Making passwords secure

Industry surveys claim that 81% of all hacking-related breaches are caused by weak and stolen passwords. We can’t just blame the hacker, because hackers are simply capitalizing on the most overlooked IT security flaw … user-managed passwords.

I recently received an email article from ComodoSSLStore titled: “5 Things Every Webmaster Should Do To Keep Their Site Secure.” While they do discuss the importance of software updates, SSL/HTTPS, firewalls, and monitoring, their advice on secure passwords makes me crazy. Comodo suggests these 5 password tips:

  • Longer is better: 8 characters is the minimum, but 12 to 16+ is better.
  • Avoid common words and passwords like 123456, letmein, star wars, rainbow, etc.
  • Don’t use the same password for multiple sites. If a hacker gains access to your password via one site, they may try to use it on other sites also.
  • Passphrases can be an easy way to create longer passwords that are still memorable. For example, i*love*the*beach*in*kihei*hawaii is a very long, secure password (it would take up to 700 sextillion years to crack it), but it’s still easy to remember.
  • Use a password manager to help you remember all your long, unique passwords.

These are all good points… if we were still in the 1990s and wanting to implement security on our Commodore 64 computer! These tips don’t work today, and these useless tips can lead to even bigger security issues because IT is lulled into a false sense of security. Here’s why:

  1. Longer is better: Size doesn’t matter if a computer is infected with keylogger malware. You can have a 500-character password and it would be no more secure than a 2-character one when the keylogger records every password keystroke the user types.
  2. Avoiding common words: This has been a key recommendation since the 90s. However, the number one password for the last six years is still “123456”. User-managed passwords are cybersecurity’s weakest link, and it really riles me up to think that IT is still allowing employees to generate and manage passwords!
  3. Don’t reuse passwords: This recommendation has also been around for a long time. Probably some Roman Centurion had the suggestion to use a different password for each castrum (fort). Surveys suggest that the average employee manages 105 personal and company accounts, each requiring a separate password authentication. If the author of this article expects employees to remember 105 unique, complex passwords, then they are delusional. Putting the security onus onto the user is a failed strategy because employees will ALWAYS circumvent security for convenience.
  4. Passphrase passwords are for fools: Passphrases do not increase security. They only add user complexity. Expecting users to remember different phrases, then remember how they encrypted it with letter substitution, and finally remember which phrase goes to which of their 105 accounts is totally insane.
  5. Use a password manager: This has only a slight validity. A password manager can take some of the burden off the user having to remember them. However, password managers by themselves can be dangerous because everything is stored in one place. The repository becomes the honey pot for hackers.
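As an added check on the crack-time claim in the tips above (this is example code written for this article, not code from the original post or from Access Smart): the snippet below estimates the entropy of Comodo’s example passphrase under two attacker models, a character-by-character brute force and a dictionary attack that knows the separator and guesses whole words, and compares it with a 16-character randomly generated password of the kind IT can issue centrally. The 20,000-word dictionary size and the 1e11 guesses-per-second rate are assumptions, not figures from the page; the point is that any “years to crack” number is only as good as the attacker model behind it.

```python
import math
import secrets
import string

# Constructed input: the example passphrase quoted in the Comodo tip list above.
PASSPHRASE = "i*love*the*beach*in*kihei*hawaii"
# Assumed offline guessing rate (hypothetical; real rates depend on the hash used).
GUESSES_PER_SECOND = 1e11
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

def char_level_entropy_bits(pw: str) -> float:
    """Brute-force model: the attacker tries every string over the character
    classes present in the password (lower/upper/digit/punctuation)."""
    pool = 0
    if any(c.islower() for c in pw): pool += 26
    if any(c.isupper() for c in pw): pool += 26
    if any(c.isdigit() for c in pw): pool += 10
    if any(c in string.punctuation for c in pw): pool += len(string.punctuation)
    return len(pw) * math.log2(pool)

def word_level_entropy_bits(pw: str, sep: str = "*", dict_size: int = 20000) -> float:
    """Dictionary model: the attacker knows the separator and guesses whole words
    from a dict_size-word list, so each word contributes log2(dict_size) bits."""
    words = [w for w in pw.split(sep) if w]
    return len(words) * math.log2(dict_size)

def generated_password(length: int = 16) -> str:
    """Centrally generated random password: uniform draws from the printable
    set, so its entropy is length * log2(94) regardless of memorability."""
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))

def generated_entropy_bits(length: int = 16) -> float:
    return length * math.log2(len(PRINTABLE))

def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try the whole space at `rate` guesses per second."""
    return (2.0 ** bits) / rate / (365 * 24 * 3600)

if __name__ == "__main__":
    for label, bits in [
        ("passphrase, brute force", char_level_entropy_bits(PASSPHRASE)),
        ("passphrase, dictionary", word_level_entropy_bits(PASSPHRASE)),
        ("16-char generated", generated_entropy_bits(16)),
    ]:
        print(f"{label:24s} {bits:7.1f} bits  ~{years_to_exhaust(bits):.2e} years")
```

The dictionary model drops the passphrase from roughly 187 bits to roughly 100 bits, which is why crack-time figures quoted for passphrases should state which attack they assume.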

IT needs helpful (not obsolete) advice, along with a security roadmap that keeps their networks and their jobs safe. In my book “Making Passwords Secure: Fixing the Weakest Link in Cybersecurity” (which was recommended by Chuck Brooks as “one of the top 4 must-read cybersecurity books”), I explain in great detail how to fix passwords. But for this short article, here are my Top 5 Password Tips:

  1. Take the user out of managing passwords. Public Key Infrastructure (PKI) and certificates are often cited as cybersecurity’s best practice. They aren’t. What these solutions offer over old password management practices is that the employee doesn’t know, type or manage any keys. Therefore, why not duplicate that practice with passwords? It’s less expensive on the IT budget.
  2. Centrally manage all passwords: Length is important, but so is rotation, character type and complexity. To accomplish these elements, put IT in control of generating and managing all passwords. They have the tools to create unique, long, complex passwords that can be rotated as frequently as IT wishes, without any employee involvement. Policy compliance to government regulations is easy and in full control of IT.
  3. Implement multi-factor authentication (MFA). In the same survey that cited 81% of data breaches as attributable to weak and stolen passwords, 94% of the hackers surveyed said that MFA was their greatest obstacle to stealing logon credentials.
  4. Overlapping of security elements: Different security elements must be integrated together. The main ones are MFA, ciphers, password management, and IT centralized control. I call this: Password Authentication Infrastructure (PAI).
  5. Make security convenient: Avoid implementing individual tokens for parking garage access, building access, and computer access. Combine them all onto a single employee ID badge. It makes it easier for the user, IT and HR. Only one token to stock, issue and recall.

Here at Access Smart, we understand that many business owners are frightened of being hacked. Our product, Power LogOn, secures your most overlooked threat – employee-managed passwords – so your business can stay focused on sales growth. If you are interested in solving your user-managed password problem, then visit our website and schedule your free 30-minute consultation with me. I look forward to discussing how you can secure your company’s weakest link.

About Access Smart:

Founded in 2005 and headquartered in Austin, TX, Access Smart, LLC is dedicated to empowering businesses, agencies and institutions to regain control over their computers and networks at the point of entry. Authentication, authorization and non-repudiation do not have to be cumbersome to be effective. For more information, visit www.access-smart.com.

###