Top tips for World Password Day 2021

Articles, Information Assurance | 6 May, 2021

Today is World Password Day – the annual reminder to review your password hygiene and consider how to improve the strength and security of your passwords. Here are our top tips to improve your password security – at home and at work.

Bill Gates predicted the demise of the password back in 2004 saying:

There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don’t meet the challenge for anything you really want to secure.

However, the number of passwords a typical user must manage has increased significantly in the last decade, as has the number of software vulnerabilities and attacks that result in the compromise of passwords.  Here are six practical steps you can take to improve your password security.

Contents

  • 1 Use a different password
  • 2 Use a password manager
  • 3 Don’t force regular password changes
  • 4 Use Multi-Factor Authentication
  • 5 Pick better passwords
  • 6 Protect service accounts and API passwords
  • 7 Additional Resources for Password Security

Use a different password

Password re-use is one of the biggest dangers of password-based systems. Even though most users acknowledge that re-using passwords is something to avoid, research suggests that at least 50% of people do it anyway. Because passwords end up leaking or getting compromised one way or another, the value of the stolen password is greatly increased if it also provides access to additional systems.

It’s not just the innocent victims of cybercrime who suffer because of password re-use. Security blogger Brian Krebs reports how a cyber-criminal hatched a plan to incriminate Krebs by buying drugs on the dark web, posting them to Krebs and then reporting him to the police. However, the criminal used the same password for his private email as for the admin account of his dark web hacking forum. The forum software was hacked by other criminals, and the exposed passwords were picked up by law enforcement authorities. The police were able to reuse the password to read the criminal’s email account, which included receipts for his purchases and details of his home address, allowing him to be tracked down and arrested.

Use a password manager

Passwords get re-used because it is hard to remember lots of different passwords.  A typical person has 80-100 passwords in their life – more if you include work related passwords.  A password manager (or password vault) is a software utility that securely stores all your passwords along with the web address or other details of the system it relates to.  The password vault itself is encrypted and the key to unlock it is the one password you need to remember.

Some enterprise password managers include features to track and log when a password is used and provide mechanisms to securely share passwords between vaults without ever revealing the password to the end user.

Like any mission critical software, password managers need to be chosen carefully and managed in order to protect against supply chain attacks like the recent compromise of the update mechanism for the Passwordstate utility.

Don’t force regular password changes

While some regulatory regimes require regular changing of passwords (such as PCI-DSS), the guidance for general users has shifted in recent years to recommend that passwords are only changed if there is a concern that the password has been compromised.

The rationale is that forcing frequent changes causes users to select less secure, easier to remember passwords, resulting overall in a reduction in security. According to the UK National Cyber Security Centre: Regular password changing harms rather than improves security.

Use Multi-Factor Authentication

Passwords can be compromised, whether leaked in a breach or bypassed outright using pass-the-hash and pass-the-cookie attacks. Adding a second authentication factor, such as a one-time password or an authenticator app, will help protect your systems even if a password is compromised. A password is something secret that you know: by providing the password you prove to the system that you are who you claim to be. If an attacker or criminal is able to get a copy of your password, then they can impersonate you to the system.

Security is improved if, in addition to providing something that only you are supposed to know, you can also prove that you have in your possession something physical that only you are supposed to have.  This is the idea behind multi-factor authentication.  In its simplest form, you use your mobile phone as the possession and prove you have it by entering a code number supplied by SMS message or an app that changes each time you logon.

Using a text message (SMS) to deliver a one-time password is less secure (because SMS is inherently less secure) than using an authenticator app like the ones freely available from Google or Microsoft.  You could also use a security token which is a small battery powered device, the size of a key fob, that displays a security code that changes frequently.

Apart from one-time passwords, the other most popular means of authentication is biometrics – proving you are the actual person you claim to be by validating a fingerprint, palm scan or face scan.

By combining a password (something you know) with a security token (something you have) or biometrics (something you are) security is much improved compared to using passwords alone.

Pick better passwords

Through security training, help your users pick better passwords and make the best use of tools such as password managers to keep a long, complex password secure for each system.

If users are picking their own passwords (and not using machine generated complex passwords from a password manager) then length is more valuable than complexity. Humans can remember a passphrase of three or four words more easily than a shorter complex password with random numbers and symbols.

Configure a minimum password length of at least 12 characters, but do not limit the maximum password length.
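The three rules above (length first, no complexity requirement, no upper bound) translate into a small policy check. The example below is added here and is not SecureTeam's code; the denylist of compromised passwords and the wordlist are constructed stand-ins for the large lists a real deployment would use, and the `search_space_bits` helper goes slightly beyond the text by putting numbers on why a three-or-four-word passphrase competes with a short "complex" password.

```python
import hashlib
import math
import secrets
from typing import List, Tuple

MIN_LENGTH = 12  # the article's recommended minimum; no maximum is enforced anywhere below

# Constructed stand-in for a breached/common password list. Real deployments check a large
# corpus; storing SHA-1 digests mirrors how such lists are commonly distributed, and the exact
# password is compared (breach lists are case-sensitive).
_DENYLIST_PLAINTEXT = ["password1234", "qwertyuiop12", "Welcome2021!", "letmein12345"]
DENYLIST_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in _DENYLIST_PLAINTEXT}

# Constructed short wordlist; a real passphrase generator uses several thousand words.
WORDLIST = ["anchor", "basil", "cobalt", "dune", "ember", "falcon", "glacier", "harbor",
            "ivory", "juniper", "kestrel", "lantern", "meadow", "nectar", "orchid", "pebble"]


def check_password(candidate: str, min_length: int = MIN_LENGTH) -> Tuple[bool, List[str]]:
    """Length-first policy: long passphrases pass, short 'complex' strings and known-bad ones
    fail. There is deliberately no complexity rule and no upper length bound."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if hashlib.sha1(candidate.encode()).hexdigest() in DENYLIST_SHA1:
        problems.append("appears in the known-compromised list")
    if len(set(candidate)) <= 2:  # e.g. 'aaaaaaaaaaaa' or 'abababababab'
        problems.append("uses only one or two distinct characters")
    return (not problems, problems)


def search_space_bits(choices_per_position: int, positions: int) -> float:
    """Bits an attacker must search when each position is drawn uniformly from
    `choices_per_position` options: words from a wordlist, or characters from an alphabet."""
    return positions * math.log2(choices_per_position)


def generate_passphrase(words: int = 4, wordlist: List[str] = WORDLIST) -> str:
    """Random words separated by spaces; secrets.choice is CSPRNG-backed, unlike random.choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    for pw in ["Tr0ub4dor&3", "password1234", generate_passphrase()]:
        print(repr(pw), check_password(pw))
    # Why length beats complexity: four words from a 7776-word list roughly equal eight random
    # printable-ASCII characters, and twenty lowercase letters far exceed both.
    print("4 words x 7776:", round(search_space_bits(7776, 4), 1), "bits")
    print("8 printable chars:", round(search_space_bits(95, 8), 1), "bits")
    print("20 lowercase chars:", round(search_space_bits(26, 20), 1), "bits")
```

The entropy figures assume the words or characters are chosen at random; a passphrase a user builds from a favourite song title has far less. That is the reason the article pairs passphrases with a password manager: let the tool generate the random part wherever the user never has to type it.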

Protect service accounts and API passwords

Modern network infrastructures – whether on premises, in the cloud or hybrid deployments – rely on a plethora of secrets, certificates, keys and passwords to function. Hard coding these credentials into deployment scripts and configuration files may make developers’ lives easier, but it also makes it much easier for attackers to move around your network, extend their reach into additional systems and conduct man-in-the-middle attacks by impersonating your systems. Infrastructure secrets need protecting in secure locations, such as a password manager or vault. Some password managers now offer infrastructure integrations that allow secrets to be obtained programmatically as needed, avoiding the need to make them human-readable at any time.
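A practical first step is finding the credentials that are already hard coded. The example below is added here and is not SecureTeam's code or any product's scanner: it walks a constructed configuration file, flags assignments to credential-like keys whose value is a literal, and ignores values that are only references (an environment placeholder, a vault path). The placeholder conventions are hypothetical for this demo. The `get_secret` function shows the replacement pattern the article describes, with a secret injected at runtime and a missing secret treated as an error rather than falling back to a default.

```python
import os
import re
from typing import List, Mapping, Tuple

# Constructed sample configuration. Line 2 embeds a literal credential; lines 3 and 4 use the
# patterns recommended instead: a deploy-time placeholder and a reference to a secrets vault,
# neither of which leaves the secret readable on disk.
SAMPLE_CONFIG = "\n".join([
    "db_host = db.internal.example",
    'db_password = "S3cr3t-hunter2-2021"',
    "api_key = ${API_KEY}",
    "service_token: vault:secret/data/app#token",
    "smtp_user = mailer",
])

# A key containing a credential-ish word, then '=' or ':', then an optionally quoted value.
SENSITIVE_ASSIGNMENT = re.compile(
    r"""^\s*([\w.-]*(?:password|passwd|pwd|secret|api[_-]?key|token)[\w.-]*)\s*[:=]\s*["']?([^"'\s#]+)""",
    re.IGNORECASE,
)
# Values that are references rather than the secret itself (hypothetical conventions for this demo):
# ${ENV_VAR}, <injected-by-tooling>, vault:<path>, or a masked ******** value.
PLACEHOLDER = re.compile(r"^(\$\{?[A-Z][A-Z0-9_]*\}?|<[^>]+>|vault:.*|\*{3,})$")


def scan_config(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, key, literal value) for every credential assigned as a literal."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = SENSITIVE_ASSIGNMENT.match(line)
        if m and not PLACEHOLDER.match(m.group(2)):
            findings.append((lineno, m.group(1), m.group(2)))
    return findings


def get_secret(name: str, env: Mapping[str, str] = os.environ) -> str:
    """Fail-closed replacement for a hard-coded value: the secret is supplied at runtime
    (environment here; a vault client call would sit in the same place) and a missing secret
    is an error rather than a silent fallback to a built-in default."""
    try:
        return env[name]
    except KeyError:
        raise RuntimeError(f"secret {name!r} was not provided to the process") from None


if __name__ == "__main__":
    for lineno, key, value in scan_config(SAMPLE_CONFIG):
        # Print only a prefix so the scanner's own output does not become another copy of the secret.
        print(f"line {lineno}: {key} is assigned a literal credential ({value[:4]}...)")
```

Run this kind of check in the repository's pre-commit hook or CI pipeline so a literal credential is caught before it reaches a shared branch; once it has been committed, treat it as compromised and rotate it, because removing the line does not remove it from history.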

Additional Resources for Password Security

The National Cyber Security Centre offers useful resources for network managers and users wanting to improve their password security and policies:

  • NCSC Guidance on password policy
  • NCSC Guidance for Multi-factor authentication
  • NCSC Password Managers buyers guide
