Are your employees doing a good job choosing and protecting their passwords?
Password strength is very important. According to Verizon’s 2018 Data Breach Investigation Report, 81% of hacking-related data breaches involved either a stolen or a weak password. According to a separate analysis of 10 million stolen password by WordPress, the crack time for the average password – including professionals at Google, DropBox, and other tech companies – was just 22 seconds.
If so many people are getting it wrong, what makes a good password? For many years we’ve been told that it’s a password that contains a mix of upper- and lower-case letters, along with special characters or numbers sprinkled in. This idea originates from a paper written by Bill Burr who, in the early part of the 2000s, was a researcher at the National Institute for Standards and Technology (NIST).
The problem with this method? People tend to choose predictable patterns for adding those elements to a password, so often in fact that they have a negligible benefit to real-world password security. Among the 10 million leaked passwords we just mentioned, 8.4% of them added a “1” to the end of the password to satisfy the numerical character requirement. In a story published in the Wall St. Journal last year, Mr. Burr expressed his regret at writing the paper.
Since then, the NIST has released new recommendations for password strength, which you can read here in Special Publication 800-63B on Digital Identity Guidelines. Many of the suggestions contradict the earlier guidelines and the orthodoxy that took hold around them. Here’s what the NIST is recommending now:
This convention, which created trouble for employees and the IT staff, turns out to be false. This study, originating right here in North Carolina, shows that when forced to change passwords, people tend to just go from “tarHEEL1” to “tarHEEL2” or other minor variations. Those do nothing to increase security and, in fact, can harm it. Hackers have programs that exploit this predictability and can swiftly gain entry into those poorly protected systems. Similar research, conducted at Carleton University in Canada, yielded the same conclusion.
The second major takeaway from Special Publication 800-63B is to stop relying on upper case letters and numbers. While there’s still value to using special characters in passwords (like “#” or “%” symbols), this study by Matt Dell’Amico at Symantec Research found that because people tend to use uppercase letters at the beginning of their passwords and numbers at the end, their effectiveness in making your password uncrackable is severely diminished.
Are there any other conventions that are worth keeping in mind as to password security? Yes, there are.
There is ample evidence to show that the longer a password is, not just the more complex it is, the lesser the chance that a hacker will be able to crack it. The UK government released this article in 2015 advocating for 3 random English words as the basis for a strong password, a number which several sources – including this viral cartoon — have since revised upward to four random English words. Some sources even advocate six random words. The major takeaway is to make the password as long as you can feasibly remember.
But the random words are just the beginning, or they should be. While random words are an excellent foundation for a strong password, as this blog article from security consultant Paul Moore points out, they still need to be combined with strategically used special characters and numbers in order to maximize security.
Now that we know what a solid password consists of, it’s time to go build one. Get creative, and think about random words, with no apparent connection to each other, and then apply numbers or special characters in the middle of the password, avoiding all well-known conventions like replacing an “A” with a “4” or an “E” with a “3.” Password cracking software is trained to go straight for such weaknesses.
To discern whether your password ideas are strong enough, it may help you to use some of the available tools to do so, as they can give us a glimpse into how computers “think,” and help you design the most effective password possible. Try password strength checkers, like HowSecureIsMyPassword, to test your password ideas. Here’s an interesting “password meter,” developed by a joint collaboration between Carnegie Mellon and the University of Chicago that will score the strength of your password and give you a critique to help you improve its resiliency.
Are you responsible for managing passwords throughout your organization? Here are some final password tips for both users and system administrators that can help make sure bad passwords don’t cause your business trouble:
Do you need help implementing strong identity and access management controls, or securing other aspects of your company’s network or technology? The Complete Network team has a history of providing comprehensive, proactive cybersecurity services to help SMEs in a variety of industries defend against the latest cyberthreats. Get in touch, we’d love to answer any questions you might have and help you better secure your business.
We know that the first step toward better IT support is to research your options. We’ve put this guide together to aid you in that process.
It’s designed to give you an overview of our organization, so that you have the key information you need to evaluate our service fit.
This guide covers:
Download it for free by filling out the form here.