
Saturday, June 23, 2018

The Password Game

With all the focus on phishing and ransomware (which, yes, you need to be protecting your organization from), don't lose sight of the importance of good password management.  You hear security folks talking about strong passwords, or complex passwords, but what do those terms mean?  And, better yet, why do they matter?

Answer to the question: "What is a Strong password?"
Strong passwords are by nature harder for a hacker to compromise because they have all of the following characteristics:

  • They are complex (made up of alphabetic characters in both lower and upper case, numerals, and special characters such as @#$%&?!).
  • They are not dictionary words or proper nouns.
  • They are long (8 characters is usually recommended, but 10 or more is better).
  • They are changed frequently (45 days is recommended, but 30 days is better).
  • They are not recycled (also known as password history; the usual recommended setting is to block the last 12 passwords, but a good practice is to never reuse a previous password).
So to answer the question "Why is it important?", let's go through each of the above points to demonstrate this:

  1. Complex Passwords: The reason you don't want to use only alphabetic and numeric characters is the advances in password cracking tools.  Should the password file on your computer, or a single password going across the web, be captured by a hacker, they will perform what is called a Brute Force attack on the password hash (the encoded / encrypted password).  The tools in use take one character at a time and try to guess what that character is.  If you use only lower case alphabetical characters, then the tool only has to try 26 possibilities for each of your password's characters to figure it out (the password would be cracked in milliseconds).  Adding different cases, numbers, and special characters, as well as using a long password, increases the amount of time it takes a tool to decipher your password.  This matters when we discuss change frequency.
  2. Dictionary Words / Proper Nouns: In the early 2000s someone came up with a tool called Rainbow Crack and created a number of data sets (lists) of dictionary words, people's first names, and names of places, together with their corresponding password hashes computed using various encryption ciphers.  In essence, Rainbow Crack predetermined what a dictionary word looks like once encrypted, so if a password file or hash was captured, this tool, using the rainbow tables, turned cracking the password into a database lookup that instantly gives you the full password.  So don't use dictionary words or names.  In fact it is better not to use pass-"words" at all, but a phrase instead.  An example would be something that has meaning only to you and is easy to remember.  Let's say your daughter's name is Sara, she was born in 2008, and you drive a Chevy Cruz.  Your passphrase could be $ar@08CrUzing.
  3. Password Length: As mentioned in #1 above, the longer the complex password, the more time it will take to crack if the hash is compromised.  So think of this as a game you are playing: the more complex and longer the password, the more you increase your odds of protecting it and decrease the hacker's odds of cracking it before you change it.  Which leads us to the next point...
  4. Password Change Frequency: In one of my posts from last year, I applied a Benjamin Franklin quote to changing passwords: “Passwords are a lot like diapers. They should be changed frequently, and for the same reasons.”  The whole point of coming up with a complex password that is long and doesn't contain any dictionary words is to push the time it takes to crack the password beyond the point where you change it.  If you never change your password, eventually a hacker can crack it.  Therefore, you should change your passwords every 30-45 days.  In theory, by the time a hacker gets your password hash and cracks it, you will have already changed it and the cracked password is useless.
  5. Password History: For the same reason as in #4 above, don't reuse an old password, at least not for several change cycles.  If you change your password every 30 days, it takes a hacker 60 days to crack your password, and you then reuse the original password, you have defeated the purpose of changing it.
So as demonstrated in the above 5 points, all of these characteristics work together not to prevent a hacker from getting your password, but to prevent a hacker from getting a password that works.  It is a game you are playing, and your goal is to run the clock down on the hacker while you are ahead.
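As an added example (not code from the original post), here is a small checker that scores a candidate password against the five characteristics listed above; the word list, the 10-character minimum, the 45-day maximum age and the 12-entry history depth are constructed assumptions drawn from the numbers in the post.

```python
import re
import string

# Constructed stand-in for a dictionary/name list (assumption: a real check would
# load a full word list, e.g. /usr/share/dict/words, plus a list of common first names).
WORD_LIST = {"password", "sara", "karen", "summer", "welcome", "chevy", "cruz"}

# The special characters the post names; any other punctuation also counts.
SPECIALS = set("@#$%&?!") | set(string.punctuation)


def character_classes(password):
    """Return which of the four classes (lower, upper, digit, special) are present."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in SPECIALS:
            classes.add("special")
    return classes


def contains_word(password, min_run=4):
    """True if any run of min_run or more letters is a listed word or name."""
    return any(run.lower() in WORD_LIST
               for run in re.findall(r"[A-Za-z]+", password)
               if len(run) >= min_run)


def check_policy(password, history=(), days_since_change=0,
                 min_length=10, max_age_days=45, history_depth=12):
    """Score a candidate against the five characteristics; returns name -> passed.

    `history` is the list of previous passwords, oldest first (a real system
    would compare salted hashes rather than keep a plaintext history).
    """
    return {
        "complex": len(character_classes(password)) == 4,
        "no_dictionary_words": not contains_word(password),
        "long_enough": len(password) >= min_length,
        "changed_recently": days_since_change <= max_age_days,
        "not_recycled": password not in list(history)[-history_depth:],
    }


def is_strong(password, **kwargs):
    """A password is strong only when every characteristic passes."""
    return all(check_policy(password, **kwargs).values())
```

Run against the post's own example, `$ar@08CrUzing` passes all five checks, while `Sara2008` fails complexity, length and the name check.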

Be Secure!

Friday, May 25, 2018

No Silver Bullet for the Cyber-wolves

The majority of individuals and businesses are sold a bill of goods regarding cyber security.  They hear marketing pitches for security software, appliances, and managed services, and are told that "this product" or "that service" will secure their business or their home computer, and at the end of the day it gives them a false sense of security.

While these products and services can help reduce your risk of a cyber incident, they are only a small piece of your overall security program.  There is no silver bullet that can keep hackers at bay.  To keep them at bay, you need to employ a Defense in Depth security program.  While this sounds like a daunting and expensive task, it can actually be done very inexpensively and with a few simple steps.

Risk Assessment - "If You Can't Measure It, You Can't Improve It." - Peter Drucker
The first step is to have a security risk assessment performed.  This tells you where your information security risks are, what controls you have in place, and what control gaps or weaknesses you need to shore up.

Policies, Plans & Procedures - "Those that fail to plan, plan to fail."  - Alan Lakein

  • Information Security Policy - This should cover, at a minimum, access control/user management, anti-virus, patching, password management, data classification and handling, use of encryption, remote access, change/configuration management, software acquisition/licensing, logging, and acceptable use.
  • Incident Response Plan - You need to have this before you have an incident.  Don't worry about trying to identify every single type of incident to deal with; just get it down to high-level impacts, e.g. network outage, server outage, application outage, security breach, malware infection, etc.  Have written procedures on how your staff should respond to each of these types of incident.
  • Business Continuity Plan - If there is an electrical outage, fire, or natural disaster, you need a plan of action for how and where you will resume your business.  Also have all your employee, contractor, and vendor contact information in the plan.  Keep the plan in multiple locations, including a hard copy at your home.  If there is no power, your cloud or PC may not be accessible.  Do not get hung up on the type of disaster; focus on the fact that your office is not accessible, and the plan needs to answer the question "What do I do now to stay in business?".  Do a paper walk-through with your management team at least twice a year and update the contact info.


Anti-Malware (Anti-Virus, End Point Control, Patching)
Having anti-virus and end point protection is not optional.  Make sure they are actively running, updated daily, that scans run daily (off hours), and that only an Admin can disable or change the settings.  Also, no user on your business network should have Local Admin, and the IT guys should have an Admin account for doing things that require Admin access and a non-Admin (normal user) account to surf the web and check e-mail.  Malware is most dangerous if it can execute using Admin privileges, and whoever clicks on it executes it with their own privileges.  Patching needs to be done in a timely manner on operating systems, database management systems (MS SQL, MySQL, Oracle), and application software (Apache, Adobe, Office, etc.).

PC & Server Hardened Standard Image
Your PCs and servers require certain services to operate.  Over time, as you add software, more and more services are activated, usually set to run at startup (when most do not need to).  Besides slowing down the machine and providing a poor user experience (it takes forever to start up and shut down), having unnecessary services running increases the attack surface for a hacker or malware.  You should have a standard image for your organization's PCs and servers in which you deactivate all non-essential services (daemons in the Unix/Linux world).  Also, remove all non-essential user accounts.  Most operating systems and applications come with Test or Guest accounts.  Either remove them or disable them.  If you have to keep any default accounts, then change their passwords and make them complex (10-14 characters, alpha-numeric, caps, and special symbols).  This is called hardening.  Once you have a hardened image, copy it, and that is what every machine in your organization gets as a baseline.  And since you are not letting your users have Local Admin, they will not be able to install software, which ensures that only approved, malware-free, and licensed software is running on your network.

Network Security
You should have multiple layers of firewalls/routers/switches.  Keep these patched in a timely manner too, and change all default accounts and passwords.  You should have some type of Intrusion Detection or reporting system in place to sift through the firewall logs and report the critical alerts, so you know if you are under attack and can follow your Incident Response Plan, as noted above, to prevent or stop an attack.

Security Awareness Training
While listed last in this post, it is by far the most important low-cost security measure you can take.  Cyber criminals have figured out that it requires a lot of skill and hard work to hack your network.  It is much easier to trick your employees into giving them a userid and password, your customer/employee data, or wiring money out of your business bank account.  Your awareness program is not a once-a-year video or PowerPoint slide deck.  It needs to be ongoing and use a number of mechanisms to stay top of mind for your employees.  Monthly security tip e-mails, security posters in the break room, mock phishing exercises, having a security expert come in quarterly for live or web-based training, and having your IT or security team do monthly brown-bag lunch presentations will have a big impact on your employees' security awareness.

To sum it up, there is no silver bullet, and information security is not a menu to choose from.  You have to do all of these things, and more, to have a defense in depth security architecture.  You need to put up enough barriers to frustrate attackers, which will encourage them to leave your organization alone and go hack someone else... (hopefully your competitors who don't take my advice).



Tuesday, December 12, 2017

Benjamin Franklin’s advice on changing your passwords

If Benjamin Franklin were alive today, what would his advice be on changing your passwords?

I would imagine wise old Ben would say something similar to his quote on politicians:

“Passwords are a lot like diapers. They should be changed frequently, and for the same reasons.”

Like most people, you have heard that you need to have a complex password, but what you may not be told very often is that you need to change it frequently, preferably every 30 days.  The reasons for this are many.  Most importantly, should your password be captured by a cyber-criminal, more often than not it is captured through the use of an automated tool such as a sniffer, or your password hash (your password, encrypted) is obtained from a website you use that has been compromised.  In both cases, there is some time between when the password is in the hands of the hacker and when it is actually used.  Even if only your encrypted password is captured, it can be cracked.  A complex password can be cracked in less than 45 days, which is why you should change it at a minimum every 45 days.  The best security is security that is constantly changing.  In theory, if your password is captured and you change it frequently, then it has a very short shelf life and will be of little use to a hacker.
As always, frequent change is just one piece of the security puzzle.  To extend your password's life, use a password that has a minimum length of 10 characters (14+ is preferable) and uses upper and lower case alphabetic, numeric, and special characters (!@#$%&?).  Most importantly, stay away from dictionary words and people’s names.  I recommend using a combination of things in your life to make the password easy for you to remember but hard to guess and difficult for a hacker to crack.  For example, let’s say you drive a BMW 330i (or it’s your dream car), your daughter’s name is Karen, and your wedding anniversary is on June 9th.  A good password would be K@r3n330!9, whereby you replace vowels with numbers and special characters.  Memorable only to you and harder to crack than a non-complex password.
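As an added example (not the author's code), the arithmetic behind the crack-time-versus-change-interval argument made here and in "The Password Game" post above: how the keyspace grows with length and character classes, and whether an exhaustive search outlasts the rotation interval.  The guess rate is a constructed assumption, and the special-character class is sized to the seven characters this post lists.

```python
# Sizes of the character classes the post names; "special" is sized to the seven
# characters it lists (!@#$%&?), a deliberate underestimate of a real keyboard.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 7}

SECONDS_PER_DAY = 86_400


def keyspace(length, classes):
    """Number of candidate strings of exactly `length` drawn from the given classes."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return alphabet ** length


def days_to_exhaust(length, classes, guesses_per_second):
    """Days needed to try the whole keyspace at a constant guess rate.

    A brute-force search finds the password on average after half the keyspace,
    so this is the attacker's worst case, not the expected time.
    """
    return keyspace(length, classes) / guesses_per_second / SECONDS_PER_DAY


def outlasts_rotation(length, classes, guesses_per_second, change_days):
    """True if even an exhaustive search takes longer than the rotation interval,
    i.e. the captured hash is expected to be stale before the search can finish."""
    return keyspace(length, classes) > guesses_per_second * change_days * SECONDS_PER_DAY


def min_length_to_outlast(classes, guesses_per_second, change_days, max_len=64):
    """Smallest length whose keyspace exceeds what can be searched before rotation."""
    for length in range(1, max_len + 1):
        if outlasts_rotation(length, classes, guesses_per_second, change_days):
            return length
    return None


if __name__ == "__main__":
    # Constructed rate (assumption): one GPU rig against a fast unsalted hash.
    RATE = 10**9
    ALL = ["lower", "upper", "digit", "special"]
    for length, classes in [(8, ["lower"]), (8, ALL), (10, ALL), (14, ALL)]:
        print(f"{length:2d} chars, {len(classes)} classes: "
              f"{days_to_exhaust(length, classes, RATE):>14.3f} days to exhaust, "
              f"outlasts 45-day rotation: {outlasts_rotation(length, classes, RATE, 45)}")
    print("min length (all classes) to outlast 30 days:",
          min_length_to_outlast(ALL, RATE, 30))
```

At the assumed rate, 8 lower-case characters fall in minutes and 8 characters from all four classes in under a week, while 10 characters from all four classes take tens of thousands of days, which is the gap the 45-day rotation is meant to exploit.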

A good password checker that runs on your PC (and it's free) is at https://sensepost.com/blogstatic/2010/04/password-strength-checker.html


Keep in mind, even my example only rates as “Reasonable”.

Be secure!