Password protection pitfalls and how to avoid them.
What’s in a name?
Every time we create a new password we are reminded to make it ‘strong’ and not easily guessed or cracked by attackers. Despite these warnings, many people still reuse passwords or build them from the names of loved ones, birthdays and other significant dates so that they are easy to remember. That is understandable given the sheer number of passwords we need in the age of information; however, exactly this kind of information can be ‘scraped’ (gathered) by malware, or by attackers themselves combining pieces of information gleaned from public profiles and social media.
In your organisational security framework a password is a ‘key control’: it is the first line of defence in front of your other controls. If this key control fails you could face system lockout and loss of services, data and functionality, to name but a few consequences.
Here we will cover some of the common mistakes made when creating and storing passwords, and some ways you can mitigate them and keep your and your clients’ data safe.
Password storage and password managers
Possible solutions to the ever-expanding list of usernames and passwords you must remember are password management systems or browser password vaults. You have probably already seen the prompts to save a password while using a browser or mobile device.
Password managers and browser-stored passwords are useful because they let you use strong, complex passwords that you could not otherwise remember without writing them down physically, a big no-no in password security.
These can be highly effective ways of keeping your passwords secure, but note that a browser vault is tied to your browser profile: on a new device you can only reach those passwords once you have signed in to that profile and synchronised, which needs an internet connection. There is also a critical weak point: if the master password for your browser profile, such as your Google account for Google Chrome, is weak, you could put all your other passwords at risk. A sensible mitigation is Two Factor Authentication (2FA) via a mobile authenticator app, SMS or an emailed code. Again, this requires access to another device with an internet connection.
The other option is a dedicated password manager. These can be free or paid services which store your passwords either on a cloud server or on your local network’s storage. They are again unlocked by a master password, and business versions let you grant different levels of access to particular passwords according to your staff’s requirements.
How-To Geek has put together a useful post which explains the uses of a password manager in more detail: https://www.howtogeek.com/141500/why-you-should-use-a-password-manager-and-how-to-get-started/
The UK National Cyber Security Centre also cites these further benefits of using a password management system:
- Synchronise your passwords across your different devices, making it easier to log on, wherever you are, and whatever you’re using.
- Help spot fake websites, which will protect you from phishing attacks.
- Let you know if you’re re-using the same password across different accounts.
- Notify you if your password appears within a known data breach so you know if you need to change it.
- Work across platforms, so you could (for example) use a single password manager that would work for your iPhone and your Windows desktop.
Source: https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/password-managers
Operational protocols for passwords in organisations
Passwords at every access point in your organisation need to be as secure as possible. This is essential for compliance with GDPR and is considered best practice when handling and storing users’ personal information. As discussed, password managers are a great solution, especially when your staff are expected to use multiple accounts to perform their duties.
Forced expiry of passwords was considered a standard in data security until very recently. However, the UK government’s advice (from CESG, the NCSC’s predecessor) changed in 2015, and forced password expiry is no longer recommended. Forcing users to remember a new password frequently often led to the reuse of passwords with slight variations, and increased the likelihood that the same password was also used on other accounts; an attacker who obtains one such password can then access every system behind it. If you still have this requirement in your organisation, you may want to think about updating your policy.*
Departing users’ passwords and all related logins should be removed as soon as possible, once you have made sure you will not lose access to any information or data that staff member held in their account. This is less of an issue on internal networks, but can pose a problem with third-party services if you are not provisioning user accounts through a master organisational system such as Google Workspace.
*Source: https://www.ncsc.gov.uk/blog-post/problems-forcing-regular-password-expiry
Password Weaknesses
It may seem simple, but it would be remiss not to cover what actually makes a secure password. Here are some points to consider when creating strong and, most importantly, unique passwords, and how to use them properly:
- It should be as long as is permitted in the entry box. Ideally 16 characters or more!
- It should use a mixture of uppercase, lowercase, special characters, and numbers.
- You should avoid using any part of your username within the password.
- Do not use obvious patterns or sequences that are easily guessable from playing with combinations on a keypad or keyboard. For example: ‘0987654321!’, ‘QWERTY1234’.
- Do not use obvious phrases, pets’ names, dates or words like ‘mypassword’, ‘Peter1979!’ or ‘Buttercup12’. These may seem unique to you, but it can be very easy for attackers to find this information online.
- Do not use the same passwords for multiple accounts.
- Change a password promptly if you suspect it has been compromised or it appears in a known breach; there is no need to rotate it on a fixed schedule (see the note on forced expiry above).
- If you must store them offline, make sure they are kept in an encrypted document which should also be password protected.
- Don’t stay logged in to password managers all the time, use as needed and log out when done.
- Never share your password with anyone.
- Absolutely never share your password with anyone – this one is worth saying twice!
- Do consider using a password manager with 2FA (Two Factor Authentication) enabled.
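To show how the rules in the list above can be enforced rather than just recommended, here is an added example checker in Python. It is not code from this page or from Pie Security: it applies the length, character-mix, username and keyboard-sequence rules, and then does a breach lookup the way a k-anonymity range query works (the client hashes the password locally, sends only the first five hex characters of the SHA-1, and compares the returned suffixes itself, the scheme popularised by Have I Been Pwned). The "breach corpus" and the `range_lookup` function are stand-ins constructed for the demo, not a real breach database or a real service.

```python
"""Password policy checker (added example, not part of the original post)."""
import hashlib
import re

MIN_LENGTH = 16      # matches the "ideally 16 characters or more" advice
SEQUENCE_RUN = 4     # a walk of 4 or more keys counts as an obvious pattern

# Keyboard rows and the alphabet, used to spot walks such as "QWERTY" or "0987".
_SEQUENCES = (
    "1234567890",
    "qwertyuiop",
    "asdfghjkl",
    "zxcvbnm",
    "abcdefghijklmnopqrstuvwxyz",
)

# Constructed example corpus of "breached" passwords (NOT real breach data),
# stored as upper-case hex SHA-1 the way a breach range service would hold them.
_BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "QWERTY1234", "Peter1979!", "Buttercup12")
}


def has_sequence(password: str, run: int = SEQUENCE_RUN) -> bool:
    """True if the password walks along a keyboard row or the alphabet,
    forwards or backwards, for `run` or more characters."""
    p = password.lower()
    for seq in _SEQUENCES:
        for s in (seq, seq[::-1]):
            if any(s[i:i + run] in p for i in range(len(s) - run + 1)):
                return True
    return False


def has_repeat(password: str, run: int = SEQUENCE_RUN) -> bool:
    """True if any single character repeats `run` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (run - 1), password) is not None


def range_lookup(prefix: str) -> set[str]:
    """Stand-in for a breach service's range endpoint (hypothetical): given the
    first five hex characters of a SHA-1, return every matching hash suffix it
    knows. The full hash, let alone the password, never leaves the client."""
    assert len(prefix) == 5
    return {h[5:] for h in _BREACHED_SHA1 if h.startswith(prefix)}


def is_breached(password: str) -> bool:
    """k-anonymity check: hash locally, query by prefix, compare suffix locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


def check_password(password: str, username: str,
                   personal_terms: tuple[str, ...] = ()) -> list[str]:
    """Return the list of rules the password breaks; an empty list means it
    satisfies every rule in this checker."""
    failures = []
    p = password.lower()

    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")

    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if not all(classes):
        failures.append("missing one of upper, lower, digit, special")

    if username and username.lower() in p:
        failures.append("contains the username")

    # Names, pet names and dates the attacker could scrape from social media.
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in p:
            failures.append(f"contains personal term '{term}'")

    if has_sequence(password):
        failures.append("keyboard or alphabet sequence")
    if has_repeat(password):
        failures.append("repeated character run")
    if is_breached(password):
        failures.append("appears in a known breach")

    return failures


if __name__ == "__main__":
    for pw, user, terms in (
        ("QWERTY1234", "alice", ()),
        ("Peter1979!", "peter.smith", ("Peter", "1979")),
        ("correct-Horse7battery$Staple", "alice", ("Alice", "Rover")),
    ):
        print(f"{pw!r}: {check_password(pw, user, terms) or 'OK'}")
```

Run it and the two passwords quoted in the list above fail on several rules at once (length, keyboard walk or personal terms, and the breach lookup), while the long mixed passphrase passes every check. Note that the breach check only ever hands out a five-character hash prefix; swapping `range_lookup` for a real range-query client keeps that property.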
Security controls
Passwords are one of your most vulnerable attack surfaces, and if you do suffer a breach you need to know that your information is protected. Pie Security’s email encryption tools work with your existing email client and can take the hassle out of worrying about compliance. Book a demo and find out how our email encryption solutions and compliance assessment can help you.