When is the last time your organisation updated its password policy or sent out guidance to employees on creating safe and secure passwords? It’s been a year since we last updated our own guidance, so we thought it was about time for our 2020 edition of “how to keep your accounts secure”. Specifically, we’ll be looking at current best practice for creating passwords and passphrases, and at how to make use of multi-factor authentication.
The good news is that little has changed since our 2019 guide, because the official guidance from NIST has changed little in the past year. However, if you haven’t updated your own guidance within the last few years, chances are it’s woefully out of date. NIST, the National Institute of Standards and Technology, has been considered the gold standard in password guidance worldwide for many years, but when it published its revised Digital Identity Guidelines (SP 800-63B) in 2017, many were quick to note that the advice had changed drastically from earlier editions.
Why did the advice change? It’s not that the original advice was bad, per se; it’s that guidance has to take human nature into account if it is to be pragmatic. Human error is consistently reported as a leading factor in data breaches, and weak or reused passwords have certainly contributed to that.
So, without further ado, see our 2020 guidelines for creating safe passwords and keeping your account secure!
Passwords are out, passphrases are in
Arguably the main weakness of passwords is that they are hard to remember, especially when they are complex. Previous guidance suggested that each website or service you use should have a unique, complex password: a mixture of upper and lowercase letters, numbers and symbols. That sounds great in theory, but in practice most people simply weren’t able to remember a complex password for every site. Instead, many people created just one secure password and used it for everything, or at best created small variations on their main password in the hope that this would be secure enough.
Unfortunately, that has proven not to be the case. Cyber criminals use a technique called ‘credential stuffing’: whenever they obtain someone’s email address and password from one breach, they replay that pair against as many other websites as they can to see where else it works. They don’t do this manually; automated tools do it for them, and those tools will also try common variations (a changed digit, an appended year) until they get a hit. In other words, cyber criminals are wise to our tendency to reuse similar passwords.
Because of this, people are advised to use passphrases instead of passwords. A passphrase is simply a group of words strung together, without the usual complexity requirements, giving a password that is both memorable and long. For example:
my dog is the best dog in the world
It is recommended that passphrases be at least 20 characters long if the website allows it. Uppercase letters, symbols and numbers are entirely optional, and spaces and punctuation can be used too. The most important goal is a password you can easily remember, so that you can use a unique one for every website or service you use.
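The example sentence above is easy to remember, but an English sentence has far less entropy than its length suggests, because the words follow grammar. The usual way to get a passphrase that is both memorable and genuinely random is to pick words independently from a large list. The following Python is an added example, not code from the original article: it uses a constructed mini word list (a real generator would use a published list such as the EFF long list of 7,776 words, which is the figure the entropy helpers assume below) and shows how to size a passphrase for a target entropy.

```python
import math
import secrets

# Constructed mini word list for the example. A real generator should use a
# published list such as the EFF long list (7,776 words); the larger the list,
# the more entropy each word contributes.
WORDS = [
    "apple", "river", "candle", "orbit", "velvet", "thunder", "maple", "copper",
    "lantern", "meadow", "pepper", "saddle", "harbor", "comet", "fossil", "walnut",
    "glacier", "timber", "violet", "anchor", "basket", "ember", "falcon", "granite",
    "hammer", "island", "jungle", "kettle", "lemon", "marble", "nectar", "oyster",
]


def generate_passphrase(n_words: int, words=WORDS, sep: str = " ") -> str:
    """Pick n_words independently and uniformly at random from the list.

    secrets.choice uses the OS CSPRNG; random.choice is not suitable here."""
    if n_words < 1:
        raise ValueError("need at least one word")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(n_words: int, list_size: int) -> float:
    """Entropy of a uniformly random n-word passphrase: n * log2(list size)."""
    return n_words * math.log2(list_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    phrase = generate_passphrase(6)
    print(phrase, f"({len(phrase)} chars, {entropy_bits(6, len(WORDS)):.1f} bits "
                  f"with this tiny {len(WORDS)}-word list)")
    print("words from a 7,776-word list needed for 80 bits:", words_needed(80, 7776))
```

Six words from the EFF list give about 77.5 bits and comfortably exceed the 20-character recommendation above; with the 32-word list embedded here the same six words give only 30 bits, which is why list size matters more than word count.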
For administrators: loosen up password complexity requirements
This one is for all the sysadmins out there who are responsible for password complexity requirements.
It’s been shown that the more complexity you require of a password, the more likely users are to be unable to remember it, and they end up reusing their one ‘good’ password. Nothing should be ruled out, so users should be free to use symbols, numbers and spaces where possible, but forcing them to do so has proven ineffective; NIST now advises against imposing composition rules at all.
There are two main requirements that you should set instead. The first is length: passwords should ideally be at least 20 characters long. The maximum length should be as long as is practical (NIST asks that systems accept at least 64 characters), in order to allow users maximum flexibility in creating unique, secure and memorable passphrases.
The second requires some technical measures to implement, but best practice (and NIST’s guidance) dictates that users should not be allowed to use passwords that have previously been breached and circulated online. Cyber criminals sell hacked credentials to other criminals and frequently compile breached data (including passwords obtained or verified through credential stuffing) into “combo lists”. Attackers can purchase these lists cheaply and use automated programs to feed the passwords into various websites in an attempt to gain unauthorised access to user accounts. Every year we see people with commonly used passwords falling victim to hacks and breaches, and allowing staff to use previously-breached passwords is a disaster waiting to happen. There are tools that integrate with your domain controller to block any password that has been exposed in a known breach; most of them check candidates against a breached-password corpus such as Have I Been Pwned’s Pwned Passwords.
Bonus point: don’t force users to change their passwords without reason. If a user has created secure, memorable passphrases for their accounts, there is little reason to force them to change them every year unless there is evidence of compromise or the user has forgotten them. Besides, studies have shown that users typically pick a variation of their previous password when forced to change it, so password expiry often buys only the illusion of extra security.
Some password advice remains relevant today
Cyber security on the whole can be a fast-moving industry which has to frequently change and adapt to new threats. The updated guidelines from NIST are intended to do just that: respond to new threats and the best information available at the time.
Some advice, however, is predicted to remain relevant for as long as the use of passwords is prevalent in this world of ours.
For example, one of the worst things you can do when creating a password is to use any part of your email address or login, as criminals check this immediately. If your email is [email protected], then you absolutely don’t want a password like Mary2020, as cyber criminals will guess it in the blink of an eye. Really, any personal information that another person could guess shouldn’t be used, such as pet names, parts of your address, etc. Anything that is public knowledge (i.e. on social media) should absolutely not be used in your passwords.
In addition to avoiding passwords that have previously been exposed online in breaches, you also want to make sure you’re not using any common passwords. Some of the most common passwords (yes, even in 2020) include “123456”, “password”, “qwerty”, “abc123” and many other easy-to-type but easy-to-guess strings. These lists are easily googled and are among the first passwords an attacker will try, so please don’t use them.
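The administrator rules above (length only, no composition rules, a breach check) and the two user-side rules just described (no fragment of the login name, no common passwords) can all be enforced in one policy check. The Python below is an added example written for this article, not a tool the article or NIST provides. The breach check uses the k-anonymity range protocol that Pwned Passwords exposes: the client hashes the candidate with SHA-1, sends only the first 5 hex characters, and matches the remaining 35 against the returned list locally, so the password itself never leaves the machine. The `hibp_range_lookup` function performs the real network query; the rest of the example runs offline against a constructed stand-in server with invented breach counts. The 20-character minimum is this page’s recommendation; the 128-character maximum, the four-entry blocklist and the example login `mary@example.com` are assumptions for the demonstration.

```python
import hashlib
import re
import urllib.request

# Policy constants. 20 is the recommendation on this page; 128 is an assumed
# upper bound (NIST SP 800-63B asks verifiers to accept at least 64 characters).
MIN_LENGTH = 20
MAX_LENGTH = 128

# The commonly used passwords named on this page. A real deployment would use a
# much larger blocklist (the top 10k of a published breach corpus, for instance).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "abc123"}


def sha1_hex(text: str) -> str:
    """Upper-case hex SHA-1, the hash Pwned Passwords is keyed on."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def hibp_range_lookup(prefix: str) -> str:
    """Real k-anonymity range query (needs network access; not used offline).

    Only the first 5 hex characters of the SHA-1 ever leave the machine."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-policy-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def make_fake_range_lookup(breached: dict):
    """Constructed stand-in for the range endpoint, built from a made-up breach
    corpus {password: count}, so the example runs offline. It returns the same
    "SUFFIX:COUNT" lines the real endpoint does."""
    index: dict = {}
    for pw, count in breached.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")

    def lookup(prefix: str) -> str:
        if not re.fullmatch(r"[0-9A-F]{5}", prefix):
            raise ValueError("range queries take exactly 5 upper-case hex chars")
        return "\r\n".join(index.get(prefix, []))

    return lookup


def breach_count(password: str, range_lookup) -> int:
    """How often `password` appears in the breach corpus, via k-anonymity:
    send the 5-char prefix, match the 35-char suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        if ":" not in line:
            continue
        candidate_suffix, count = line.strip().split(":", 1)
        if candidate_suffix.upper() == suffix:
            return int(count)
    return 0


def validate_password(candidate: str, username: str, range_lookup) -> list:
    """Return a list of policy violations (an empty list means accepted).

    No composition rules: length, a blocklist, a login-fragment check and a
    breach lookup are the only tests."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    # Reject anything containing a recognisable piece of the login name
    # (local part of an email address, split on dots, digits and so on).
    local_part = username.split("@", 1)[0].lower()
    fragments = [f for f in re.split(r"[^a-z0-9]+", local_part) if len(f) >= 3]
    if any(f in lowered for f in fragments):
        problems.append("contains part of the login name")
    hits = breach_count(candidate, range_lookup)
    if hits:
        problems.append(f"seen {hits} times in known breaches")
    return problems


if __name__ == "__main__":
    # Constructed corpus; the counts are invented for the example.
    lookup = make_fake_range_lookup({"password": 3730471, "123456": 23597311, "Mary2020": 12})
    for pw in ["Mary2020", "my dog is the best dog in the world"]:
        print(repr(pw), validate_password(pw, "mary@example.com", lookup) or "accepted")
```

To run it against the live service, pass `hibp_range_lookup` instead of the fake lookup. Note that SHA-1 is used here only because that is how the Pwned Passwords corpus is indexed; it says nothing about how you should store passwords, which still belongs to a slow, salted hash such as bcrypt or Argon2.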
Use password managers and multi-factor authentication
Even with all of the above in mind, we understand that it can still be difficult to remember unique passwords for every single website that you use. Does this mean that you’re forgiven for re-using passwords? Unfortunately not, as cyber criminals will only use this to their advantage. This is where password managers come in! These tools (such as LastPass and Dashlane) can safely store your passwords and will alert you to password reuse. At work, speak to your IT team about the use of password managers in your organisation, and if they have a recommended one that is allowed.
Lastly, when all else fails, multi-factor authentication has your back. Multi-factor authentication (also known as two-factor authentication, MFA or 2FA) means that more than one factor must be presented before you can log into your account. The most common form is a code that you must enter after your email and password are accepted, either texted to you or generated by an authenticator app. It takes two seconds to enter the extra code, but it means an attacker cannot get into your account with your password alone: even if they obtain your details, without your phone it is much harder to gain access. Prefer app-generated codes or a hardware key over SMS where you can, since text messages can be redirected by SIM-swap fraud. MFA gives real peace of mind, and we are seeing a strong trend towards it, especially for services such as email and banking.
Is that all I need to worry about?
Unfortunately, no. As cyber security becomes more advanced and complex systems are put in place to protect organisations from hackers, more and more cyber criminals are making use of social engineering to bypass these measures altogether.
Social engineering is the act of manipulating people into taking an action that will harm them and/or their organisation. Criminals will try to trick people into thinking that they are from their IT department so that they will provide their login information and even give them their MFA code!
There are numerous ways in which cyber criminals use social engineering techniques to compromise organisations which are beyond the scope of this article, but the best means to combat them is through education and training.
Many organisations are now implementing mandatory cyber security awareness training for all their staff to ensure that they are aware of the common tricks that cyber criminals will use against them, and the results speak for themselves. As we stated earlier, human error is a leading cause of data breaches, and this is unlikely to change in the foreseeable future.
Tech Guard offers a comprehensive security awareness training service which uses a data-driven approach to identify risk, assess areas where user knowledge is low, and combine regular training modules with simulated phishing attacks to increase user awareness and reduce risk.
Contact us today for a free demo of our training platform to find out how we can help you today.