Password Hygiene and Policies

Introduction to password hygiene

Our ideas and knowledge about secure passwords have evolved over the last five years. In this post, I’ll talk about password hygiene and policies that may help you create stronger passwords and fortify the security in your environment. First, forget everything you’ve been taught about passwords. Second, it’s important to understand that length and passphrases will beat out short technical heavy passwords every time. And last, but definitely not least, it’s important to never reuse passwords and to be aware of NIST (National Institute of Standards and Technology) cybersecurity standards.

Forget what you’ve been taught about passwords

There is a need to get rid of the practice that’s been engraved in our brain about using hard-to-read passwords (P@$$\/\/0|2D) Instead, we need to adopt a passphrase mindset. The reason the new recommendation to using phrases instead of a single word is due to math, the longer the phrase used, the more time it would take for an attacker to guess or brute-force your passphrase. More about the math below.

A good phrase has three or more words that are unrelated and not easily guessed, something similar to “Walk bread tripod fence.” The reason you want unrelated words is to avoid something easily guessed since none of the words are ever really found together in a single phrase. Some people find that using a set of physical dice will help them generate truly random phrases. Read more on dice theory on this site.

Password managers are crucial to the success of such passphrases since it’s going to be very difficult and tricky to remember a myriad of logins to various sites that have a long passphrase. Password managers are a virtual vault to store all your secure passwords in one location that are secured by a master passphrase of your choosing. There are too many to list here, but if you were to search the internet for “password manager,” you’ll surely find enough to keep you busy.

There are various websites that are used to check the strength of a passphrase, and most of them I wouldn’t trust to input an actual password, but merely as a demonstration only. Use this website to give you a strength test. This site offers another variation of a similar type of test.

Why use a phrase? Some math involved

password hygiene includes longer passphrases

To better understand the math behind the length of a passphrase being more useful than complexity, this site breaks down how length, in order of magnitude, is more difficult to crack than complexity. This data is a few years old, but it’s not about relevance here. The method used to generate this list is brute force:

  • Brute force 8 all lowercase characters: 3.5 minutes to guess
  • Brute force 9 all lowercase characters: 90 minutes to guess
  • Brute force 10 all lowercase characters: 39 hours to guess
  • Brute force 11 all lowercase characters: 42 days to guess
  • Brute force 12 all lowercase characters: 3 years to guess

Using a single GPU (not top of the line) I’m able to make ~7,300,000,000 guesses a second for MD5 hashes.

Updated password guidelines from NIST (National Institute of Standards and Technology)

NIST recently (in 2017) updated their password guidelines to contradict their previous guidelines from 2003. The changes we’re interested in were the ones that moved from complexity to length.

Jeremy Cox, a native security researcher to Utah, recently spoke at a security conference concerning “Password Standards.” He broke down the aforementioned NIST guidelines:

  • NIST removed periodic password change requirements.
    • This means keeping passwords around for longer than six months causes users fatigue, forgetfulness, and laziness in creating new passwords with similar complexity.
  • Drop complexity requirements (and use length instead).
    • Entropy is not increased enough to warrant including complexity
      • P@$sw0rd vs Password doesn’t increase security enough to warrant needing to use the symbols over an increased length.
    • Makes it harder to remember and more likely to be written down.
  • Check potential passwords against known compromised ones.
  • This site is a  fantastic resource to check out.  
  • I don’t recommend putting plain-text passwords into random sites, but of all the sites I’ve seen, I trust Troy Hunt (creator of have i been pnwed) to not be someone in the business of using your personal info for a quick gain.
  • Stop using password hints.
    • These methods are weaker than your actual password and are easily guessed. Many users’ accounts have been compromised via this method.
  • Stop using knowledge-based authentication (i.e. things you know).
    • What street did you grow up on?
    • What was the name of your first pet (“Now You See Me” anyone?)
    • Social media is a treasure trove of this very type of information.
  • Start using two-factor authentication (i.e. password + something you have).
    • Use a dedicated authenticator app.
    • Avoid using SMS as a form of two-factor as this has easily been exploited.
  • Use a password manager.
    • This helps keep each passphrase unique and secure.

Sometimes there’s nothing you can do to protect your passphrase

When it comes to ensuring your passphrase is strong, sometimes it doesn’t matter because the service you’re using is hacked or compromised.

  • Facebook just recently had 50 million user accounts stolen
  • Under Armour had 150 million accounts stolen
  • Equifax had 148 million records stolen
  • 8Tracks had 18 million accounts stolen
  • Apollo had 129 million accounts stolen
  • Pemiblanc had 111 million accounts stolen
  • VNG had 163 million records stolen

All occurred in 2018 and there are ~300 more found at have i been pwned.

Never reuse passwords

This is the main reason to never re-use ANY password anywhere else. If you have a single password across multiple sites, and it is compromised in one location, now all of your accounts are at risk.

Monkey See Monkey Do

 

You’ve all heard the phrase, “Monkey See Monkey Do,” right? Did you know that monkeys are actually very intelligent creatures and it would serve you well to put into practice some if not all of the things I’ve discussed today? After all, even when you have done everything you can to protect your network, sometimes comprise still happens. However, it’s still best to secure your environment to the best of your ability now… as they say…hope for the best, but plan for the worst.

Your email address will not be published.

Your Name