Pictured here is the wi-fi password of my accommodation provider this winter. True. Story.
We all know that passwords are the first line of defence in protecting our information. I can hear you sighing right now (and was that an eye-roll?) when you consider how many passwords you are currently managing to keep your data safe. Current rules for most companies typically consist of these points:
- Ensuring complex passwords, e.g. needing to include numbers, special characters, and upper/lower case letters.
- 8-10 characters.
- Forcing a password change regularly (often 90 days).
- Requiring new passwords not previously used by the user.
Interestingly, though, new best-practice guidelines are emerging.
Complex isn’t necessarily strong
Because complex passwords are hard to remember, we re-use the same ones across multiple accounts, potentially creating a much larger problem. For example, if your Facebook account is hacked and the same password also opens your Netflix account, your bank account and a confidential database at work, one breach becomes several.
The longer the better
Often legacy systems were restricted to 8-10 characters for passwords, or 8-10 characters was the minimum that users were expected to remember. Best practice now suggests allowing for pass phrases of up to 64 characters in length.
In a study, the strength of a complex password, "Tr0ub4dor&3", was compared with that of a long passphrase, "correct horse battery staple". It was found that the password built from special-character substitutions could be guessed in only 3 days, while the passphrase was estimated to take 550 years to crack.
Do away with the regular password change
Yes! I know you can get on board with this one straight away. The experts now agree that the 90-day password change tends to lead to poor security habits, such as adding an incremental number or character to the end of an existing password. Best-practice guidelines now say to change your password only if you believe it has been compromised or, in the case of shared databases, when someone leaves the organisation.
Password testing
Stolen or weak passwords are still the most common reason for data breaches. Steer clear of the obvious, 12345, password1, or personal details like family member names and your favourite band.
Britain’s National Cyber Security Centre has published a list of the 100,000 most commonly breached passwords worldwide. Surprisingly (or not surprisingly??) ‘123456’ was the most frequently hacked password. ‘Ashley’ was the most widely breached name and Blink-182 also made the list. The list can be viewed here: https://www.ncsc.gov.uk/static-assets/documents/PwnedPasswordTop100k.txt
For businesses some tools can check passwords in Active Directory against common password lists and custom password blacklists you have defined.
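As an added illustration (not a tool from the post or from NCSC), the following Python script applies the policy described above to a candidate password: it favours length over forced complexity (the 8 and 64 character bounds are assumed thresholds), rejects anything on a breached-password list, and also catches the "append a number" variants of a breached password. The breached list embedded here is a constructed stand-in for a file like the NCSC top-100k list.

```python
import re

# Policy thresholds are assumptions for this example; the post only states
# that passphrases of up to 64 characters should be allowed.
MIN_LENGTH = 8
MAX_LENGTH = 64

# Constructed stand-in for a breached-password file (one password per line),
# in the same shape as the NCSC top-100k text file. A real deployment would
# load the actual file instead. The post's passphrase example is included to
# show that a widely published phrase should not be reused either.
SAMPLE_BREACHED_LIST = """123456
password
qwerty
ashley
blink182
correct horse battery staple
"""


def load_denylist(text: str) -> set[str]:
    """Parse a one-password-per-line list into a lower-cased set for matching."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


DENYLIST = load_denylist(SAMPLE_BREACHED_LIST)


def check_password(candidate: str, denylist: set[str]) -> list[str]:
    """Return the list of policy failures; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    lowered = candidate.lower()
    if lowered in denylist:
        problems.append("appears in breached-password list")
    else:
        # Strip a trailing run of digits/symbols (e.g. "password1", "ashley!")
        # to catch the incremental-suffix habit the post warns about.
        base = re.sub(r"[\d\W_]+$", "", lowered)
        if base and base != lowered and base in denylist:
            problems.append("breached password with a trailing number/symbol added")
    return problems
```

Note that a list-and-length check alone still accepts "Tr0ub4dor&3", which the post says was guessed in 3 days; that is why the guidance leans on length and on checking against breached lists together rather than on character-class rules.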
Arrange regular employee training
Many breaches occur because of negligent or untrained employees opening phishing emails.
Regularly train employees to recognise and avoid phishing and other social media attacks. Keep them up to date on current password practices. Check in with employees to make sure they have a PIN or password on their phone and other devices.
Visit https://www.cert.govt.nz/ and search ‘password’ for some homegrown and up-to-date articles and guides on password policy you can implement.
CERT NZ works to support businesses, organisations and individuals who are affected (or may be affected) by cyber security incidents. They provide trusted and authoritative information and advice, while also collating a profile of the threat landscape in New Zealand.