Managing Passwords: Do’s and Don’ts
Managing passwords and knowing the do’s and don’ts are critical in both our personal and work lives. Having so many passwords to manage and remember leads a lot of users to unintentionally form bad habits. So how do you make sure that your users’ bad password habits are not the weak link in your company’s security? There are solutions that can implemented at a corporate level, such as Single Sign-On, to reduce the number of passwords that users have to remember, but that is blog for another day. The reality is that a passwordless environment is not achievable in the short term for most companies, so IT and security professionals are left with the task of making the passwords in their environment as secure as possible. There are several easy-to-follow password guidelines that every company should implement.
The first thing that should be done to secure passwords is to stop using them. Train users to use passphrases instead of passwords. Cyber criminals have access to tools that are able to crack the old standard 8-10 character passwords with full complexity. These complex passwords also tend to be hard to remember if you have 20 of them, which leads users to form bad habits like writing them down or reusing the same password everywhere. Pass phrases help users form much longer passwords that are easier to remember and much harder to crack. NIST actually changed their recommendation from complex passwords to passphrases back in 2017, and wrote a great, easy to understand article about it, which you can find here. In this article, they show how an 11-character password with full complexity can be broken in 3 days, and how an easy to remember 28-character passphrase with no complexity would take 550 years to break. Once you start adding complexity to the passphrase the ability to guess it drops and the amount of time to crack it increases exponentially. The key is to use 4 or 5 random words that you can form an association between in your head, but wouldn’t make sense to anyone else. For example: “mirror TV fireplace vase”. That is completely random to everyone else, but that is what I see when I sit on my couch and is an image I can easily remember. If you want to add a little more complexity, include the quotation marks.
Use Password Managers
Though passphrases have been around for many years, and the recommendation to use them over complex passwords has been in place since at least 2017, many sites and applications are still not able to use them. Their password fields are locked down to the old 8-20 character limitations and require complexity. When a passphrase can’t be used, the complex password should be as long and complex as possible. This means that it will be something that users cannot remember. This brings in the need for a password manager. Companies should look to use a corporate controlled password manager to ensure that policies are followed and passwords are retained by the company when a user leaves. Many corporate and enterprise password manages provide an option for using their SaaS based model or deploying on an internal server to ensure that compliance requirements are met. These password managers also provide the ability to set policies on things like password access, length, and complexity for the included password generator (which should always be used when creating new passwords). These solutions also provide the ability for audit logging to track who accessed what password and when should the need arise to provide that information.
Use Multi-Factor Authentication
Multi-Factor Authentication (MFA) is critical for all corporate systems that contain sensitive information. It should be enabled and enforced wherever and whenever possible. Microsoft has stated multiple times and in multiple ways that MFA can block 99.9% of account compromise attacks1. How many times have we heard about data breaches in the last year, or the last month for that matter? They happen far more frequently than we are aware, and if your credentials were stolen in that breach, it doesn’t matter how complex your password was or how long your passphrase was because the attacker has a copy of it. However, if you have MFA enabled on your account, your password doesn’t matter. They also have to be able to pass your additional authentication methods which could include a code that you receive via text, a one-time password that you enter from application on your phone, or a push notification received on your mobile device as common methods. MFA for corporate applications can be extended to include facial recognition from your laptop camera, a certificate pushed from a corporate server that is stored on the PC, to the presence of your TPM chip on the motherboard combined with the fact that the device is joined to the corporate domain. There are many ways to make MFA seamless and painless for end users which removes the complexity argument regardless of the corporate user base. MFA should be viewed as an essential requirement for all corporate systems.
Though not every data breach makes the news, they do all need to be reported. If a company email address was compromised in a data breach anywhere, it could indicate a compromised account. Action should be taken as quickly as possible to ensure that user has MFA enabled everywhere possible and passwords are changed. There are some easy to use and free services available to help monitor for company email addresses listed in reported data breaches. For example, a company can submit their entire domain for monitoring (once they prove domain ownership) to haveibeenpwned.com for free, and then anytime an email address at that domain is found they will receive a notification email.
Abide the Classic Rules
There are a couple password rules that have been around forever, and they have lasted this long for good reason.
- Do not write your password down: This is obvious. If your password is taped to your monitor anyone can read it and login as you. Password managers should be used as they allow you to easily pull up a password that you can’t remember, but they store it in an encrypted and protected manner to prevent anyone else from accessing it.
- Do not share your password: There is never a need for anyone else to know your password and that includes IT support, your co-worker, or even your spouse (especially if we are talking about a work password).
- Do not use common passwords: These are highly susceptible to brute force attacks.
- No dictionary words
- No common passwords (there are lists on the internet for reference)
Do not use personal information as part of your password\passphrase
Using personal information like your spouse’s name, kids’ names, pets’ names, birthdates, addresses, and so on makes your credentials much more easily guessed by anyone that can find you on social media.
Do not reuse passwords
If you use the same password for multiple accounts then any compromised credential not only gets them into the account where they were able to steal the password, but everywhere else that you used it as well. Most importantly do not mix work email addresses and passwords with personal accounts. For example, let’s say that your favorite sandwich shop by your office finally has online ordering and you create an account on their website using your work email and the same password you use for everything including your network login, Office 365, and your HR\payroll application (BTW – you’re the HR director). There is a good chance that the security at the sandwich shop is not as robust as your corporate security and their user database gets compromised. Now your credentials are being sold to the highest bidder and the first thing they do is try those fresh credentials against Office 365 and they work. Now they are reading your email and they find out what SaaS solution you use for HR and payroll system and try your credentials there. Since you are the HR director, they have access to all of the employee data at your company. All of that data is now leaked and your company is in the news because you wanted to be able to order your “turkey on wheat” without remembering another password.
1Microsoft article on the effectiveness of MFA: https://www.microsoft.com/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/