
        Cybersecurity Awareness Tip: Using Strong Passwords

        Published January 27, 2023 • By Nick Brown, Technical Product Manager • Blog

        In my years of cybersecurity practice, it’s become increasingly obvious that one of the most powerful methods of protecting yourself and your data is to use a strong password.

        This is a simple concept. Pretty much anyone who has ever used a computer is familiar with the concept of passwords nowadays, and they might even have some ideas or preconceived notions about what constitutes a strong password.

        There are many ways to improve the security, or "strength," of a password: adding special characters, avoiding repeated characters, using a passphrase, adding length, and so on.

        I'm not going to address those specifically; there are many resources to help with them. Instead, I'd like to talk about a few reasons why these strengthening steps are necessary and what motivates them.


        Plain Text Password Storage Is No Good

        In 2009, a company called RockYou suffered a breach. The attackers managed to exfiltrate its entire user list, passwords included. By itself a stolen user database isn't necessarily the end of the world, but RockYou hadn't stored the passwords securely: they were in plain text.

        So naturally that list of roughly 14 million unique passwords was (and still is) widely distributed online, readily available for password-guessing attacks. In fact, it ships out of the box with Kali Linux, a Linux distribution geared towards penetration testing, as the compressed word list rockyou.txt.gz.

        Using password-cracking tools with rule engines, such as hashcat or John the Ripper, anyone can take the RockYou list and massage, modify, or otherwise manipulate each entry (capitalize it, append a year, swap letters for digits) to create an even bigger list of candidates. And with a list like this, attackers can pre-compute the hashes of those candidates so that any unsalted hash they later obtain can be matched with a simple lookup.

        But we can learn from RockYou's mistake. Storing passwords as salted hashes, using a unique random salt per password and a deliberately slow algorithm such as bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count, makes precomputed tables useless and each guess expensive. The caveat is that salting only defeats precomputation: an attacker can still run the word list against each salted hash individually, so a weak or previously leaked password remains crackable no matter how it is stored.

        And while the RockYou breach itself is now mostly of historical (or research) interest, it still illustrates why everyone needs to use unique passwords that have never been used before; otherwise the password may appear on one of these lists someday.
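        Here is an added example (not part of the original post, and not RockYou's or anyone else's production code) that shows both sides of the attack described above in Python: an attacker building a precomputed table from a small constructed stand-in for the leaked list, recovering an unsalted SHA-256 hash with one lookup, and the defender's salted, iterated PBKDF2 storage that the same table cannot touch. The password list, the mangling rules, the storage format and the function names are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a leaked plaintext list such as rockyou.txt (not real leak data).
LEAKED_PASSWORDS = [
    "123456", "password", "iloveyou", "princess", "rockyou",
    "abc123", "letmein", "sunshine", "qwerty", "monkey",
]

LEET = str.maketrans("aeios", "43105")


def mangle(word):
    """A handful of rule-based variants of one leaked word, the kind of thing
    hashcat or John the Ripper rules produce by the million."""
    bases = {word, word.capitalize(), word.upper(), word.translate(LEET)}
    variants = set(bases)
    for base in bases:
        for suffix in ("1", "123", "!", "2023"):
            variants.add(base + suffix)
    return variants


def precompute_table(wordlist):
    """Attacker side: hash every candidate once, keyed by its unsalted SHA-256."""
    table = {}
    for word in wordlist:
        for candidate in mangle(word):
            table[hashlib.sha256(candidate.encode()).hexdigest()] = candidate
    return table


def store_unsalted(password):
    """The weak scheme: fast, unsalted SHA-256. Every user with the same
    password gets the same hash, and one precomputed table cracks them all."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_unsalted(stored_hex, table):
    """Attacker side: recovering an unsalted hash is a single dictionary lookup."""
    return table.get(stored_hex)


# Iteration count follows the 2023 OWASP recommendation for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def store_salted(password, iterations=PBKDF2_ITERATIONS):
    """Hardened scheme: a fresh random salt per password plus a deliberately
    slow key-derivation function. Format: algo$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def is_in_leaked_list(password, wordlist=LEAKED_PASSWORDS):
    """Defender side: refuse passwords (or common variants) already in a leak."""
    return any(password in mangle(word) for word in wordlist)


if __name__ == "__main__":
    table = precompute_table(LEAKED_PASSWORDS)
    print(crack_unsalted(store_unsalted("Sunshine1"), table))  # recovered by lookup
    salted = store_salted("Sunshine1")
    print(crack_unsalted(salted.split("$")[-1], table))       # None: salt defeats the table
    print(verify_salted("Sunshine1", salted))                  # True
```

        Note what the salted scheme does and does not buy: "Sunshine1" is no longer in the precomputed table, but an attacker holding the salted record can still feed the same mangled word list through PBKDF2 with that salt, just 600,000 times slower per guess. The is_in_leaked_list check is the control that actually keeps a leaked password out of the system.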

        Entropy, Not Just For Thermodynamics Class Anymore

        The relative difficulty of guessing a password can be calculated and measured using a concept called "password entropy." This is a measure of how unpredictable the password is, expressed in bits: a password with n bits of entropy is one of 2^n equally likely possibilities, so each additional bit doubles the work for an attacker who has to try them all.

        A password made of characters chosen at random from a large alphabet (letters of both cases, digits, and special characters) will naturally have higher entropy than an English word of the same length. Note that entropy is a property of how the password was chosen, not of how it looks: a dictionary word with a capital letter and a "1" appended looks complex, but an attacker who tries every dictionary word with a few common tweaks will still find it quickly. And simply using more types of characters isn't the only way to increase entropy.

        The other approach is the minimum password length you will see in just about any hardening standard or framework, such as PCI DSS, the CIS Benchmarks, or NIST SP 800-53.

        These length requirements are there to make sure that guessing the password takes a prohibitive amount of time for an attacker. Every extra character multiplies the number of possibilities by the size of the alphabet, so four extra lowercase characters add more entropy than upgrading an 8-character password from lowercase-only to all four character classes. This is why some security practitioners recommend a long passphrase rather than a shorter, more complex password.

        A passphrase that is at least 15-16 characters long but makes sense to the user will be easier to remember than an 8-character password full of special characters. This can also lead to better user behavior, since users don't have to write their passwords on sticky notes under the keyboard or in a drawer. One caveat: a well-known quote, song lyric, or book title is already in the attackers' word lists, so a passphrase should be several unrelated words, ideally chosen at random.
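        The following added example (mine, not from the original post) turns the entropy discussion into numbers. The character-class model is what most strength meters compute; the word-list and mangled-word models are how an attacker actually prices a random passphrase or a "complex" dictionary word. The dictionary size of 100,000 words, the 1,000 mangling rules, and the guess rate of ten billion per second are assumed figures chosen for comparison, not measurements.

```python
import math
import string

# Character classes a typical strength meter recognises, with their alphabet sizes.
CHAR_CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digits": string.digits,           # 10
    "symbols": string.punctuation,     # 32 printable ASCII symbols
}


def charset_size(password):
    """Size of the alphabet implied by the character classes actually present."""
    return sum(len(chars) for chars in CHAR_CLASSES.values()
               if any(c in chars for c in password))


def random_char_entropy_bits(password):
    """Entropy IF every character was picked uniformly at random from that
    alphabet. This is what strength meters usually report; it is an upper
    bound and grossly overstates a human-chosen word with substitutions."""
    return len(password) * math.log2(charset_size(password))


def passphrase_entropy_bits(n_words, wordlist_size):
    """Entropy of n words drawn uniformly at random from a list
    (a Diceware list has 7776 words, so about 12.9 bits per word)."""
    return n_words * math.log2(wordlist_size)


def mangled_word_entropy_bits(dictionary_size, rule_count):
    """Effective entropy of one dictionary word with a predictable tweak, as
    priced by an attacker who tries every word under every mangling rule."""
    return math.log2(dictionary_size * rule_count)


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try the entire space at a given guess rate."""
    return 2 ** bits / guesses_per_second


def compare_strategies(guesses_per_second=1e10):
    """Bits and exhaustion time for four password strategies at an assumed
    offline rate against a fast unsalted hash (1e10/s is a constructed figure)."""
    rows = {
        # "Tr0ub4d&" is used only for its shape: 8 characters, all four classes.
        "8 random chars, 4 classes": random_char_entropy_bits("Tr0ub4d&"),
        "16 random lowercase chars": random_char_entropy_bits("a" * 16),
        "4 random Diceware words": passphrase_entropy_bits(4, 7776),
        "dictionary word + leet/suffix": mangled_word_entropy_bits(100_000, 1_000),
    }
    return {name: (round(bits, 1), seconds_to_exhaust(bits, guesses_per_second))
            for name, bits in rows.items()}


if __name__ == "__main__":
    for name, (bits, seconds) in compare_strategies().items():
        print(f"{name:32s} {bits:5.1f} bits  ~{seconds / 86400:,.0f} days")
```

        Under the assumed rate, the 16-character random lowercase string comes out around 75 bits and the 8-character four-class string around 52 bits, which is roughly on par with four random Diceware words; the dictionary word with a leet substitution and suffix, which a strength meter would also score as four classes, sits near 27 bits and falls in seconds. The lesson is the one in the text: length and randomness, not character variety, are what make a password hard to guess.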

        Password Reuse and Password Managers

        You can have the strongest, most unpredictable password in the world, but if someone learns it, there's no protection anymore. This is why it's critical not to reuse passwords across multiple systems or services.

        If a bad actor gets access to one of them and happens to be able to see or guess the passwords (thanks, RockYou!), then that password should be considered compromised forever, on any and all systems. You can bet it will find its way onto a password list and be replayed in credential-stuffing attacks against every other service where the same email address and password might work.

        Since remembering reasonably long, complex passwords is something that humans aren’t known for being amazing at, password managers exist to pick up the slack. The most basic are effectively password vaults, tracking your login credentials across many different systems.

        But most also offer tools for creating passwords that conform to whatever the requirements are for complexity or length. The manager generates a random password with a cryptographically secure generator, and because it stores the password, the user never has to memorize it, or any of the other equally long and complex passwords in the vault.

        Many password managers use the concept of a master password that you DO need to remember in order to access the rest of the vault. Since that one secret unlocks everything, it should itself be a long, unique passphrase, and the vault should be protected with multi-factor authentication where the manager supports it. This makes password safety and security much easier and drives better behavior by removing some of the common complaints and pain of setting and changing passwords.
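        As an added example of what a password manager's generator does (example code written for this post, not any particular manager's implementation), the block below generates policy-compliant random passwords and random passphrases with Python's secrets module. The policy, the 16-word list, and the function names are assumptions.

```python
import secrets
import string

CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)
ALPHABET = "".join(CLASSES)


def meets_policy(password, min_length=12, classes=CLASSES):
    """Policy check: minimum length and at least one character from each class."""
    return len(password) >= min_length and all(
        any(c in cls for c in password) for cls in classes
    )


def generate_password(length=20, classes=CLASSES):
    """Cryptographically random password that satisfies meets_policy().

    Rejection sampling (draw, check, retry) keeps the result uniformly
    distributed over all policy-compliant strings; "fix-ups" that force one
    character of each class into fixed positions would skew the distribution."""
    if length < len(classes):
        raise ValueError("length too short to include every required class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, min_length=length, classes=classes):
            return candidate


# Constructed 16-word list for illustration only. A real generator uses a
# large list (e.g. the 7776-word Diceware list); with 16 words each word adds
# only 4 bits, so this list is far too small for real use.
WORDS = [
    "anchor", "bright", "cactus", "dragon", "ember", "falcon", "garden", "harbor",
    "island", "jigsaw", "kettle", "lantern", "marble", "nickel", "orbit", "pepper",
]


def generate_passphrase(n_words=5, wordlist=WORDS, sep="-"):
    """Random passphrase: n words drawn independently and uniformly from the list.
    secrets.choice, not random.choice: the latter is seeded predictably."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    print(generate_password(20))
    print(generate_passphrase(5))
```

        The two things worth copying from this are the use of the secrets module rather than random, and the rejection-sampling loop: drawing the whole password at random and retrying until the policy is met is the simplest way to satisfy a composition rule without biasing the output.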

        Becoming and Staying Secure

        Whatever your strong password may be, that’s only one part of a secure system alongside multi-factor authentication, software updates and mindfulness when it comes to phishing. It’s clear that effective security awareness programs and security-minded employees are crucial components in preventing breaches.

        With the Reciprocity® ROAR platform, you can keep track of your program’s effectiveness to ensure your employees are learning the right information at the right time to keep your organization safe and your data secure. And bonus, you can also ensure you’re staying compliant with your security frameworks! That’s a win-win for both risk and compliance.

        Why not give it a try? Sign up for our FREE trial of the Reciprocity ROAR Platform. No credit card required, unlimited time to explore. Or register for a FREE live demo to see ROAR in action.
