In my years of cybersecurity practice, it’s become increasingly obvious that one of the most powerful methods of protecting yourself and your data is to use a strong password.
This is a simple concept. Pretty much anyone who has ever used a computer is familiar with the concept of passwords nowadays, and they might even have some ideas or preconceived notions about what constitutes a strong password.
However, there are lots of ways of improving the security and “strength” of a password, like adding special characters, no repetitions, using a passphrase, adding length, etc.
I’m not going to address those specifically; there are many resources to help with this. Instead, what I’d like to talk about is a few reasons why these strengthening steps are necessary and what motivates them.
Plain Text Password Storage Is No Good
In 2009, a company called RockYou suffered a breach. The attackers managed to exfiltrate their entire user list, including passwords. A leaked user table is bad but usually survivable if the passwords were properly hashed; RockYou hadn’t stored them securely. They were in plain text.
So naturally, that list of roughly 14 million unique passwords was (and still is) widely distributed online, readily available for use in password guessing attacks. In fact, the list ships out-of-the-box with every installation of Kali Linux, a Linux distribution geared towards security research, as the wordlist rockyou.txt.
Using password-cracking tools such as hashcat or John the Ripper, anyone can take the RockYou list and apply “rules” that capitalize, append digits or years, or swap letters for symbols, turning it into an even bigger list of candidate passwords. With a list like this, an attacker can precompute the hash of every candidate once and then identify any matching password in a leaked database with a single lookup per hash.
But we can learn from RockYou’s mistake. Hashing each password with a unique, random salt makes that precomputed table useless, because every user’s hash has to be recomputed separately, and using a deliberately slow hash such as bcrypt or Argon2 makes each of those recomputations expensive. Salting does not stop an attacker from trying the list against one user’s hash; it only stops the work from being shared across all users, which is why the strength of the password itself still matters.
And while it may only be of interest for historical reasons (or for security research), it still serves to illustrate why everyone needs to be using unique passwords that haven’t been used before or else it may appear on one of these lists someday.
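The following is an added example (not code from the original post) showing the three ideas above in miniature: rule-based mangling of a leaked wordlist, a precomputed hash lookup table that cracks unsalted hashes in one dictionary lookup each, and why a per-user salt forces the attacker back to rehashing every candidate for every user. The four-word wordlist, the mangling rules and SHA-256 as the storage hash are all constructed for illustration; a real list is millions of entries and real rule files are far larger.

```python
# Added example: wordlist mangling, precomputed hash lookup, and the effect
# of salting. Not code from the original post; wordlist and rules are constructed.
import hashlib
import os

# Constructed stand-in for a few lines of a leaked wordlist such as rockyou.txt.
LEAKED_WORDS = ["password", "iloveyou", "princess", "sunshine"]


def mangle(word):
    """Apply a few mangling rules of the kind hashcat/John rule files encode:
    capitalization, appended digits, years and symbols, and leet substitutions."""
    out = {word, word.capitalize(), word.upper()}
    for suffix in ("1", "123", "!", "2009"):
        out.add(word + suffix)
        out.add(word.capitalize() + suffix)
    out.add(word.replace("a", "@").replace("e", "3").replace("o", "0"))
    return out


def build_candidates(words):
    """Expand every leaked word through the rules into a candidate set."""
    candidates = set()
    for w in words:
        candidates |= mangle(w)
    return candidates


def sha256_hex(data: bytes) -> str:
    # Fast, unsalted SHA-256 stands in for whatever weak scheme the site used.
    return hashlib.sha256(data).hexdigest()


def build_lookup_table(candidates):
    """Precompute the unsalted hash of every candidate once: hash -> password.
    This work is done before any breach and reused against every victim."""
    return {sha256_hex(c.encode()): c for c in candidates}


def crack_unsalted(stored_hash, table):
    """Unsalted storage: one dictionary lookup per leaked hash."""
    return table.get(stored_hash)


def crack_salted(stored_hash, salt, candidates):
    """Salted storage: the table is useless, every candidate must be rehashed
    with this particular user's salt. A slow hash makes each step costly."""
    for c in candidates:
        if sha256_hex(salt + c.encode()) == stored_hash:
            return c
    return None


if __name__ == "__main__":
    cands = build_candidates(LEAKED_WORDS)
    table = build_lookup_table(cands)

    # Victim 1 stored "Princess123" unsalted: cracked by lookup.
    h1 = sha256_hex(b"Princess123")
    print("unsalted lookup:", crack_unsalted(h1, table))

    # Victim 2 stored the same password with a random per-user salt.
    salt = os.urandom(16)
    h2 = sha256_hex(salt + b"Princess123")
    print("salted, table lookup:", crack_unsalted(h2, table))
    print("salted, per-user rehash:", crack_salted(h2, salt, cands))
```

Note what the salt does and does not buy: the precomputed table misses the salted hash, but the weak password is still recovered once the attacker rehashes the candidates with that one salt. Salting and a slow hash raise the cost per user; only a password that is not on any list and not derivable by rules keeps it out of reach.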
Entropy, Not Just For Thermodynamics Class Anymore
The relative difficulty of guessing a password can be estimated using a concept called “password entropy,” measured in bits. It describes how many equally likely choices the password was picked from, and therefore how many guesses an attacker should expect to need; each additional bit doubles that number.
Entropy is a property of how the password was chosen, not of how it looks. A string of random characters drawn from the full keyboard has far more entropy than an English word of the same length, because the word was one choice from a dictionary of tens of thousands rather than one of trillions of possible strings. However, simply using more types of characters isn’t the only way to increase entropy.
The other lever is length, which is why a minimum password length appears in just about every hardening standard or framework, such as PCI DSS, the CIS Benchmarks, or NIST SP 800-53 (which points to the password guidance in NIST SP 800-63B).
Length adds entropy multiplicatively: every extra character multiplies the number of possible passwords by the size of the character set, so a longer password from a small alphabet can easily outscore a shorter one from a large alphabet. These requirements exist so that guessing the password takes a prohibitive amount of time, and this is why some security practitioners recommend a long passphrase rather than a shorter, more complex password.
A passphrase that is at least 15-16 characters long but makes sense to the user will be easier to remember than a password with lots of special characters that is only 8 characters long. This can also lead to better user behavior, since the users don’t have to write down their passwords on sticky notes on the bottom of their keyboard or drawer.
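The following is an added example (not part of the original post) that works the entropy arithmetic through for the password shapes discussed above: an 8-character password over the 95 printable ASCII characters, a 16-character lowercase passphrase, and a passphrase of words picked at random from a wordlist. The guess rates used to convert bits into time are assumptions chosen for illustration, not measurements; the shape of the comparison is what matters.

```python
# Added example: password entropy and expected cracking time.
# Not code from the original post; the guess rates are assumed values.
import math

# Alphabet sizes for passwords chosen uniformly at random.
PRINTABLE_ASCII = 95      # letters, digits, punctuation and space
LOWERCASE = 26
DICEWARE_WORDS = 7776     # size of the standard Diceware wordlist (6^5)


def entropy_bits(alphabet_size, length):
    """Entropy of a secret made of `length` independent, uniformly random
    choices from `alphabet_size` options: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits):
    """On average an attacker finds the password halfway through the space."""
    return 2 ** (bits - 1)


def seconds_to_crack(bits, guesses_per_second):
    return expected_guesses(bits) / guesses_per_second


def compare(guesses_per_second):
    """Return {label: (bits, years)} for the password shapes from the text."""
    shapes = {
        "8 random printable chars": entropy_bits(PRINTABLE_ASCII, 8),
        "16 random lowercase chars": entropy_bits(LOWERCASE, 16),
        "6 random Diceware words": entropy_bits(DICEWARE_WORDS, 6),
    }
    year = 365 * 24 * 3600
    return {k: (b, seconds_to_crack(b, guesses_per_second) / year)
            for k, b in shapes.items()}


if __name__ == "__main__":
    # Assumed rates: a fast unsalted hash on GPUs versus a slow hash such as
    # bcrypt tuned to around 100k guesses per second. Illustrative only.
    for rate, label in ((1e10, "fast hash, ~1e10/s"), (1e5, "slow hash, ~1e5/s")):
        print(label)
        for name, (bits, years) in compare(rate).items():
            print(f"  {name:28s} {bits:6.1f} bits  ~{years:.3g} years")
```

Two caveats a practitioner should keep in mind. The formula only holds when the choices really are uniformly random: a 16-character passphrase made of a memorable sentence is worth the entropy of the words chosen, not 16 × log2(26). And the attacker’s guess rate is set by the hashing scheme on the server, which the user does not control, so length is the part of the equation the user can actually influence.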
Password Reuse and Password Managers
You can have the strongest, most unpredictable password in the world, but if someone learns it then there’s no protection anymore. This is why it’s critical not to reuse passwords across multiple systems or services.
If a bad actor gets access to one of them and happens to be able to see or guess the password (thanks, RockYou!), then that password should be considered forever compromised on any and all systems. You can bet that it will find its way onto a password list and be replayed against other services in future credential-stuffing attacks.
Since remembering reasonably long, complex passwords is something that humans aren’t known for being amazing at, password managers exist to pick up the slack. The most basic are effectively password vaults, tracking your login credentials across many different systems.
But most also offer tools for generating passwords that conform to whatever the requirements are for complexity or length. This produces a truly random password for each site and removes the need to memorize it, or any of the other passwords that are equally long and complex.
Many password managers use the concept of a master password that you DO need to remember in order to access the rest of the vault. This makes password safety and security much easier and drives better behavior by removing some of the common complaints and pain of setting and changing passwords.
Becoming and Staying Secure
Whatever your strong password may be, that’s only one part of a secure system alongside multi-factor authentication, software updates and mindfulness when it comes to phishing. It’s clear that effective security awareness programs and security-minded employees are crucial components in preventing breaches.
With ZenGRC, you can keep track of your program’s effectiveness to ensure your employees are learning the right information at the right time to keep your organization safe and your data secure. And bonus, you can also ensure you’re staying compliant with your security frameworks! That’s a win-win for both risk and compliance.
Why not give it a try? Register for a FREE live demo to see ZenGRC in action.