Today is World Password Day – the annual reminder to review your password hygiene and consider how to improve the strength and security of your passwords. Here are our top tips to improve your password security – at home and at work.
Bill Gates predicted the demise of the password back in 2004 saying:
There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don’t meet the challenge for anything you really want to secure.
However, the number of passwords a typical user must manage has increased significantly in the last decade, as has the number of software vulnerabilities and attacks that result in the compromise of passwords. Here are six practical steps you can take to improve your password security.
Use a different password
Password re-use is one of the biggest dangers of password-based systems. Even though most users acknowledge that re-using passwords is something to avoid, research suggests that at least 50% of people do it anyway. Because passwords end up leaking or getting compromised one way or another, the value of the stolen password is greatly increased if it also provides access to additional systems.
It’s not just the innocent victims of cybercrime who suffer because of password re-use. Security blogger Brian Krebs reports how a cyber-criminal hatched a plan to incriminate Krebs by buying drugs on the dark web, posting them to Krebs and then reporting him to the police. However, the criminal used the same password on his private email as he did for the admin account of his dark web hacking forum. The forum software was hacked by other criminals and the passwords exposed and picked up by law enforcement authorities. The police were able to reuse the password to read the criminals email account – which also include receipts for purchases and details of his home address allowing him to be tracked down and arrested.
Use a password manager
Passwords get re-used because it is hard to remember lots of different passwords. A typical person has 80-100 passwords in their life – more if you include work related passwords. A password manager (or password vault) is a software utility that securely stores all your passwords along with the web address or other details of the system it relates to. The password vault itself is encrypted and the key to unlock it is the one password you need to remember.
Some enterprise password managers include features to track and log when a password is used and provide mechanisms to securely share passwords between vaults without ever revealing the password to the end user.
Like any mission critical software, password managers need to be chosen carefully and managed in order to protect against supply chain attacks like the recent compromise of the update mechanism for the Passwordstate utility.
Don’t force regular password changes
While some regulatory regimes require regular changing of passwords (such as PCI-DSS), the guidance for general users has shifted in recent years to recommend that passwords are only changed if there is a concern that the password has been compromised.
The rationale is that forcing frequent changes causes users to select less secure, easier to remember passwords resulting overall in a reduction in security. According to the UK National Cyber Security Centre: Regular password changing harms rather than improves security.
Use Multi-Factor Authentication
Passwords can get compromised – through breaches or bypassed using pass-the-hash and pass-the-cookie attacks. Adding a second authentication factor such as a one-time password or using an authenticator app will help protect your systems even if a password is compromised. A password is something secret that you know – by providing the password you prove to the system that you are who you claim to be. If an attacker or criminal is able to get a copy of your password, then they can impersonate you to the system.
Security is improved if, in addition to providing something that only you are supposed to know, you can also prove that you have in your possession something physical that only you are supposed to have. This is the idea behind multi-factor authentication. In its simplest form, you use your mobile phone as the possession and prove you have it by entering a code number supplied by SMS message or an app that changes each time you logon.
Using a text message (SMS) to deliver a one-time password is less secure (because SMS is inherently less secure) than using an authenticator app like the ones freely available from Google or Microsoft. You could also use a security token which is a small battery powered device, the size of a key fob, that displays a security code that changes frequently.
Apart from one-time passwords, the other most popular means of authentication is biometrics – proving you are the actual person you claim to be by validating a fingerprint, palm scan or face scan.
By combining a password (something you know) with a security token (something you have) or biometrics (something you are) security is much improved compared to using passwords alone.
Pick better passwords
Through Security Training, help your users pick better passwords and make best use of tools such as password managers to keep long and complex passwords secure for each system.
If users are picking their own passwords (and not using machine generated complex passwords from a password manager) then length is more valuable than complexity. Humans can remember a passphrase of three or four words more easily than a shorter complex password with random numbers and symbols.
Configure a minimum length password length of at least 12 characters, but do not limit the maximum password length.
Protect service accounts and API passwords
Modern network infrastructures – whether on premises, in the cloud or hybrid deployments – rely on a plethora of secrets, certificates, keys and passwords to function. Hard coding these security credentials into deployment scripts and configuration files may make developers lives easier but it will also make it much easier for attackers to move around your network and extend their reach into additional systems and conduct man in the middle attacks by impersonating your systems. Infrastructure secrets need protecting in secure locations – such as a password manager or vault. Some password managers now offer infrastructure integrations allowing secrets to be programmatically obtained as needed – avoiding the need to make them human readable at any time.
Additional Resources for Password Security
The National Cyber Security Centre offers useful resources for network managers and users wanting to improve their password security and policies:
- NCSC Guidance on password policy
- NCSC Guidance for Multi-factor authentication
- NCSC Password Managers buyers guide