Password Security Tips

The modern internet runs on authentication. Safe and effective use of computer applications is based on the idea that your data is tied to your identity, and your identity is verified with some form of authentication – usually a password. For most people, this doesn’t seem very exciting, but for an attacker, it’s an essential component of any attack campaign. As offensive security professionals, we often find that using legitimate credentials is the easiest and most efficient method of gaining access to networks. Unfortunately, in terms of risk, passwords present one of the most challenging and pervasive areas for individuals and organizations alike. In order for passwords to be effective and protected at the same time, a balance must be struck. Using the following tips and tricks can help you determine how to leverage strong security principles for any threat model or level of technical expertise.

Password Length

When learning about password security, the most common thing people hear is that long passwords are better than short ones. As a general rule, this statement is true, depending on what you consider "better." Longer passwords are certainly harder for an attacker to guess by brute force, the strategy of cycling through every possible combination of characters until one succeeds, because every added character multiplies the number of candidates. However, length alone can be misleading. An attacker targeting a specific person often benefits from long passwords, because a user who has to remember something long tends to build it from common words, names, or phrases, sacrificing randomness for convenience. A password like that falls to a dictionary or word-combination attack long before a brute-force search would ever reach it.

As with all of these tips, the length of a password comes with a trade-off between usability and security. Unfortunately, in most cases, complexity is prioritized over length.

Password Complexity

Most people think of password complexity as randomness, but technically it is determined by the number and types of characters (or keyspace) that can be used. So when a website asks you to include special characters or capital letters in your new password, it forces you to increase the keyspace.

If a password may contain only lower-case letters, each position has 26 possible values. Allowing upper- and lower-case letters raises the keyspace, the number of characters that may appear in each position, to 52.
This does far more than double the number of possible passwords, because every position multiplies by the keyspace. An eight-character string over 26 letters has 26^8 = 208,827,064,576 possibilities, while an eight-character string over 52 letters has 52^8 = 53,459,728,531,456. Adding the ten digits gives 62^8 = 218,340,105,584,896. Put another way, with a keyspace of 26 lower-case letters it takes an 11-character string (26^11, roughly 3.7 × 10^15) to exceed the number of combinations of an eight-character string over 62 characters; ten lower-case characters (26^10, roughly 1.4 × 10^14) still fall short.
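The arithmetic above, and the point made earlier about long passwords built from common words, are easy to get wrong by hand, so the following is an added worked example (not code from the original article) that computes the keyspace and brute-force work in bits for each character class, finds the lower-case length needed to match a mixed-class password, and contrasts a character-based estimate with a word-based one. The symbol count of 33 (printable ASCII punctuation plus space) and the 7,776-word list size are assumed values for illustration; real site policies and word lists vary.

```python
import math

# Character classes a typical site policy counts toward "complexity".
LOWER = 26
UPPER = 26
DIGITS = 10
SYMBOLS = 33  # assumed: printable ASCII punctuation plus space; policies differ


def keyspace_count(charset_size: int, length: int) -> int:
    """Number of distinct strings of `length` characters drawn from `charset_size`
    symbols. Each position is chosen independently, so this is charset_size ** length
    (ordered, with repetition), not a combination count."""
    if charset_size < 1 or length < 1:
        raise ValueError("charset size and length must be positive")
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Brute-force work in bits: log2 of the keyspace, assuming every string is
    equally likely (i.e. the password was generated at random)."""
    return length * math.log2(charset_size)


def length_to_match(target_charset: int, target_length: int, charset_size: int) -> int:
    """Smallest length over `charset_size` symbols with at least as many possibilities
    as a `target_length`-character password over `target_charset` symbols."""
    target = keyspace_count(target_charset, target_length)
    n = 1
    while keyspace_count(charset_size, n) < target:
        n += 1
    return n


def passphrase_entropy_bits(wordlist_size: int, words: int) -> float:
    """Strength of a passphrase made of `words` random picks from a list of
    `wordlist_size` words. An attacker who knows the list guesses word by word, so the
    character count of the phrase is irrelevant; only list size and word count matter."""
    return words * math.log2(wordlist_size)


def report(length: int = 8):
    """Keyspace and bits for a `length`-character password over each class combination."""
    classes = (
        ("lower", LOWER),
        ("lower+upper", LOWER + UPPER),
        ("lower+upper+digits", LOWER + UPPER + DIGITS),
        ("all printable", LOWER + UPPER + DIGITS + SYMBOLS),
    )
    return [(label, size, keyspace_count(size, length), round(entropy_bits(size, length), 1))
            for label, size in classes]


if __name__ == "__main__":
    for label, size, count, bits in report():
        print(f"{label:20s} keyspace={size:3d} 8-char strings={count:,} ({bits} bits)")
    print("lower-case length needed to match 8 chars over 62:", length_to_match(62, 8, 26))
    # Constructed comparison: a 20-letter phrase looks long, but if it is four words from a
    # 7,776-word list its strength is that of the word choice, not of 20 random letters.
    print("20 random lower-case letters:", round(entropy_bits(26, 20), 1), "bits")
    print("4 words from a 7,776-word list:", round(passphrase_entropy_bits(7776, 4), 1), "bits")
```

The word-based figure is the one an attacker with a good dictionary actually faces; the character-based figure only applies when every character really was chosen at random.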

Complexity is one of the most powerful ways to increase password security. However, it comes at a cost. Complicated passwords are difficult to remember, and remembering more than one can be more or less impossible. In many cases, a person will remember one password and use it everywhere.

Password Reuse

The topic of password reuse rarely gets discussed outside of the security community. That's unfortunate, as password reuse is something every attacker looks for. Once an attacker has determined a user's password on one site, they will typically attempt that same username and password on every login page they can find (an attack usually called credential stuffing) to gain maximum access with the least amount of effort. There is only one thing worse than an easily guessable password: using the same password across multiple sites.

The solution to this problem is simple to state but hard to enforce: a unique password for every account. In practice, the best you can do is educate users and introduce tools that make maintaining many passwords easier. Password managers and password cards are two good examples of such tools.

Password Manager

A password manager can be anything that stores your passwords. Decades ago, people used notebooks as password managers. Today, the latest software has improved password managers, making them more secure and user-friendly, with additional security features to protect users against bad practices.

Several vendors and options exist to help organizations and individuals protect their credentials from theft. LastPass, 1Password, Dashlane, Bitwarden, and many others use different methodologies and subscription levels to ultimately accomplish the same goal: store and audit passwords. Even though they all meet a minimum security standard, many people are still uncomfortable using them. If your users are not comfortable using an application to manage their passwords, and you do not want them to use a notebook, the password card is a great solution.

Password Card

A password card is a small table or matrix filled with random characters. The idea is that you choose a starting point, a direction, and a number of characters, and read that sequence off the table to produce a password that is hidden in plain sight. The card itself can be carried openly or pinned to a wall; what must stay secret is the starting cell, direction, and length, and the card only protects against guessing as long as the attacker does not also have a copy of it.
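To make the scheme concrete, here is an added example (not code from the original article) that generates a password card from a cryptographic random source, reads a password off it given a start cell, direction, and length, and counts how many distinct secrets the card supports. The card dimensions (8 rows by 29 columns), the character alphabet, and the five directions are assumed choices for illustration.

```python
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"  # assumed card alphabet
ROWS, COLS = 8, 29                                            # assumed card dimensions

# Row/column steps for each reading direction (assumed set; real cards vary).
DIRECTIONS = {
    "right": (0, 1),
    "left": (0, -1),
    "down": (1, 0),
    "up": (-1, 0),
    "diag": (1, 1),
}


def make_card(rows: int = ROWS, cols: int = COLS, alphabet: str = ALPHABET):
    """Fill a rows x cols grid with characters drawn from a CSPRNG (the `secrets`
    module), never from `random`, so the card cannot be reproduced from a seed."""
    return [[secrets.choice(alphabet) for _ in range(cols)] for _ in range(rows)]


def read_card(card, row: int, col: int, direction: str, length: int) -> str:
    """Walk `length` cells from (row, col) in `direction`, wrapping at the edges, and
    return the characters as the password. The card is public; this tuple is the secret."""
    dr, dc = DIRECTIONS[direction]
    rows, cols = len(card), len(card[0])
    return "".join(card[(row + i * dr) % rows][(col + i * dc) % cols] for i in range(length))


def secret_space(card, min_len: int, max_len: int) -> int:
    """Number of distinct (row, col, direction, length) choices on this card. This is
    the work an attacker who has obtained the card must do, and it is small."""
    return len(card) * len(card[0]) * len(DIRECTIONS) * (max_len - min_len + 1)


def render(card) -> str:
    """Lay the card out with row and column headers so a user can find a start cell."""
    header = "   " + "".join(str(c % 10) for c in range(len(card[0])))
    lines = [header] + [f"{r:2d} " + "".join(row) for r, row in enumerate(card)]
    return "\n".join(lines)


if __name__ == "__main__":
    card = make_card()
    print(render(card))
    # Example secret: start at row 3, column 7, read 12 characters diagonally.
    print("password:", read_card(card, 3, 7, "diag", 12))
    choices = secret_space(card, 8, 16)
    print(f"secrets on this card for lengths 8-16: {choices:,} (~{choices.bit_length()} bits)")
```

The last line is the caveat in numbers: an 8 by 29 card with five directions and lengths from 8 to 16 offers about ten thousand possible secrets, so once an attacker photographs the card, every password derived from it can be enumerated in a moment. The card defends against remote guessing and against shoulder-surfing a sticky note, not against an attacker who has the card.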

MFA

These tips will help you maintain a stronger password, but the best way to avoid password attacks on your account is to rely on more than just your password. This is where Multi-Factor Authentication (MFA) comes into play. An MFA code is typically a six to eight digit one-time password, delivered by text message, email, or an authenticator app, that the user must enter after a correct username and password combination has been accepted by the login form. With both a password and MFA enabled, an attacker who knows the user's password still cannot access the account on their own, because the second factor is available only to the user and each code is valid only for a short period. One caveat: a code delivered by text message or email, and even an app-generated code, can be captured by a phishing page that relays it to the real site in real time, so an authenticator app or hardware token is preferable to SMS or email delivery, and users should be told never to approve a prompt they did not initiate.

As offensive security professionals, we find that nothing thwarts a password attack faster than correctly implemented MFA. If every password in an organization is leaked but every account is backed by MFA, the organization is (for the most part) still secure. Better yet, an unprompted MFA code or push alert on a user's phone is a sign that their password may have been compromised: the prompt should be denied, not approved, and the password changed immediately.

A strong password is the first line of defense against everything from ransomware attacks to identity theft. Contact our professionals to find out whether your business has strong password security, or whether you are at risk of an attack, with a Domain Password Audit from our experts.

Domain Password Audit

Take a close look at how your organization's passwords stack up with a quick but thorough analysis of your domain. A domain password audit lets your administrators know whether users are generating long, complex, and unique passwords, without anyone on your side ever learning the passwords themselves. Working through this process with our team is fast, easy, and affordable. With a password audit, you can confirm that your domain is protected against the most common and simple weaknesses that attackers constantly attempt to exploit. Speak with an Open Security representative to plan your domain password audit and feel secure knowing your secrets are safe.