Passwords have been present in information technology since the earliest days. However in the past few years’ hackers have developed password cracking tools which are powerful enough to crack common passwords in minutes. Today, eight-character passwords can be cracked by consumer password recovery software in under an hour, and more experienced hackers armed with rainbow tables and other free tools can crack 14-character passwords – including alpha-numeric passwords with special characters – in less than three minutes. This makes it imperative for technology users to adopt longer, stronger passwords.
So what can be done in your organisation to encourage staff not to use weak passwords?
The answer is to encourage the use of stronger passphrases and mandate that users update their passphrases on a regular basis. These updates can provide some measure of protection should a passphrase ever be compromised. It's also advisable to configure rules to prevent users from cycling through old, previously used passphrases.
Many organizations set passphrases to expire within 30 days or less, and require a minimum length, minimum age, and the use of special characters. These practices should be followed even in organizations where two-factor authentication is in place.
In addition to this, it is also advisable that IT teams teach their staff to not include easily-guessed information in their passwords, such as birthdays, family and pet names, or words for items hat appear within view of the user’s computer system. Also, warn staff not to use easily guessed words or common words such as `password' and simply replace characters such as “a” with an “@" or “o” with a zero. Hackers know this strategy and their software knows it too.
So what guidance can you give end users?
Don't use the same passphrase for multiple logins - and in particular don't mix personal passphrases with business ones. Keep everything separate so that even if one account is compromised, the rest are secure.
Never give anyone - including IT staff - your password. If an administrator truly needs your passphrase, change it before disclosing it, and then change it back when they no longer need access and ensure you are present when they are using your account.
Don't click links in emails from unknown senders, no matter how attractive or urgent they seem. And if your browser starts displaying pop-ups with unusual frequency or appearance – no matter where you are browsing - close your browser and scan your system for malware and adware.
And then there are the not-so-obvious points...
Even when logging onto websites, use passphrases that are 15 characters long whenever allowed. This can help safeguard your account on sites whose administrators may not be protecting stored passphrases by disabling vulnerable hashing algorithms.
If you do online banking, be sure to logout after each session. This invalidates the login session stored on your system. Then close all browser windows before leaving your machine. If you are using a tabbed browser, simply closing the single tab is NOT enough. You must close all browser tabs and windows to clear the cached data from further use.
Don't allow browsers to store your passphrases for you, as not all browsers store your logins in a secure fashion.
Lastly, users should never configure a computer to automatically log them on. If your system is configured for auto-logon, Windows may actually store your passphrase in clear text within the registry of the system in one or more well-known locations. This mistake can give even the most amateurish of hackers both access to your system and knowledge of your passphrase – a potentially dangerous combination.
Tips for the Enterprise
It’s also essential to consider the security of “privileged passwords”, which are the passwords that grant access to powerful administrator or root accounts. These passwords are particularly important to secure because if they fall into the wrong hands, the privileged accounts can be exploited to access and steal confidential data, add or remove programs, or alter system configuration settings.
Privileged passwords should be updated on a frequent schedule with complex and unique credentials for each account. They should also be safely stored and made available only to authorized IT staff, and all operations performed while using these privileged credentials should be audited. All of this is almost impossible to do by hand at scale, so all but the smallest organizations should consider investing in an automated privilege management solution.
Conclusions
Effective passphrase security is often said to be a “state of mind,” and we’ve heard words such as ‘holistic’ used to describe the process.
In truth, all that is needed to create a more secure environment is the right set of building blocks – security policies – that are enforced by automated systems, audited and reviewed to account for current and future security threats.
To achieve real security it is also essential to collaborate with end users with no less zeal than hackers collaborate amongst themselves to develop the tools to put your organization at risk.
Remember to automate as many processes as you can to secure and audit your organisation’s passphrases. This decreases the likelihood of any weaknesses being overlooked, and increases the odds of your being alerted to any unusual activity.
Hackers think creatively when it comes to compromising your network, so developing a comprehensive strategy - using tested ”building blocks” – is the right way to help defend your digital assets.