Jul 22 in Security Written by: 2K Networking
Passwords are an essential component of security for both individuals and organizations, but maintaining policies that are both effective and user-friendly is a struggle nearly everyone experiences. With a little bit of planning and effort, however, anyone can make their digital lives easier to manage as well as more difficult for attackers to gain unauthorized access.
Why are passwords so important?
An increasing amount of both personal and business data is being digitalized and stored on servers administered by third parties every year. The trend towards cloud computing, social networks, and computerization in general not only makes it easier for individuals to access their own information, but for others to access this same data without authorization.
Think for a moment about where the data important to you or your organization resides. Personal photos on Facebook’s servers, correspondence on Google’s servers, files on Dropbox’s servers, company documents on file servers, laptops, and many more.
All of this important data is safeguarded the same way it has been since the dawn of computing – passwords. Why is it so much more important to use secure passwords today than it has been in the past?
The first reason is the vast increase in volume and importance of information stored digitally. There is simply a larger amount of critical information, be it confidential financal documents or baby pictures, protected by passwords. The more there is to lose, the more important the security becomes.
The second reason is that the quality and effectiveness of the methods, tools, and information that attckers are using to circumvent passwords is increasing exponentially.
The most basic method of cracking passwords is simple brute force – trying every possible combination of letters, numbers, and symbols possible until the the password is found. While this has traditionally been unfeasable due to the amount of time needed to make such a high number of guesses, as computers become faster and faster the feasibility of brute force attacks increases.
There are also similar attacks that are more advanced, such as dictionary attacks which essentially use words instead of individual characters when attempting to brute force a password. The leaks of real-world password lists that have become more common in the past several years lead to highly effective “dictonaries” of words and phrases often used in passwords.
Even more sophisticated attacks can combine methods, such as taking a dictonary attack and appending a limited brute force attack. For example, a password such as “Password1234” could be guessed by combining a dictionary attack based on a list of single words and a brute force attack cycling through all possible combinations of four-digit numbers.
The scariest development in password security is that there are publicly available tools that can automate sophisticated attacks with a minimum of effort. What was once only the realm of a small group of malicious attackers is now available to anyone with an internet connection and a desire for your data.
What does a secure password policy look like?
What can be done to make it more difficult for attackers to access your data? It takes a mixture of common sense and technology to make a secure set of passwords.
The most basic rule is to use different passwords for each website, service, or device you use. This is even more important today than ever, as an individual simply cannot guarantee that any one service they use is storing their password securely. If an attacker somehow gains access to a single password used on multiple services the amount of data lost can multiply exponentially. This is especially relevant for e-mail passwords, as access to an email account can allow an attacker to reset the passwords of other services.
The next step is password complexity – length and type of characters used. Password length is extremely important, as each additional character increases the amount of time needed to brute force a password exponentially. Equally important is to avoid using common words, at least individually. ‘Mississippi’, for example, is an eleven-character password, which should take a long time to crack. Unfortunately, a dictionary attack would crack this example in no time at all by guessing entire words instead of one character at a time. Using several words together can be effective, so long as they aren’t common phrases such as song lyrics.
One often overlooked security weakness is the security questions often used for password resets. In today’s world of social networks information such as mother’s maiden name or pet’s name can often be found by a complete stranger. It is therefore prudent to come up with nonsense answers, or to write your own question that doesn’t involve information anyone else could access.
How can good password policy be implemented?
All you have to do is come up with a unique, eleven-plus character password for each of the dozens of services you use. And memorize them all. Simple, right?
The difficulty of this problem is what makes poor password policy so common. Fortunately, there are several services that can make passwords manageable.
Password managers typically run as a browser plugin, where a user logs in to the manager using a single password. The manager will then capture and save the user name and password the first time a user logs in to a site or service. From then on the credentials are automatically filled out each time the user needs to log in to a site.
The password manager will also generate and save complex, secure passwords that would typically be difficult to remember. This becomes a non-issue because the user does not need to memorize any credentials besides the master password.
Because the master password will grant access to every credential saved in the manager, it is extremely important to select a very secure master password, following the guidelines outlined earlier in the article.
Some examples of password managers are LastPass, 1Password, and KeePass. The password management utilities included in browsers such as FireFox are explicitly NOT secure password managers, as they typically store the passwords in an insecure format somewhere on the user’s hard drive.
We live in an increasingly digitalized world where more and more critical data is protected by passwords. Passwords are important to both individuals and business, and in a business it is critical to ensure employees are using secure passwords as well. While password management and enforcement have traditionally been a point of frustration, there are now modern tools to make a secure password policy a painless process.
Want to find out more information about enforcing passwords with in your business? 2K Networking can help. We can provide guidance and recommendations to utilize good password policies and enforce them within your business.