4th May 2023
World Password Day
Started in 2013 by Intel, World Password Day is designed to raise awareness of the role strong passwords play in securing our digital lives. Now more than ever, with the increasing frequency and sophistication of cyberattacks, it is essential for individuals and organisations to keep up with best practice for password management. Although strong passwords are not a cure-all for making your organisation cyber resilient, they are still one of the most effective security measures. However, technology and cyber-criminals' approaches are ever-changing, so the advice changes over time.
Today we want to raise awareness not only of what counts as good password advice in 2023 but also of the reasons behind it. So here are some of the ways cyber-criminals get hold of passwords, and how to defend against them.
In a brute-force attack, an attacker uses high-speed computing power to try every character combination until one matches the password or, more commonly, a stolen password hash*.
Hive Systems' research gives an idea of how long it takes to brute-force a password with that year's technology. According to their 2023 table, a complex (numbers, upper and lower case letters, and symbols) 8-character password can be broken in five minutes, while a 14-character complex password would take around 1 million years. Note that figures like these assume the attacker already holds the password hash and can test guesses offline; against a live login form with rate limiting or account lockout the attack is far slower.
So the longer a password, the longer it takes to brute-force, and the same goes for complexity: the same 8-character password using only lower case letters could be brute-forced in under a second, and a 14-character lower-case password in about a year.
Consider the growth of computing power and the easy availability of powerful cloud computing instances, and think ahead: the same 8-character complex password that now falls in 5 minutes would have taken around 8 hours to crack six years earlier.
So, to defend against brute-force attacks, a password should be long and complex.
*Passwords should never be stored in plain text. Typically, an application converts the password with a special one-way algorithm (a password hash function, ideally a deliberately slow, salted one such as bcrypt, scrypt, or Argon2) and stores only the resulting password hash. At login, the submitted password is hashed the same way and the checking function only compares the new hash with the stored one. If an attacker steals the stored hashes in a breach, they can make as many guesses as their hardware allows, offline and with no rate limiting, which is the scenario the brute-force figures above describe.
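The loop behind the brute-force figures above, and the hashing the footnote describes, as an added example that is not part of the original post. Assumptions not taken from the page: unsalted SHA-256 stands in for a fast hash, PBKDF2-HMAC-SHA256 for a slow, salted one, and the guess rate used for the time estimates is an illustrative constant rather than a measurement.

```python
"""Added example (not from the original post): keyspace arithmetic, an
actual exhaustive search against a fast hash, and the slow salted hashing
that makes each guess expensive. SHA-256, PBKDF2 and the guess rate are
assumptions for the demonstration, not figures from the page."""
import hashlib
import hmac
import itertools
import os
import string
from typing import Optional, Tuple

LOWER = string.ascii_lowercase                                        # 26 symbols
COMPLEX = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Assumed guess rate against a fast unsalted hash on a GPU rig (illustrative only).
ASSUMED_GUESSES_PER_SECOND = 10 ** 11


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def keyspace(length: int, charset: str) -> int:
    """Number of candidate passwords of exactly `length` drawn from `charset`."""
    return len(charset) ** length


def crack_time_seconds(length: int, charset: str,
                       guesses_per_second: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case seconds to exhaust the keyspace; the average case is half of this."""
    return keyspace(length, charset) / guesses_per_second


def brute_force_sha256(target_hex: str, charset: str, max_length: int) -> Tuple[Optional[str], int]:
    """Try every string up to `max_length` until one hashes to `target_hex`.

    Returns (password, guesses), or (None, guesses) if the keyspace is exhausted.
    This is exactly the loop a cracking tool runs, minus the speed.
    """
    guesses = 0
    for length in range(1, max_length + 1):
        for combo in itertools.product(charset, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hex:
                return candidate, guesses
    return None, guesses


# --- what the stored value should look like: slow, salted hashing -------------
PBKDF2_ITERATIONS = 600_000  # work factor; the 2023 OWASP figure for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user defeats precomputed
    tables and means two users with the same password get different hashes."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Hash the submitted password with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


if __name__ == "__main__":
    for charset, name in ((LOWER, "lowercase only"), (COMPLEX, "complex")):
        for length in (8, 14):
            print(f"{length}-char {name}: {crack_time_seconds(length, charset):.3g} s worst case")

    # Constructed target: SHA-256 of a short lowercase password, recovered by exhaustion.
    print("cracked:", brute_force_sha256(sha256_hex("dog"), LOWER, 3))

    # With a slow hash every guess costs 600,000 rounds instead of one, so the
    # same attacker's guess rate drops by roughly that factor.
    salt, digest = hash_password("correct horse")
    print("verify right:", verify_password("correct horse", salt, digest))
    print("verify wrong:", verify_password("wrong horse", salt, digest))
```

The ratio between the lowercase and complex rows is (94/26)^8, independent of the assumed guess rate; swapping SHA-256 for PBKDF2 divides the rate by the iteration count without changing the keyspace, which is why the hash choice matters as much as the policy.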
Phishing is where an attacker deceives people into revealing information or performing an action. A phishing attempt could be simple (designed to capture the one person in a thousand who doesn’t spot the danger) or complex and very carefully targeted (even security professionals fall for phishing!). One purpose of phishing is to lead people to fake login pages that harvest their passwords.
Keyloggers come in many forms and have legitimate uses. Still, in this context, an attacker might use malware to read and store all the keystrokes on a computer, capturing passwords and sensitive information.
Passwords gained from phishing, keyloggers, and breaches all tend to find their way into large password lists, which are used either to speed up brute-force attacks (dictionary attacks) or to speed up the cracking of stolen password hashes.
A compromised password is likely to be used in further attacks; if it is associated with an identity (an email address, for example), any related accounts are in danger if they use the same or similar passwords.
A good defence against compromised passwords is to use a different password for every account. It will not save the breached account, but it protects your other accounts.
Enforcing a password policy across every account a user needs for their daily job is almost impossible. It is also difficult for users to remember multiple 14-character complex passwords, so they fall back on bad practices: breaching the policy, reusing passwords, writing passwords down next to workstations, or saving them in documents.
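What "speeding up" an attack with a password list looks like in practice, as an added example that is not part of the original post. The "previous breach" list and the target hashes are constructed for the demonstration, unsalted SHA-256 stands in for whatever fast hash the breached application used, and the mangling rules are a tiny hand-written subset of the thousands that real tools such as hashcat and John the Ripper apply. It also shows why the "add one to the number" password reset discussed later in this post buys nothing.

```python
"""Added example (not from the original post): a small rule-based dictionary
attack. The leaked list, targets and rules are constructed for the demo."""
import hashlib
import re
from typing import Dict, Iterable, Iterator, Set, Tuple

# Constructed "previous breach" list: the attacker's dictionary.
LEAKED = ["Summer2022!", "password", "letmein", "Welcome1"]

LEET = str.maketrans("aeios", "43105")            # a->4, e->3, i->1, o->0, s->5
COMMON_TAILS = ("1", "!", "123", "2023", "1!")


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def mangle(word: str) -> Iterator[str]:
    """Yield the word plus the cheap variants attackers try first.

    Order matters: the incremented number comes after only three guesses,
    which is why changing "Summer2022!" to "Summer2023!" is no real change.
    """
    yield word
    yield word.capitalize()
    yield word.upper()
    match = re.match(r"^(.*?)(\d+)(\D*)$", word)  # trailing number, optional symbols after it
    if match:
        prefix, number, suffix = match.groups()
        for step in range(1, 4):                   # enumeration: +1, +2, +3, same width
            yield f"{prefix}{int(number) + step:0{len(number)}d}{suffix}"
    for tail in COMMON_TAILS:
        yield word + tail
    yield word.translate(LEET)                     # p455w0rd-style substitutions


def dictionary_attack(target_hashes: Set[str], wordlist: Iterable[str]) -> Dict[str, Tuple[str, int]]:
    """Return {hash: (password, guess_number)} for every target hash cracked."""
    cracked: Dict[str, Tuple[str, int]] = {}
    guesses = 0
    for base in wordlist:
        for candidate in mangle(base):
            guesses += 1
            digest = sha256_hex(candidate)
            if digest in target_hashes and digest not in cracked:
                cracked[digest] = (candidate, guesses)
                if len(cracked) == len(target_hashes):
                    return cracked
    return cracked


if __name__ == "__main__":
    # Constructed targets: what three users chose after a "change your password" prompt.
    targets = {sha256_hex(p) for p in ("Summer2023!", "p455w0rd", "letmein123")}
    for digest, (password, guess) in dictionary_attack(targets, LEAKED).items():
        print(f"{digest[:12]}... = {password!r} after {guess} guesses")
```

All three targets fall within 27 guesses, against a keyspace of 94^11 for a character-level brute force of the longest one; the rules, not raw computing power, do the work. A salted slow hash would not stop this, only slow it, which is why unique passwords per account are the defence that actually holds.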
There are lots of ways to help users and defend against bad practices:
- Help users by using single sign-on (SSO) services for every account that supports them and a password manager for everything else. These help users have a different, complex password for each account*
- Consider scrapping regular forced password changes; they encourage enumeration (adding or incrementing a number on the previous password), which is almost as bad as reusing the same password, since many dictionary attacks try incremented versions of previously breached passwords. Save password resets for when a password is compromised or forgotten.
- When single sign-on and password managers are unavailable, one option is to advise users to use the three random words technique: build a password from three random words, adding symbols and numbers in a way that is easy to remember. This middle ground produces long, complex, memorable passwords that resist basic brute-force attacks, though an attacker who knows the technique can use it to speed up a specialised dictionary attack.
*There is a danger here: if these systems are compromised, many accounts can be compromised at once. Most single sign-on services and password managers have extra layers of security built in because of this. Still, users should protect the master account for their SSO or password manager with a strong, unique password and multi-factor authentication.
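A generator for the three random words technique, together with the two search-space estimates that explain the trade-off just described, as an added example that is not part of the original post or the NCSC's guidance. The short wordlist embedded below is constructed for the demo; the 7,776 figure is the size of a standard diceware list and is used only for the estimate.

```python
"""Added example (not from the original post): generate a three-random-words
password and compare how large the search space looks to a character-level
brute force versus to an attacker who knows the pattern and the wordlist."""
import math
import secrets
import string
from typing import Sequence

# Constructed sample wordlist; a real generator should draw from a large published list.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garden", "hammer",
    "island", "jungle", "kettle", "lantern", "marble", "nectar", "orchid", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "zephyr",
]
DICEWARE_LIST_SIZE = 7776  # size of a standard diceware list, for the estimate only


def three_random_words(words: Sequence[str], separator: str = "-", digits: int = 2) -> str:
    """Pick three words with a CSPRNG (never random.choice for passwords),
    join them with a separator and append a few random digits."""
    chosen = [secrets.choice(words) for _ in range(3)]
    suffix = "".join(secrets.choice(string.digits) for _ in range(digits))
    return separator.join(chosen) + suffix


def char_bruteforce_bits(password: str) -> float:
    """Search space, in bits, for an attacker who treats the password as
    arbitrary characters drawn from the classes it actually uses."""
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(not c.isalnum() for c in password):
        charset += 32  # punctuation
    return len(password) * math.log2(charset)


def wordlist_attack_bits(n_words: int, list_size: int, digits: int) -> float:
    """Search space for an attacker who knows the pattern: word^n plus digits.
    The separator is a fixed convention, so it adds nothing."""
    return n_words * math.log2(list_size) + digits * math.log2(10)


if __name__ == "__main__":
    pw = three_random_words(SAMPLE_WORDS)
    print("generated:", pw)
    print(f"character brute force          : {char_bruteforce_bits(pw):.1f} bits")
    print(f"pattern-aware, 7,776-word list : {wordlist_attack_bits(3, DICEWARE_LIST_SIZE, 2):.1f} bits")
    print(f"pattern-aware, this 24-word list: {wordlist_attack_bits(3, len(SAMPLE_WORDS), 2):.1f} bits")
    print(f"8-char complex, for comparison : {8 * math.log2(94):.1f} bits")
```

The numbers tell the story in the text: around 140 bits against a blind brute force of a 23-character result, far beyond the 52 bits of an 8-character complex password, but only about 45 bits once the attacker knows it is three diceware words plus two digits, and a tiny or predictable wordlist collapses it further. The technique is sound as a fallback; the words must be genuinely random and drawn from a large list.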
Takeaways
Individuals and organisations can enhance their cybersecurity by following these best practices for passwords and password policies:
- Use single sign-on first and foremost
- Create long, complex passwords (14 characters with symbols, numbers, and upper and lower case); store them in a password manager
- Use the three-word technique when no password manager is available, and you believe you may forget the password
- Always use a new password with every account
- Changing passwords should be reserved for compromised or forgotten passwords
In addition to the above, the following best practices can complement strong passwords:
- Enable multi-factor authentication where you can
- Regularly check the current password advice as it changes over time
- Regular security reviews or audits
- Education and awareness training: when people understand why something is a good idea, they are more likely to comply
- Tailor your policies to your organisation. The above is good general advice, but something more specific might suit your organisation better
Further up-to-date advice can be found at: https://www.ncsc.gov.uk/collection/passwords/updating-your-approach.
Each year on the first Thursday in May, World Password Day promotes better password habits and provides a timely reminder to evaluate our cybersecurity. If you need any advice, please get in touch. If you are a Millennium+ customer, hours can be used to access our Cybersecurity expertise.