Is password security awareness dead?

Is there ever a bad time to talk about password security awareness? With the discovery of GoldBrute and its penchant for forcing its way into some 1.5 million RDP servers, we think not. Are RDP servers not a concern for you? Perhaps the five million attempts to hack into an IP cam near you will pique your interest.

Creating a strong password can protect you from more digital heartache than just about any other single security measure. This fact naturally leads to two important questions:

• What makes a password insecure?
• How can you use that knowledge to make a resilient password?

What’s in a password?

Passwords are a still a huge asset. At one point, they were even a decent means of security in their own right—but times have changed. The problem with passwords in the modern age lies with their simplicity. They are, after all, simple strings of characters. Since everyone has access to that same set of characters, a password’s security comes solely from the (hopefully) unique arrangement of those characters.

Given enough time, anyone—or more likely a brute-force program—can discover that sequence. And computers have reached a point where their sheer processing power can crack simplistic passwords in mere seconds. While creating a strong password is the obvious answer here, simple, easily hackable passwords are still too much of a temptation, according to CNN Business’ list of the most common offenders. In fact, more than 23 million accounts rely on the complexity of “123456” to protect their goods—so much for password security awareness in business.

Here’s the full list of the 10 most common passwords:

• 123456
• 123456789
• qwerty
• password
• 111111
• 12345678
• abc123
• 1234567
• password1
• 12345

It doesn’t take a cryptologist to see the problem with these. But what should you do?

Create stronger passwords

If the password on the above list are the kind of security people rely on, it’s really no wonder why brute force attacks are so popular. To avoid these common passwords and the pitfalls they represent, you’ll need stronger password. Here’s how:

• Avoid using actual words in any part of your password
• Avoid numbers in sequence
• Avoid using the same password for multiple services
• Do use a combination of upper-case and lower-case letters, numbers, and symbols
• Do use at least 8 characters. The longer, the better
• Do regularly replace your passwords with new ones

However, you probably have many accounts that each require a username and password, so trying to commit more than a couple of these to memory could be rather frustrating. Luckily, an entire class of applications has arisen to help you keep your passwords in top shape. Services like LastPass, for example, can remember all your passwords for you. As long as you’re signed in to the browser extension, the service will remember and autofill your credentials when you log in on a website. With built-in random password generators, you can instantly make a unique 50-character string and never need to remember more than your device unlock code and your Lastpass password. This method virtually eliminates the possibility of someone remotely brute-forcing their way into your account.

Consider multi-factor authentication (MFA)

Ultimately, passwords are insufficient by themselves. Even with the most random string of characters, rainbow tables and dictionary attacks can still get lucky. Feel free to check out cybersecurity expert Troy Hunt’s website and see for yourself if you’ve already “been pwned.” To be truly secure, you need a better strategy.

Fortunately, a better strategy presents itself quite plainly: You should use more than just a password. For doubly strong authentication, an account should require something that you know and something that you have in order to prove your identity. A strong password would fit the bill for something you know. Wherever possible, configure two-factor authentication to send confirmation to your phone—something only you would have—when a sign-in is attempted.

In this example, a hacker would need to know both the credentials to the account they’re trying to crack and have physically stolen and unlocked your cell phone, which is a highly unlikely scenario.

Think even bigger to stay secure

Finally, since password hacking isn’t the only way the bad guys can pilfer your digital goods, it’s also important to complement your newfound password prowess with security for the endpoints where you use them. While we don’t have time to outline the “how” for securing endpoints here, a good place to start is opting for devices with baked-in security, like HP’s secure printers. Doing so can provide an instant backup for any password insecurities.

To sum things up: Make sure your passwords are long, random, constantly changing, and never the sole point of failure in the event that a hacker gets their hands on one. Doing so will help to keep you safeguarded against digital ruin.

used with permission from Tektonika (HP)
by Joe Hewitson