While there seems to be a push by some of the big players like Microsoft, Apple and Google to go “passwordless”, the reality is that we still need passwords in most areas of our lives, whether personal or business. Passwords also seem to be one of the things users find most annoying.
- Users hate to have their computers locked after idle time because they need to type their password to get back to their desktop.
- Users hate changing passwords.
- Users hate having to make complex passwords.
- We all know that users reuse the same or similar passwords across the many places they’re required because “remembering all those different ones is so hard if not impossible!”
Are you a typical user? Let’s delve into why this little annoyance is a necessary evil to be mastered.
In 2022, Microsoft tracked 1,287 password attacks per second! Too many of those attacks succeed as breaches. According to Verizon, 86% of initial attack access is through compromised credentials. If you want to see if any of your passwords have been breached, check out Have I Been Pwned. While there, scroll the page to note some of the numbers and locations of breached information.
So, now that we have your attention, how do we avoid being one of the statistics? There are some fairly simple habits you can develop. The National Institute of Standards and Technology (NIST) provides comprehensive guidelines for creating and maintaining strong passwords, which are rather technical, but let’s boil them down to some easy key principles.
- Length Matters – minimal requirements of 8 – 12 characters are nothing when automated brute force and hybrid dictionary attack tools are used against them. By increasing passwords to 16 characters or more, the length of time to crack jumps dramatically simply due to the increased number of possible combinations.
- Complexity Ramps It Up – by mixing in capitals, numbers and symbols, the combination possibilities are bumped up again. However, beware: “leet” (replacing letters with look-alike numbers and symbols) is an old hacker convention that cracking tools already know, so try not to be too obvious.
- Stronger with Passphrases – passphrases can be easier to remember, which helps for the ones you need to type with any regularity, such as your computer or apps that time out in a few minutes. String together some random but memorable words for the best effect. For example, “AutumnReds&Yelowz”. Mix up your caps, throw in some numbers and more symbols and you’ve got a pretty good password that currently could take up to 205 trillion years to crack. (See chart below)
- Stay away from Common Words and Combinations. As noted in #2 and #3, you want to be different. Patterns are another way that users create passwords: repeated characters, patterns on a keyboard or number pad such as “qwerty” or “1793”. Series are frequent as well: “abcd” and “1234”. Do not use the word “password”! If you’re still not sure what a weak password is, check this list out.
- Change It – As much as it can be an annoyance, suffering a breach is much more painful. If you receive a notice that your credentials may have been compromised, of course the first thing you want to do is change them to something brand new and unique. But even if there has been no word of a compromise, changing your password periodically can still protect you. According to data compiled by Varonis, the average time to identify a breach in 2021 was 212 days. Getting to remediation and reporting can take significantly longer, so you may have been compromised and not even know it yet. Because of the value of data, cybercriminals are highly motivated to remain undetected on a network.
- It’s Good to be One-of-a-Kind – if your passwords are truly unique and not slight adaptations of others you use, then you really decrease your exposure if one is compromised. One of the tactics cybercriminals use is to take known credentials and test them on every account possible. Do you see the problem? So, if you get a notice that an account has been breached and you use the same password for multiple accounts, it’s time to set new, unique, long, complex passwords on each of them.
- Maybe It’s Time for a Password Manager – if you’re doing passwords right, the average human brain will have an extremely difficult time remembering them all. Now might be the time to consider a proper password manager. Browsers offer to store and “protect” passwords, but user beware: first make sure the account that protects those stored passwords is itself secured with a long, complex, unique password. Additionally, that account should not be one that other accounts have been granted access to (to log in automatically), and it should have an extra layer of protection through multi-factor authentication (MFA).
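The principles above can be turned into a simple policy check. The following is an added example written for this post, not a tool from the post or from any vendor it names: it scores the brute-force search space (length times log2 of the alphabet, the “possible combinations” in #1 and #2), undoes leet substitutions before looking for common words (#2 and #4), and flags keyboard walks and sequential runs (#4). The common-word and keyboard-pattern lists are short constructed samples; a real check would load a full breached-password list.

```python
import math
import string

# Constructed sample lists (not the post's linked list); a real check would load a full breached list.
COMMON_WORDS = ("password", "letmein", "welcome", "admin")
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "1793", "7531")  # keyboard / number-pad walks
# Undo the leet substitutions the post warns about: 4->a 3->e 1->i 0->o 5->s $->s 7->t @->a !->i
LEET = str.maketrans("43105$7@!", "aeiosstai")


def char_classes(pw):
    """Return (number of character classes used, size of the combined alphabet)."""
    present = [(any(c.islower() for c in pw), 26), (any(c.isupper() for c in pw), 26),
               (any(c.isdigit() for c in pw), 10), (any(c in string.punctuation for c in pw), 32)]
    used = [size for found, size in present if found]
    return len(used), sum(used)


def keyspace_bits(pw):
    """Brute-force search space in bits: length * log2(alphabet size)."""
    _, alphabet = char_classes(pw)
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def has_sequence(pw, run=4):
    """True if `run` adjacent characters repeat or step by one (aaaa, abcd, 4321)."""
    for i in range(len(pw) - run + 1):
        window = pw[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if len(steps) == 1 and steps.pop() in (-1, 0, 1):
            return True
    return False


def check_password(pw, min_len=16, min_classes=3):
    """Return a list of findings; an empty list means every principle is met."""
    findings = []
    if len(pw) < min_len:
        findings.append(f"shorter than {min_len} characters")
    if char_classes(pw)[0] < min_classes:
        findings.append(f"uses fewer than {min_classes} character classes")
    if has_sequence(pw):
        findings.append("contains a repeated or sequential run (e.g. 1234, abcd)")
    normalized = pw.lower().translate(LEET)  # so P@ssw0rd still matches "password"
    findings += [f"contains common word '{w}'" for w in COMMON_WORDS if w in normalized]
    findings += [f"contains keyboard pattern '{k}'" for k in KEYBOARD_RUNS if k in pw.lower()]
    return findings


if __name__ == "__main__":
    for pw in ("password", "P@ssw0rd1234", "AutumnReds&Yelowz"):
        print(f"{pw!r}: {keyspace_bits(pw):.0f} bits, {check_password(pw) or 'OK'}")
```

Note that the post’s 17-character, three-class example scores more bits than an 11-character password using all four classes, which is the “length matters” point in numbers.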
As computing power increases, expect the ability of automated tools to be able to crack passwords more quickly. It’s difficult to believe that anything is truly unbreakable. However, if you’re the toughest nut to crack, it’s more likely that more vulnerable accounts will fall prey instead. It’s kind of like not needing to be the fastest runner to outrun the bear, you just need to be faster than anyone else there.
So, passwords are still necessary and foundational to all digital security. Make sure your foundation is solid and secure. October is Cybersecurity Awareness Month and we’ll be addressing other aspects of cybersecurity in coming weeks. As an MSP, we work to train our clients to be as secure as possible. We offer a platform for training end-users, documenting policies and compliance. Contact us to learn more.
The chart below is from Specops and shows just how much the length and complexity of passwords make them harder to crack.