Password Security Awareness

Passwords have been in use for as long as people have needed to restrict access to, or prove authenticity for, something of value. The use of a word, phrase, number, or other secret piece of information to secure something else can be compared to a key for a lock.

Similar to keys, however, passwords are only good as long as they remain in the right hands and are not copied, shared, or stolen. Once a password is no longer secret, it becomes useless, and whatever it was protecting becomes vulnerable.

The need to secure something with a password implies that it has value, and as long as something has value, it is a potential target for thieves and hackers.

In this video we will go through the latest best practices for password security.

Let’s get started with some basics on password security.

Never Share Passwords

To remain secure, passwords should never be shared or given out.

Never write down passwords where they can be found by others, and never let others use your password.

Never send passwords through email.

If a password becomes known by other people, change it immediately.

Do Not Login from Systems You Do Not Control

Do not use public or unknown systems to log on to secured sites. Community systems such as library or public use PCs can be infected with keyloggers or other malicious software that can be used to capture and steal passwords.

Do Not Fall Victim to Phishing Scams

Be cautious of emails that ask you to log in through a link or that ask for a password. Microsoft, Apple, and other companies will never ask for your password. If an email asks you to log in with a link, confirm the request by calling, or go to the site directly using a known good web address instead of the link in the email.

Use different passwords on different sites

Data breaches are common and stolen passwords are often put up for sale on the Dark Web. Hackers then prove the validity of the stolen credentials by posting a sampling of them on the Dark Web. Dark Web monitoring services can alert you when passwords are found for sale and an alarming number of passwords are available in just the sampling alone.

When stolen passwords are found, the password must be changed immediately everywhere it is used. The best protection against breaches is to use different passwords on different sites so when a breach occurs, the exposure is limited.

Once password and login information is available online, hackers feed it to automated tools that try to log in with those credentials on thousands of other sites. When the same password is used in many places, the hackers have a better chance of success.

By using different passwords for every site, you limit your exposure to only the site that password is used on.

Change Passwords Often and Never Reuse Passwords

The same risks are involved if you rotate through and reuse passwords. It is very likely that you have a credential that has been found through a breach and is for sale, or available for free, on the Dark Web. If you reuse passwords, or make minor changes to them such as adding a character to the beginning or end, you are increasing your chances of becoming vulnerable to a hack.

Never Use Personal or Published Information

Social engineering is commonly used for phishing scams and for password hacking. Any information that can be found about you online, through social media or other places, should never be used as part of your password.

Some examples of what not to use would be:

  • Age, birthday, or any other significant date
  • Zip code, address, or any other postal or location information
  • Name, maiden name, initials, pet’s or children’s names, or any other names personal to you
  • Phone number or Social Security number
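The two rules above (no minor variations of a previous password, and no personal information in a password) can be enforced automatically at password-change time. The following is an added example, not part of the original video; the common-password list, the personal values, and the 20-character minimum are constructed for the demo, and the similarity threshold is an assumed value.

```python
import re
from difflib import SequenceMatcher

# Constructed sample of well-known weak passwords (a real deployment would use a breach list).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}


def normalize(text):
    """Lower-case and strip punctuation so 'Fluffy!' still matches the pet name 'fluffy'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def contains_personal_info(password, personal_values, min_len=4):
    """Return the personal values (name, birthday, zip code, ...) found inside the password."""
    normalized_password = normalize(password)
    hits = []
    for value in personal_values:
        fragment = normalize(value)
        if len(fragment) >= min_len and fragment in normalized_password:
            hits.append(value)
    return hits


def is_minor_variation(new, old, threshold=0.8):
    """True when `new` is just `old` with a character added or removed at either end,
    or differs from it by only a couple of edits (assumed threshold of 80% similarity)."""
    a, b = new.lower(), old.lower()
    if a == b or a.startswith(b) or a.endswith(b) or b.startswith(a) or b.endswith(a):
        return True
    return SequenceMatcher(None, a, b).ratio() >= threshold


def check_password(new, previous_passwords, personal_values, min_length=20):
    """Return a list of policy problems; an empty list means the password passes."""
    problems = []
    if new.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    if len(new) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for value in contains_personal_info(new, personal_values):
        problems.append(f"contains personal information: {value}")
    for old in previous_passwords:
        if is_minor_variation(new, old):
            problems.append("minor variation of a previous password")
            break
    return problems
```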

How Passwords are Cracked

Hopefully by now, everyone knows not to use passwords like “password”, “123456”, and “qwerty”. Just as important, you should never use common words alone as your password. To understand how to create strong passwords, it is important to know how passwords are cracked.

Hackers use sophisticated tools and algorithms to crack passwords. So-called dictionary crackers go through common words and phrases, along with common passwords, to crack simple passwords in seconds or minutes.

The recommendation used to be to add special characters, numbers, and mixed capitalization to strengthen passwords by making them more complex, but computing power has made that practice less of a factor.

More sophisticated tools use complex algorithms to try every conceivable combination of letters, numbers, and special characters to crack a password.

Back in 2012, it was demonstrated that an 8-character, complex password can be cracked in as little as 6 hours.

The only defense is to lengthen the time it takes to crack a password and that is done by lengthening the password itself.

Since most systems will accept passwords that are 20 characters long, that is our current recommended length. A 20-character password takes an estimated 35 quintillion years to crack with current technology and cracking tools.

The time it takes to crack a password will continue to go down as the tools used become more sophisticated and computing power increases.

The reality is, that given enough time, any password can be cracked.
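The argument above, that length does more for you than added character classes, can be checked with simple keyspace arithmetic. The following is an added example, not from the original video; the guessing rate of 1e11 guesses per second is an assumed figure for illustration (the page's own crack-time estimates depend on different assumptions), and the functions compute worst-case exhaustive search, which is why the numbers only move in the directions the video describes.

```python
import math

# Character-set sizes for the policy classes the video contrasts.
CHARSETS = {
    "lowercase only": 26,
    "lowercase + digits": 36,
    "mixed case + digits": 62,
    "mixed case + digits + symbols": 95,
}

# Assumed offline guessing rate (guesses per second); constructed for illustration only.
GUESSES_PER_SECOND = 1e11
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length, charset_size):
    """Number of distinct passwords of exactly `length` symbols drawn from `charset_size`."""
    return charset_size ** length


def entropy_bits(length, charset_size):
    """Strength of a uniformly random password, in bits."""
    return length * math.log2(charset_size)


def exhaustive_search_years(length, charset_size, rate=GUESSES_PER_SECOND):
    """Worst-case years to try every password of this length over this character set."""
    return keyspace(length, charset_size) / rate / SECONDS_PER_YEAR


def length_to_match(target_length, target_charset, charset_size):
    """Smallest length over `charset_size` symbols that is at least as strong as a
    `target_length`-character password over `target_charset` symbols."""
    return math.ceil(entropy_bits(target_length, target_charset) / math.log2(charset_size))


if __name__ == "__main__":
    # Compare the 8-character "complex" password the video mentions with 20-character ones.
    print(f"{'policy':32} {'len':>3} {'bits':>6} {'years to exhaust':>20}")
    for name, size in CHARSETS.items():
        for length in (8, 20):
            print(f"{name:32} {length:3d} {entropy_bits(length, size):6.1f} "
                  f"{exhaustive_search_years(length, size):20.3g}")
    print("lowercase length matching 8 chars of full charset:",
          length_to_match(8, 95, 26))
```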

Using Phrases to Remember Passwords

The trouble with creating longer passwords is that they are harder to remember.

One method for creating passwords with complexity and length that can still be easy to remember is by using phrases for passwords and mixing in letter cases, numbers, and special characters.

For example, if the phrase is “do the hard things first”, the complex password could be one of the variations shown here:

These examples meet the password complexity requirements and are a good length while being easier to remember than a random string of characters.

Use a Password Management Tool

A password management tool can be used to generate and store passwords, making it much easier to have passwords that are the proper length, complexity, and unique to every site. These passwords can then be viewed and copied for use in local applications or used to launch and securely login to online sites.

Here is an example of an auto-generated and stored password that would be difficult to remember or use manually, but easy to use with a password management tool.

Added Security Measures

Using passwords in conjunction with other security measures further strengthens cyber security.

Using technologies like Virtual Private Networks and Two-Factor Authentication adds to security by encrypting transmissions and adding a second verification method.

These measures add to overall security but still require the use of strong passwords to be effective.

Password Security Recap

The Don’t List

  • Don’t share passwords
  • Don’t log in from unknown systems
  • Don’t fall victim to phishing scams
  • Don’t use the same password everywhere
  • Don’t reuse passwords or make small changes to them
  • And … Don’t use personal information

For the Do List, we have

  • Do create long, complex passwords
  • Do change passwords often
  • Do use phrases to help remember passwords
  • Do use a password management system
  • And … Do use VPNs and Two-Factor Authentication where possible

Thank you for watching our Password Security awareness video.

Contact us for more information about our services, including awareness training, threat simulations, network assessments, dark web monitoring, password management, and more.