Password Policy : Protections and Precautions

No Formal Training in Passwords

‍

We have all been there - at a point when we were first introduced to technology and the concept of passwords. At the time, there was no training on what makes a good password and no indication that anyone could easily guess a password. If you said to a friend or family member "...I'm thinking of a word..." the likelihood that they might guess it was incredibly low.

‍

Brute force attacks to servers containing sensitive data are at an all-time high, and the human guess work is no more. Data is extremely valuable and, in the wrong hands, can fetch a high price under ransom and blackmail by malicious individuals. Computing power has grown exponentially and the ability of programs and algorithms to 'guess' common passwords requires virtually no effort.

‍

So how can you and your teams protect themselves? What are the best password formats to use? Let's begin with addressing some of the most common poor practices in passwords:

‍

Password123, sound familiar?

‍

Passwords are easy to remember

While it's often tempting to pick a password which is easy to remember - avoid this at all costs. If any metadata is scraped from any services you are using, then personally identifiable attributes such as your name, age and address are at risk of exposed. Using your own, child's or pet's name is a big security risk that should also be avoided. A quick Google or Facebook search might reveal all of your family members and their personal information.

‍

Passwords are reused

Another temptation - you might think that you have a secure password and decide that you can use it across multiple platforms. How can you be sure that these services are all secure? If just one of those services has a data breach, it's possible that someone could access your email address and password and use it to try getting into several platforms using these same credentials.

‍

Passwords are shared insecurely

If you have a single username or email address for a single license and are sharing a password, avoid putting these in places which are not secure. Whether this is plainly written down (this still happens more frequently than you would believe) or shared between social media apps, unencrypted email or SMS- avoid. If someone asks you for your password, it's absolutely fine to say no.

‍

Passwords are written down or stored improperly

Sticky notes around a computer terminal are extremely common and extremely risky. Obviously, none of this is encrypted or hidden and acts essentially as a 'go-to' guide to get access to an otherwise potentially secure system. It's also common for people to copy and paste digital records of passwords to multiple programs. You might store your password in a document, spreadsheet or a third-party app on your phone. How do you know that app developers aren't accessing your data from the app? Especially if it was installed outside of a designated app store. If the data you enter into that app includes an email address and password this also becomes highly risky.

‍

People avoid using two-factor authentication

Two-factor authentication has become a gold standard in protecting access to accounts online. In addition to passwords, receiving a one-time code which expires within a minute dramatically increases account security. This might be in the form of an SMS to a validated or confirmed device or account (phone number or email address, for example) or an authenticator app that you have on your smartphone.

‍

Browsers that save passwords for you

Browsers cache a lot of data. This is usually to improve your browsing experience by reducing loading times. Some browsers offer to save your password, however, without knowing fully what they do with that data, where it is housed and if it is encrypted, you can't be sure that your passwords are not in the wrong hands. Also any potentially suspicious add-ons or plug-ins that you have installed on your browser might be able to see or access the data.

‍

What can I do?

You might be feeling a little overwhelmed and concerned for your online safety. After all, under brute force attacks, many non-secure passwords containing a short string of letters and numbers (including readable words and predictable names) can take mere seconds to break. Here are some examples of the time it takes for passwords to be grabbed during such attacks:

‍

• 7-character-long lowercase letter password: Instant
• 10-character-long number password: Instant
• 5-character-long lowercase, uppercase, number and special character password mix: Instant

‍

Here are some of the top tips on password security:

• Use a password manager: E.g. Bitwarden
• Never re-use passwords
• Use long passwords
• Have a master password which is highly secure including letters (upper and lower case), numbers and special characters
• Never share passwords
• Never text passwords

‍

Finally...C0mm0n M1sc0nc3ption5...

‍

Today, some of the minimal password policies will say that you need a password which is 8 characters long with a combination of letters (upper- and lowercase), numbers and special characters. However, by today's technological standards, 8 characters is not enough and pretty breakable if the intent and expertise was there. Users will also assume that when a website suggests that your password is "strong" - by meeting its minimal requirements - it is very secure. If it suggests 8 characters, this likely isn't in practice enough - why not use 20 or more characters? Many users also believe that if you have a very strong password it can be re-used. What happens if one of these services is breached? By re-using a password (secure or not) you are increasing the number of entry points to that password across multiple systems. This last misconception is quite surprising for most people: Replacing some characters with numbers, e.g. "E" with "3", and "5" with "$" is also not secure. This technique is well known with hackers and included in hacking strategies.

‍

Online safety in the 21st century is essential and if you are responsible for highly sensitive data you will have moral and sometimes legal responsibility to adhere to best practices.