As our lives increasingly move online, passwords are a more critical and ever-present part of what we do day-to-day. Yet, tech experts say, most users are really bad at creating effective passwords. The evidence of poor password management is plain to see as major data breaches occur more and more frequently.
According to a study conducted by Verizon, 63% of data breaches involved leveraging default, weak or stolen passwords. When it comes to complex networks and online environments, just one cracked password has a quickly cascading effect. The 2012 data breach at LinkedIn was caused by a Russian hacker who used one weak password to expose 6.5 million encrypted passwords. Several years later, 117 million email addresses and their password combinations tied to LinkedIn users were for sale on the black market.
The impact of a data breach depends largely on how much time passes between the breach and the discovery of the breach. In the same report, Verizon said 93% of data breaches happen within minutes but 85% of them are not discovered for weeks. That’s long enough for hackers to install malware to extract sensitive information, launch phishing attacks from within your network, and steal credentials that allow them to further penetrate your supposedly secure network.
However, despite an overall lack of effective password management, no one has yet come up with a better way to protect online information. For better or worse, it looks like passwords are here to stay. Here are some good rules to follow for secure, effective password management.
Of course, the best first step to effective password management is creating the strongest password you can. And it’s probably easier than you think. First, some don'ts. Don’t choose passwords with personal details that would be easy for someone to find out, such as your birthday, address or social security number.
Don’t use words that can be found in the dictionary. Readily available password cracking software includes dictionary lists with thousands of password variations using common names and words. And don’t use the same password for multiple sites; in particular, your email password and online banking password should always be different from any other passwords you use.
So what should you do to create stronger passwords? The very best passwords are both easy to remember and hard to guess. Many IT security experts recommend thinking of a phrase that’s meaningful to you, such as “I hope the Seattle Seahawks win the Super Bowl in 2018!” and then distilling it into a password from the first letter of each word, keeping the numbers and punctuation as they are.
In our example, the password would be IhtSSwtSi2018!. The password appears to be a meaningless jumble of letters, numbers, and characters, making it difficult to crack, but since it’s derived from a meaningful personal phrase it’s easy for you to remember.
Length is also a better predictor of password strength than complexity. The best passwords are usually between 12 and 15 characters. Passwords whose special characters and numbers are spread through the middle are also safer than passwords that concentrate them at the beginning or the end.
Lorrie Faith Cranor, Chief Technologist at the Federal Trade Commission, told Wired: “Most people put capital letters at the beginning and digits and symbols at the end. If you do that, you get very little benefit from adding these special characters.”
Many of the most critical rules for password management don’t have anything to do with creating a secure password at all, but rather relate to how you store and protect your password once you have it. Here are some precautions you should take with every password you use.
As hackers get more sophisticated, so does effective password management. IT professionals are constantly reviewing lessons learned and updating guidelines for creating strong passwords and protecting them more effectively.
In April of this year the National Institute of Standards and Technology (NIST) released updated guidance for creating and managing passwords. Though NIST information security standards are binding only for federal government agencies, private-sector companies often look to NIST as well for up-to-date information security best practices.
The biggest change to NIST’s Digital Identity Guidelines is that organizations should no longer require periodic password changes. Once the gold standard of effective password management, mandatory periodic password changes have since been shown to do more harm than good. Users often choose passwords that are easy to remember, which also makes them easier to hack. Or they simply change one character from the previous password, a trick hackers are very familiar with.
The updated NIST guidelines also move away from the recommendation that organizations require a certain type or number of characters. Instead of a complicated jumble of numbers and special characters, or just an exclamation mark added to a password you use somewhere else, NIST says a long password, such as a phrase that’s meaningful to you, is easier to remember and harder to hack. Organizations should also move away from character maximums and minimums, especially since the longer a password is, the stronger it is.
Finally, NIST recommends that organizations submit each newly created password to a strict validation process. Passwords such as “12345” or “password1,” or passwords that appear on a blacklist of commonly used or previously used passwords, should be rejected automatically by the system.
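As an added illustration (not code from AVI Systems or from NIST), the following Python verifier-side check applies the rules described above: a minimum length with no maximum and no composition rules, a blocklist of common passwords, rejection of sequences such as “12345,” and rejection of a new password that is only a one-character edit of the previous one. The 8-character minimum, the blocklist entries and the sample passwords are assumptions constructed for the example.

```python
"""Verifier-side password checks in the spirit of the NIST guidance above.
Added illustration; the blocklist and thresholds are constructed, not NIST's."""
from typing import List, Optional

MIN_LENGTH = 8  # assumption: a minimum only; no maximum, no composition rules

# Constructed sample blocklist. A real deployment would load a large list
# of commonly used and previously breached passwords; compared lower-cased.
BLOCKLIST = {"password", "password1", "12345", "123456", "qwerty", "letmein"}


def is_sequential(pw: str) -> bool:
    """True if every character steps +1 or -1 from the previous one ('12345', 'abcdef')."""
    if len(pw) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def is_repeated(pw: str) -> bool:
    """True if the password is a single character repeated ('aaaaaaaa')."""
    return len(pw) > 0 and len(set(pw)) == 1


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b are identical or differ by one substitution, insertion or deletion."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) <= 1
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    # Deleting one character from the longer string must yield the shorter one.
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def validate(pw: str, previous: Optional[str] = None) -> List[str]:
    """Return the reasons a password is rejected; an empty list means it is accepted."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in BLOCKLIST:
        reasons.append("appears on the blocklist of common passwords")
    if is_sequential(pw) or is_repeated(pw):
        reasons.append("sequential or repeated characters")
    # The 'change one character from the old password' trick from the NIST discussion.
    if previous is not None and within_one_edit(pw.lower(), previous.lower()):
        reasons.append("too similar to the previous password")
    return reasons
```

Running `validate("12345")` yields three reasons, while the passphrase-derived `validate("IhtSSwtSi2018!")` is accepted.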
Effective password management can and should be part of your organization’s larger cyber security strategy. AVI Systems’ white paper on deploying IT solutions with limited disruptions can help you get started on the right foot.