Security Matters: Password Security
Password. That’s a cringe-inducing word. What a pain; you constantly need to change your passwords. You have to use mental gymnastics to remember all of them, and don’t get me started on special characters. I hate passwords.
Yes, I am the Chief Information Security Officer of a large organization, and I can admit I hate passwords just as much as anyone else. Now, I know they are extremely important but, in my opinion, they are often mismanaged.
When IT administrators pile restrictions onto passwords, we actually drive people to more dangerous practices, like writing passwords on a sticky note or using the same password for everything they log in to. Passwords, hated as they are, remain a necessity, so I would like to explore them and show that the pain can be eased.
Password vs. Passphrase
First, let’s take a look at password complexity. Windows’ built-in complexity rule, combined with the eight-character minimum most organizations set on top of it, requires characters from at least three of four classes: uppercase letters, lowercase letters, digits and special characters. By this rule, “Password1!” is an acceptable password. Unfortunately, from past experience, this is exactly the kind of password I see being used. It follows a predictable pattern: an English word with a capital first letter, a number, and a special character, in that order.
The full explanation of why this is unsafe deserves its own article, but the short version is that attackers do not guess character by character. They run a word list through rules such as “capitalize the first letter, append a digit, append a symbol”, so if an organization’s password hashes are ever stolen, this pattern lets them recover the plain-text passwords of a large majority of users in a matter of hours.
A much better approach to password security is to drop the complexity requirements and instead require much longer passwords called “passphrases”. This is also the direction current guidance has taken: NIST SP 800-63B recommends favoring length over composition rules. I know what you are saying. “I have to remember a longer password and that is better!?!?” Hear me out: Yes, it is. A passphrase is easier to remember.
Think about it. Which would be easier to remember, the password, “HaRdS1#!”, or the passphrase, “I like the flowers in the springtime?” I think we can all agree the second one is much easier to remember, because this is how our brains are wired. A plain-English phrase is something we have been memorizing since childhood.
What is less obvious is that the passphrase is also far more secure. Passwords are stored as hashes, and an attacker who steals them guesses candidates and hashes each one until a match appears. Against a fast hash such as NTLM, a modern GPU rig can exhaust every eight-character combination in roughly a day, while running the same exhaustive search over a 15-character passphrase would take far longer than the age of the universe with the computing power available today. Attackers know this and attack passphrases by combining dictionary words instead, which is why the phrase should be several words of your own choosing and not a famous quote, song lyric or line from a book that already sits on their phrase lists.
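To make the comparison above concrete, here is an added example (not from the original article) that models the two attacks a cracker actually runs: a blind brute force over printable ASCII, and a targeted search that exploits the password’s shape, either “word + digits + symbol” or “several dictionary words”. The word-list size (20,000), the 1e11 hashes per second rate and the `assess` helper are assumptions chosen for illustration, not measurements.

```python
"""Added example: how long the two cracking strategies take against the page's examples."""
import re

PRINTABLE_ASCII = 95          # alphabet a blind brute force has to cover
LETTERS = 52                  # upper + lower case letters
SPECIALS = 33                 # printable non-alphanumeric ASCII characters
DICTIONARY_WORDS = 20_000     # assumption: size of the attacker's word list
HASHES_PER_SECOND = 1e11      # assumption: GPU rig against a fast unsalted hash such as NTLM

# The shape the article describes: letters, then digits, then special characters.
WORD_DIGITS_SPECIAL = re.compile(r"([A-Za-z]+)(\d+)([^\w\s]+)")


def brute_force_space(length: int) -> int:
    """Candidates an attacker must try when nothing about the password is known."""
    return PRINTABLE_ASCII ** length


def targeted_space(password: str) -> int:
    """Candidates the attacker actually needs once they exploit the password's shape."""
    m = WORD_DIGITS_SPECIAL.fullmatch(password)
    if m:
        word, digits, specials = m.groups()
        # Letter part: a dictionary word with a case toggle, unless the letters are so
        # few that trying every letter combination is cheaper than the word list.
        letter_part = min(DICTIONARY_WORDS * 2, LETTERS ** len(word))
        return letter_part * 10 ** len(digits) * SPECIALS ** len(specials)
    words = password.split()
    if len(words) > 1 and all(w.isalpha() for w in words):
        # Passphrase: the attacker combines whole dictionary words, not characters.
        return DICTIONARY_WORDS ** len(words)
    # No recognisable structure: blind brute force is the best available attack.
    return brute_force_space(len(password))


def crack_seconds(candidates: int) -> float:
    """Worst-case time to exhaust the candidate set at the assumed hash rate."""
    return candidates / HASHES_PER_SECOND


def assess(password: str) -> dict:
    """Both attack models side by side for one password."""
    blind = brute_force_space(len(password))
    targeted = targeted_space(password)
    return {
        "length": len(password),
        "blind_candidates": blind,
        "blind_seconds": crack_seconds(blind),
        "targeted_candidates": targeted,
        "targeted_seconds": crack_seconds(targeted),
    }


if __name__ == "__main__":
    for pw in ("Password1!", "HaRdS1#!", "I like the flowers in the springtime"):
        r = assess(pw)
        print(f"{pw!r}: blind {r['blind_seconds']:.3g} s, targeted {r['targeted_seconds']:.3g} s")
```

Under these assumptions “HaRdS1#!” takes about 18 hours by blind brute force, which is the “about a day” figure above, but a fraction of a second once the attacker’s rules match its shape. “Password1!” looks stronger to a blind search because it is ten characters long, yet it falls in a millisecond to the targeted search. The seven-word passphrase stays at roughly 10^19 seconds even when the attacker combines dictionary words instead of characters.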
Passwords In Practice
Now, let’s take a look at password re-use. I know it is tempting to come up with one good password and use it on every website. This is a dangerous practice because websites are breached daily, and passwords are not always stored securely. Many large sites have had breaches in which their entire user databases were taken and posted publicly on the web.
Take a look at haveibeenpwned.com. Enter your email address and it will tell you whether that address appears in the public breach data it has indexed. The danger is that once your email address and password are exposed together, criminals feed the pair into automated login attempts at other sites, a technique known as credential stuffing. For example, if your Dropbox password is the same one you use for online banking, change it immediately: Dropbox suffered a breach in 2012 whose full scope, about 68 million accounts, only became public in 2016.
This is why I recommend the use of a password manager. The one I use is LastPass but there are several excellent ones out there. The idea of a password manager is that it generates a unique random password for each website you log in to, and you only need to remember one master password to unlock all the others. The master password itself is never stored. It is run through a deliberately slow key-derivation function to produce the key that encrypts the vault, so the stored passwords are only usable once you have unlocked them with your master password, and anyone who steals the vault file is left guessing the master password one slow attempt at a time.
Therefore, a password manager lets you have unique passwords for every site while only needing to remember one. If one of your accounts is ever compromised, the attacker cannot use that password on another site to perform some nefarious activity. All you have to do is visit the site that was breached and let the password manager generate a new random password for it.
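The following is an added example, not code from the article or from any password manager, of the three ideas above: random per-site passwords from the operating system’s CSPRNG, a master password stretched into a vault key with a slow KDF, and rotation of just the breached site. The `Vault` class, its verifier construction and the 600,000 PBKDF2 iterations (the OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256) are assumptions made here for illustration. The actual encryption of the stored entries, which a real manager does with an authenticated cipher such as AES-GCM, is omitted because the standard library ships none; the key derivation is the part that matters for the master-password argument.

```python
"""Added example: what a password manager does with the one password you remember."""
import hashlib
import hmac
import secrets
import string
from math import log2

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
KDF_ITERATIONS = 600_000   # assumption: PBKDF2-HMAC-SHA256 work factor per OWASP guidance
VERIFIER_LABEL = b"vault-verifier"


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """A fresh random password from the OS CSPRNG (secrets, never random)."""
    if length < 12:
        raise ValueError("generated site passwords should be long; 12 is the floor here")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly random password: log2(|alphabet|) bits per character."""
    return length * log2(len(alphabet))


def derive_vault_key(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch the master password into a 256-bit key; the vault would be encrypted with it."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


class Vault:
    """Minimal vault (assumed design): one master password, one random password per site."""

    def __init__(self, master_password: str) -> None:
        self.salt = secrets.token_bytes(16)          # random per vault, stored in the clear
        self._key = derive_vault_key(master_password, self.salt)
        # Verifier lets us reject a wrong master password. Whoever steals the vault file can
        # test guesses against it too, which is exactly why the KDF is made slow.
        self._verifier = hmac.new(self._key, VERIFIER_LABEL, hashlib.sha256).digest()
        self._entries = {}                            # site -> password (would be ciphertext)

    def unlock(self, master_password: str) -> bool:
        key = derive_vault_key(master_password, self.salt)
        candidate = hmac.new(key, VERIFIER_LABEL, hashlib.sha256).digest()
        return hmac.compare_digest(candidate, self._verifier)

    def add_site(self, site: str, length: int = 20) -> str:
        self._entries[site] = generate_password(length)
        return self._entries[site]

    def rotate(self, site: str) -> str:
        """After a breach at `site`, replace only that site's password; others are untouched."""
        return self.add_site(site)

    def reused(self) -> set:
        """Sites sharing a password with another entry; with generated passwords this is empty."""
        seen = {}
        duplicates = set()
        for site, pw in self._entries.items():
            if pw in seen:
                duplicates.update({site, seen[pw]})
            seen[pw] = site
        return duplicates


if __name__ == "__main__":
    vault = Vault("I like the flowers in the springtime")
    print("bank password:", vault.add_site("bank.example"))
    print("dropbox password:", vault.add_site("dropbox.com"))
    print("rotated dropbox password:", vault.rotate("dropbox.com"))
    print("wrong master accepted?", vault.unlock("Password1!"))
    print(f"bits per 20-char password: {password_bits(20):.1f}")
```

A 20-character password from this 94-symbol alphabet carries about 131 bits of entropy, far beyond anything the cracking estimates earlier in the article could reach, and because each one is independent, the breach of one site tells the attacker nothing about the others.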
Two Steps Are Better Than One
Finally, let’s look at two-factor authentication. Two-factor authentication adds something you have to the something you know: a hardware key you plug into your computer, a code sent to your phone by text message, or an authenticator app on your phone. These are not equally strong. A text message can be intercepted by an attacker who talks your carrier into moving your number to their SIM; an app generates codes that never cross the network; and a hardware key that speaks FIDO/WebAuthn is bound to the real site’s origin, so it cannot be phished at all. Any of them, though, is a large improvement over a password alone.
This, in my opinion, is the closest thing we have to a solution. You can let everyone use a much easier-to-remember password, and if it is ever compromised the attacker still can’t get into the system without the device you carry with you. The second factor is a backstop, not a license for “Password1!”, because most environments still fall back to the password alone somewhere, such as an account-recovery flow or an older protocol that was never taught about the second factor.
For example, someone gets your username and password for your bank account, but you have two-factor authentication set up. When the attacker tries to log in, you get a notification on your phone that someone is trying to log in to your bank account, and the mobile app asks you to press “Confirm login” to allow the login to continue.
Since you are not the one logging in, you deny the request and go change your bank password. Never approve a prompt you did not initiate: attackers who already hold your password will send prompts over and over hoping you tap “Confirm” just to make them stop. With the disaster averted, you can contact your bank and report the incident, knowing your hard-earned money is still safe.
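To show what the “application on your phone” factor actually computes, here is an added example, not from the article or any vendor, of RFC 6238 time-based one-time passwords with both sides: the phone deriving the six-digit code from a shared secret and the clock, and the server verifying it with a small drift window while refusing to accept the same code twice. The functions and the replay-tracking `last_counter` parameter are this example’s own design; the Base32 seed in the usage block is the public test seed from RFC 6238, not a real secret.

```python
"""Added example: RFC 6238 TOTP, the phone's side and the server's side."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, then dynamic truncation to `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter taken from the clock. This is what the app displays."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, last_counter: int = -1,
                window: int = 1, step: int = STEP_SECONDS) -> Optional[int]:
    """Server side. Returns the counter that matched, or None.

    `window` tolerates clock drift of +/- one step between phone and server.
    `last_counter` is the counter the server accepted last time: codes are single-use, so
    anything at or before it is rejected even if it matches. That stops an attacker who
    phished a code from replaying it within the same 30-second step.
    """
    now = at // step
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, DIGITS), code):
            return counter
    return None


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps are provisioned with a Base32 secret (the otpauth:// QR code)."""
    cleaned = text.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")  # RFC 6238 test seed
    now = int(time.time())
    code = totp(secret, now)                       # phone shows this
    accepted = verify_totp(secret, code, now)      # server checks it
    print("code", code, "accepted at counter", accepted)
    print("same code again accepted?", verify_totp(secret, code, now, last_counter=accepted))
```

The server stores only the shared secret and the last accepted counter per user; an attacker who has the password but not the secret cannot produce a valid code, and one who captures a code has at most 30 seconds and a single use. Push-style “Confirm login” apps work on the same principle with the server generating the challenge instead of the clock.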