In this article we will look at best practice password security, where people are going wrong, the importance of having a strong policy that is embedded and upheld across your organisation, and the technical controls that you can use to put your policy to the test.
Why Is Password Security Important?
81% of cyber attacks worldwide are the result of insecure passwords being exploited. Passwords provide the first line of defence against unauthorised access to your computer and personal information. Password security is integral to protecting your organisation from malicious attacks; however, your line of defence should not stop with password security. Really, it should only start here.
2022 Recommended Best Practice:
Ironically, the most important thing to take note of is not to note your passwords down!
We Recommend Your Password Policy Includes the Following:
- Minimum password length (12 characters) should be enforced.
- Maximum password length should not be too short because it will prevent users from creating passphrases. The typical maximum length is 128 characters.
Password Complexity – The password must meet at least three out of the following four complexity rules:
- At least one uppercase character (A-Z)
- At least one lowercase character (a-z)
- At least one digit (0-9)
- At least one special character
Do not permit passwords that are considered simple even if they meet the criteria, for example: P@ssword1.
Current advice from the NCSC is that a strong password consists of three unrelated words while still meeting the above definition of a strong password. For further advice, please follow the link below, relating to password generation best practice from the NCSC.
The NCSC guidance advocates a greater reliance on technical defences and organisational processes. However, the importance of strong passwords and strong password policies should not be forgotten; they are often your first line of defence against an attack.
What Common Issues Do We See with Organisations' Passwords?
- Password reuse
Re-using the same password can open you up to credential stuffing attacks, in which leaked credentials from one site are tried against other sites and services.
If you had multiple houses, you wouldn’t use the same lock and key for each different property, so why do we do it online?
- Similar passwords across different systems
Such as, Girrafe1, Girrafe2 etc.
Similar to password reuse, having similar passwords across different sites opens the door to your passwords being figured out and can cause more harm than good.
- Common passwords
Such as, October2022, Password1, Welcome123.
It almost seems too simple to explain: easily guessable passwords such as ‘Password’ provide no security. Continuing with the home analogy, if a robber knew where you kept your spare key, they wouldn’t need to break in; the same is true for the hacker.
Mitigating The Risk
Eliminating easily guessable passwords and customising smart lockout settings for your environment can be the best way to ensure a strong password policy whilst also having the technical controls to support it.
- Global Banned Password List
Match passwords against a list of words that no one should ever have in their password.
- Have a Custom Banned Password List
Choose words common to your organisation – founders, products, location etc. – and add them to the list of banned words.
- Smart Lock Out Settings
Lock out bad actors who are trying to guess your users’ passwords or use brute-force methods to get in.
- Multi Factor Authentication
An electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence as authentication.
- Password Manager
A password manager is a computer program that allows users to store, generate, and manage their passwords for local applications and online services.
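As an added example, not code from the original post, the following Python checker applies the policy rules given above (12 to 128 characters, at least three of the four character classes) together with a global and a custom banned-word list of the kind described under Mitigating The Risk. The word lists and the substitution table are constructed for illustration; the normalisation step is what stops a dressed-up banned word such as P@ssword1 from passing on complexity alone.

```python
import re

MIN_LENGTH = 12
MAX_LENGTH = 128
REQUIRED_CLASSES = 3  # at least three of the four complexity rules must be met

# Constructed sample lists for this example. In a real deployment the global list
# would come from a breached-password feed and the custom list from the
# organisation's own founders, products, locations and so on.
GLOBAL_BANNED = {"password", "welcome", "qwerty", "letmein", "october"}
CUSTOM_BANNED = {"acme", "widget", "london"}  # hypothetical organisation terms

# Common substitutions people use to dress up a banned word (P@ssw0rd, Passw0rd!).
# Undoing them before matching is what stops P@ssword1 from slipping through.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
    "1": "i", "!": "i", "3": "e", "7": "t",
})


def normalise(password: str) -> str:
    """Lower-case the password and undo common leet substitutions so that
    'P@ssword1' and 'Passw0rd!' both compare as containing 'password'."""
    return password.lower().translate(LEET_MAP)


def complexity_classes(password: str) -> dict:
    """Report which of the four character classes the password contains."""
    return {
        "upper": re.search(r"[A-Z]", password) is not None,
        "lower": re.search(r"[a-z]", password) is not None,
        "digit": re.search(r"[0-9]", password) is not None,
        "special": re.search(r"[^A-Za-z0-9]", password) is not None,
    }


def banned_words_in(password: str, banned: set) -> list:
    """Banned words that appear as substrings of the normalised password."""
    norm = normalise(password)
    return sorted(word for word in banned if word in norm)


def check_password(password: str,
                   global_banned: set = GLOBAL_BANNED,
                   custom_banned: set = CUSTOM_BANNED) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"length {len(password)} is below the minimum of {MIN_LENGTH}")
    if len(password) > MAX_LENGTH:
        problems.append(f"length {len(password)} exceeds the maximum of {MAX_LENGTH}")
    classes = complexity_classes(password)
    met = sum(classes.values())
    if met < REQUIRED_CLASSES:
        problems.append(f"meets only {met} of 4 complexity rules; {REQUIRED_CLASSES} required")
    for word in banned_words_in(password, global_banned):
        problems.append(f"contains globally banned word '{word}'")
    for word in banned_words_in(password, custom_banned):
        problems.append(f"contains organisation banned word '{word}'")
    return problems


if __name__ == "__main__":
    # Two weak passwords from the article, one built from the hypothetical
    # organisation's own terms, and one three-word passphrase in the NCSC style.
    for candidate in ["P@ssword1", "Welcome123", "AcmeWidgets2022!", "Ribbon-Kettle-Marble7"]:
        verdict = check_password(candidate)
        print(candidate, "->", "OK" if not verdict else "; ".join(verdict))
```

Note that the banned-word check runs on the normalised form, so a candidate is rejected even when it satisfies every length and complexity rule; that is exactly the case the policy text above calls out with P@ssword1.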
Technical controls put your policies to the test; this is important to ensure your policies are working as they should be, and it gives you the opportunity to improve, adapt or amend any part of your policy that is not working.
Strong password policies do not always mean strong security. A recent customer of ours had what on the surface looked like an incredibly strong password policy; however, when we carried out a password review putting the policy to the test, we were able to crack around 10% of the company's passwords. The most common password was in fact ‘Password1’, highlighting that although their policy was strong, the implementation and organisation-wide acceptance of this policy were not there.
We were also able to identify that a lot of these passwords were from wordlists which could be downloaded from the internet, from sites such as weakpass.com. As part of our password review, we use the results from this site to build new wordlists which target common patterns; for example, two passwords were Passwordneeds8 and Passwordneeds14, which helped us to make a new list that went from Passwordneeds1 all the way through to Passwordneeds10000.
By carrying out the password review test we were able to identify that the support team were setting up a relatively strong default password; however, a number of accounts had variations of this, meaning we were quickly able to identify a clear pattern: <colour> <animal> <number> <special character>. This made it easy for our testers to build a new list targeting this pattern and crack more passwords.
Overall, this test reinforced our view that although strong policies are in place, they do not always make for strong security, highlighting the importance of technical controls to put these policies to the test.