The Technical Bit
When you log in to your network, the password you enter is typically “hashed”, meaning the text you use as your password is transformed into a jumbled version of itself.
When a password is entered, the hash value is derived from a combination of the password and a “key” kept for this purpose, using a sophisticated algorithm.
To validate a user password, it is hashed and the result compared with the existing version recorded on the network to allow access.
A hashed value cannot be converted back into a readable password, but attackers may still be able to work out what the password is by repeatedly generating hashes from guessed or commonly used passwords (a brute-force attack) until one matches.
The more complex the password, the longer the brute-force attack will need to run. This leaves the attacker with a decision: give up on a network that has a proper Password Strength Policy in place, or continue what may become an expensive, time-consuming and ultimately futile exercise.
Which way they go may depend on how determined the attacker is and how valuable the information they are after is to them, or to others.
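The hashing, verification and guessing process described above, as an added example that is not GuardYoo's code: PBKDF2-HMAC-SHA256 is assumed as the hashing algorithm, a random per-user salt plays the role of the “key”, and the audit function is the defender's version of the guessing attack, checking stored hashes against a small constructed list of common passwords.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Assumption for this example: a modest PBKDF2 work factor so the demo runs quickly.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash). The random salt is the per-user 'key' mixed into the hash."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Hash the candidate with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)


def audit_common_passwords(accounts: Dict[str, Tuple[bytes, bytes]],
                           common: List[str]) -> List[str]:
    """Return the usernames whose stored hash matches a commonly used password.

    Each guess must be hashed with the account's own salt, so the work grows with
    accounts x guesses: this is why salting and a slow hash make guessing costly.
    """
    weak = []
    for user, (salt, stored) in accounts.items():
        if any(verify_password(guess, salt, stored) for guess in common):
            weak.append(user)
    return weak


if __name__ == "__main__":
    # Constructed sample directory: one user with a common password, one without.
    accounts = {
        "alice": hash_password("Password1"),
        "bob": hash_password("x9#Lq2!vT7mR"),
    }
    common_list = ["123456", "password", "Password1", "qwerty"]  # constructed
    print(audit_common_passwords(accounts, common_list))  # ['alice']
```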
So, What's the Fuss?
To the end-user, passwords are necessary but annoying: there are so many systems to log into and so many different passwords to remember. Left to their own devices, each user would probably have one easily remembered password (Name_Birthday, Name_1234, Kids Name_0000) and use it for everything, but this freedom would make life difficult for Network Admin teams, who are responsible for keeping the bad guys out of the company network.
The make-up of a password is important to staying safe. “A truly random eight-character password will be more secure than an eight-letter dictionary word, because brute-force attacks use dictionaries, names and other lists of words as fodder.”
As organisations grow, it’s important for Network Admin Teams to recognise the right time to introduce a proper Password Strength Policy. Implementing a robust Password Strength Policy is a key element in maintaining good cyber posture.
Weak passwords and poor Password Policies are a major contributor to successful cyber-attacks. Passwords are the first line of defence against unauthorised access to a network, so a strong Password Strength Policy is essential.
Failing to implement an effective Password Strength Policy transfers responsibility for safety to end users, which is unfair on them as they are focused on their work duties and do not always realise the importance of having complex passwords.
GuardYoo’s Compromise Assessment Platform delivers a full Password Strength Analysis for organisations of all sizes.
GuardYoo will highlight weak password policies and identify passwords that are among the easiest to hack using well known techniques, thus helping Network Admin Teams to recognise the right time to implement a robust Password Strength Policy.
Some Best Practice When Implementing an Effective Password Policy
Here are some key tips to consider when implementing an effective password policy for your organisation:
1. Ensure all passwords are at least 8 characters:
The longer a password is, the less likely it is to be cracked. Therefore, it is recommended that a password is at least 8 characters long, but ideally up to 10.
2. System generated passwords should be at least 6 characters:
When any of your internal systems are generating new user accounts, you should make sure that the associated passwords generated are at least 6 characters in length.
Online forums and e-commerce sites should assign passwords of at least 6 characters to new users.
3. Allow for your systems to support longer passwords for increased strength:
You should make sure that your systems allow for the creation of passwords up to 64 characters. Unique passwords of this length will be extremely difficult for someone to crack.
4. Encourage the use of the entire ASCII set for password creation:
Uppercase, lowercase, numbers and symbols should be included in all passwords. Passwords are much more difficult to guess when they are longer and use a greater mix of characters, so drawing on the whole ASCII set significantly decreases the chances of someone guessing a password.
5. Make sure password standards are set to encourage uniqueness:
It is important not to reuse passwords across different services. Individuals should especially follow this rule for social media and bank accounts. Password uniqueness ensures that if an attacker cracks one password, they won't be able to access any other services with it.
6. Make sure your passwords are not already included in password lists:
There are several software packages that you can use in order to check that your password is not contained in a password dictionary. It is very important to do this before choosing a password.
7. Make use of a password manager:
Complex passwords are certainly more secure; however, they are often forgotten because they are difficult to remember. To combat this, a password manager can be very useful for storing hard-to-recall passwords.
8. Have randomly generated passwords:
Passwords which are randomly generated are very unlikely to be included in password dictionaries, which makes them difficult to guess.
9. Allow multiple login attempts before a user is locked out:
When implementing a password policy, it is important to give the user enough attempts to log in. When choosing the number of times someone can attempt to log in, consider the risk involved if the account is compromised. Users are often frustrated when they are locked out after 3 unsuccessful attempts. However, to stop a brute-force attack a user must be locked out at some point. For this reason, we recommend allowing 10 attempts.
10. Utilise 2 factor authentication:
There are endless ways that a password can be compromised. Therefore, it is important to have a second line of defence if a password is cracked. 2FA achieves this: even when an attacker cracks a password, they still must gain access to the user's chosen device to obtain the second authentication factor.
We suggest Network Admin teams send regular reminders to end users to update mobile phone numbers used for 2FA, whenever their mobile number is changed. This can prevent the headache of not being able to access a service when your authentication code is sent to an old mobile number.
Things to Consider When Implementing Password Policies
When implementing a password policy, it is just as important to address poor practices. Below are some habits to avoid when implementing a password policy:
1. Never use a word which can be found in a dictionary:
Using a word which can be found in a dictionary makes it very easy for a hacker to guess your password, so this should be avoided. Also using a combination of words found in a dictionary is not a good idea.
2. Never keep the same password for too long:
Keeping the same password for too long should definitely be avoided. If your password is stolen, changing it on a regular basis ensures that the stolen password can't be used to access your account indefinitely.
3. Don’t use the names of people/places you know:
It is very likely that someone trying to access one of your accounts has done research about you. Based on their findings, they might try to guess your password from the people or places that are close to you. Using slight variations of these names should also be avoided, as they can be easily guessed.
4. Avoid using the same password twice:
It is very important that you use a different password for each account or service that you use. You should also avoid swapping back and forth between passwords when you are required to change password.
5. Don’t create a password with adjacent letters on your keyboard:
Creating a password from adjacent letters on a keyboard is not best practice, as it would be very easy to guess. It is also highly likely that such sequences are included in password dictionaries.
What About Pass-Phrases?
Sometimes it is difficult to remember long, complex passwords, so a pass-phrase can be a good option for staying safe.
A pass-phrase should be based on a phrase or statement that will be easily remembered.
A good option is a phrase at least 14 characters long, that swaps letters for symbols and special characters, for example - "1tsrAIn1NGcts&DGS!"
Swapping the letters in a phrase with numbers and special characters makes the password more secure.
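A checker that encodes the best-practice rules, the habits to avoid and the pass-phrase advice from this article, as an added example that is not GuardYoo's code: the common-password list, dictionary words and keyboard rows are small constructed samples, and the `personal_terms` and `history` parameters are assumed inputs standing in for the names known to a user and their previous passwords.

```python
import string
from typing import Iterable, List

MIN_LENGTH = 8    # "at least 8 characters"
MAX_LENGTH = 64   # systems should accept passwords up to 64 characters
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "password1"}  # constructed
DICTIONARY_WORDS = {"summer", "winter", "dragon", "monkey", "football"}      # constructed
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def keyboard_run(pw: str, length: int = 4) -> bool:
    """True if pw contains `length` adjacent keyboard keys in a row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - length + 1):
            run = row[i:i + length]
            if run in low or run[::-1] in low:
                return True
    return False


def check_password(pw: str, personal_terms: Iterable[str] = (),
                   history: Iterable[str] = ()) -> List[str]:
    """Return the rules the candidate violates; an empty list means it passes."""
    problems = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    # Rule 4: draw on the whole character set (upper, lower, digits, symbols).
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
    if not all(classes):
        problems.append("missing upper, lower, digit or symbol")
    if low in COMMON_PASSWORDS:
        problems.append("appears in a common-password list")
    # Letter-for-symbol swaps, as in the pass-phrase advice, defeat this substring check.
    if any(word in low for word in DICTIONARY_WORDS):
        problems.append("contains a dictionary word")
    if any(term.lower() in low for term in personal_terms if term):
        problems.append("contains a name of a person or place known to the user")
    if pw in set(history):
        problems.append("reuses a previous password")
    if keyboard_run(pw):
        problems.append("contains adjacent keyboard characters")
    return problems
```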