get meaningful passwords out of people. In that case, it makes sense to create a password policy that blocks names relevant to your organisation. Block names like nearby street names; the names of local sports teams and venues; the names of buildings or units within your organisation; common/known partners’, kids’, and pets’ names; and so on.
Consider also that a cheeky look on social media can also reveal additional terms that people commonly use in their passwords, like their mother’s maiden name, the first school they attended, previous pets’ names, etc.
Also, naturally, block your team from using any known breached passwords – whether they were breached from you or not – and any similar terms or motifs to them. And, most crucially, keep these lists updated!
Related Reading: What is Cyber Recon? How Criminals Try to Outsmart the Good Guys
Allow Long & Complex Passwords
If any of your logins currently disallow passwords over 20 characters or they block you from using symbols or numbers, then allow this functionality immediately. When it comes to passwords, the longer and randomer, the better; it makes them less guessable and more brute-force-proof.
In order to add a bit of randomness to passwords, some folks rely on similar character swaps, like S for 5 or 4 for A. This is fine, but don’t rely on it totally to change or randomise a password – hackers are well aware of tricks like these too!
Consider Using Passphrases
In a similar vein, rather than simply relying on passwords, consider creating whole passphrases: short, somewhat nonsensical phrases which can be misspelt or peppered with other characters to throw those dictionary attacks off the scent.
The NCSC have advised that passwords be formed by putting together three random words; a particularly simple (and therefore insecure) example of this might be “FishPenApple”.
However, we wholeheartedly disagree with the NCSC’s advice here. Yes, three random words on their own are better than nothing, but not by much. As dictionary attacks get more sophisticated; reconnaissance methods get more tenacious; and (crucially) as the “three random words” tactic becomes more normalised amongst regular users and criminals alike, it will start to provide diminishing returns. Hence why we recommend longer passphrases with added characters to mix things up.
If random, complex phrases aren’t your thing, password manager tools can create, manage, and insert completely randomised passwords.
Change Compromised Passwords
Obviously, any compromised password should be immediately changed. If that same password has been reused anywhere, then that password will need to be changed too. Additionally, that password should also be barred from ever being reused by anyone on your team.
However, in our opinion, you may need to rethink what counts as “compromised”. If it’s on a sticky note, consider it compromised. If it’s in a .txt file on a desktop (or worse, on the server), consider it compromised. If it has been given to someone, maybe in an email – even if it’s internal – consider it compromised.
Wherever it is discovered that a password is compromised (even under our strict definition), immediately force a password reset and feed back to the user about what they can do differently to maintain password security.
Don’t Reuse Passwords – Even Partially
When suddenly prompted to change a password, it’s no surprise that people often take the path of least resistance and simply slap a “1” at the end of their existing password or add a cheeky “abc” to get the computer to stop nagging them.
However, good password policies should mandate that users provide a completely different password each time with no duplication or reusing of historic passwords.
Enforce Regular Password Changes
In a diversion from years of established IT management common sense, NCSC and NIST guidance advises against scheduled password changes. However, we’re going to stick it to the man again and advise that you change passwords every 3-6 months – more frequently for those working in sensitive fields like IT or upper management.
We get why the governmental IT bods say that “unnecessary” password changes are bad news – because people lazily tend to choose similar passwords to the ones they had before when forced to change them. Yet, in combination with good training around not re-using password themes, we’d argue that regularly changing your passwords provides all the more variety that keeps criminals on their toes.
If you are 1,000,000% sure that all of your passwords are totally secure, then you probably wouldn’t have a lot to gain from changing them every so often. But while you may still have some insecure passwords floating about, then we say to stick with refreshing passwords regularly.
Passwords, Policies, and People
Educate Your Teams!
People aren’t always good at simply doing what they are told. They need to know the reasons why they’re being asked to do something. So provide regular cyber security training around creating solid passwords, keeping on the right side of your password policies, and to communicate that solid WHY behind your policies.
In fact, it pays to incorporate basic cybersecurity training and testing into your onboarding before any kind of access to your systems is granted.
Related Reading: 11 Tips for Leading Cyber Secure Cultural Change in the Workplace
Enforce Stricter Policies for Riskier Users
If you’re administering a large network, it’s likely that you will have to manage accounts for different teams and levels of seniority. Entry level positions will likely not need much access to critical systems, but IT teams and upper management will likely have wide-reaching, complete access to more things and to sensitive information.
With this in mind, you may want to scale the “strictness” of your password policies up or down depending on the risk level presented by different groups within your organisation.
Consider the sensitivity of the data each group has access to, and apply password policies to suit. To give an example, highly sensitive individuals may need to renew their passwords more frequently and may be barred from using dictionary words at all; whereas more entry level team members should still use secure passwords of course, but may renew their passwords less frequently and require less complex passwords.
Further Protect Accounts with Multi-Factor Authentication
Gone are the days where we have to rely on passwords alone to protect what lies behind the login page. Multi-Factor Authentication (MFA) provides an extra layer of defence to any login by adding another authentication step into the login process. It’s a way of discerning that the person who is logging in really is who they say they are.
Therefore, even if a password becomes breached, it is very difficult for an unwelcome party to log in without access to that additional authenticating factor.
Related Reading: What is Multi-Factor Authentication? And Why We ALL Need It!
Consider Phasing Out Passwords
Yes, really! MFA is great, but what if you didn’t use passwords to authenticate your users at all? Biometrics and passwordless authentication are likely the future! There are no passwords to remember, lose, or phish for; bad password habits are a thing of the past; and people don’t lose a fingerprint with the same ease as they do a sticky note!
Of course, you need to take care as to where that information is going and how – especially when it comes to biometrics. But given the right tools, passwordless authentication factors are far more secure than passwords.
Related Reading: Passwordless Authentication: The Ultra-Secure Future of Logging In?
Protecting Your Most Important Password Repository: Active Directory
If your network uses Active Directory, you know how crucial it is to running your network. Other than managing all of your networked “objects” it is the central repository for managing network users and their passwords. If a hacker were to gain access to the right person’s Active Directory login, they could hypothetically remove users, increase account privilege, change passwords, plunder your data, and create all kinds of mess.
Active Directory does come with some powerful password policy tools out of the box, but much more can be done to ensure your passwords are as secure as can be. This is where our Password Policy Manager comes in…
Password Policy Manager for Active Directory
Our Password Policy Management solution augments Active Directory’s existing password policy tools to uncover weak or breached passwords currently in use across your network; automatically reject lazy password changes; and provides users with feedback to help them select more secure passwords.
It can automatically reject over 3 billion known compromised passwords, and even helps you enforce a set level of password complexity by rewarding good password habits.