Showing posts with label passwords. Show all posts

Saturday, June 23, 2018

The Password Game

With all the focus on phishing and ransomware (which, yes, you need to be protecting your organization from), don't lose sight of the importance of good password management.  You hear security folks talking about strong passwords, or complex passwords, but what does that mean?  And better yet, why is it important?

Answer to the question: "What is a Strong password?"
Strong passwords are by nature harder for a hacker to compromise because they have all of the following characteristics:

  • They are complex passwords (made up of alpha, lower case, upper case, numeric, and special characters such as @#$%&?!).
  • They are not dictionary words or proper nouns.
  • They are long in length (8 is usually recommended, but 10 or more is better).
  • They are changed with frequency (45 days is recommended, but 30 days is better).
  • They are not recycled (also known as password history, usually recommended that the setting be the last 12 passwords, but a good practice is to never reuse a previous password.)
So to answer the question "Why is it important?", let's go through each of the above points to demonstrate this:

  1. Complex Passwords: The reason you don't want to use only alphabetic and numeric characters is the advances in password cracking tools.  Should the password file on your computer, or a single password going across the web, be captured by a hacker, they will perform what is called a Brute Force attack on the password hash (the encoded / encrypted password).  The tools in use take one character at a time and try to guess what that character is.  If you use only lower case alphabetical characters, then the tool only has to try 26 possibilities for each of your password's characters to figure it out (the password would be cracked in milliseconds).  Adding different cases, numbers, and special characters, as well as using a long password, increases the amount of time it takes a tool to decipher your password.  This is important when we discuss change frequency.
  2. Dictionary Words / Proper Nouns - In the early 2000's someone came up with a tool called Rainbow Crack and created a number of data sets (lists) of dictionary words, first names of people, and names of places, along with their corresponding password hashes under various encryption ciphers.  In essence, Rainbow Crack predetermined what a dictionary word looks like once encrypted, so if a password file or hash was captured, the tool could use the Rainbow tables to turn cracking the password into a database lookup that instantly returns the full password.  So don't use dictionary words or names.  In fact, it is better not to use pass-"words" at all, but a phrase instead: something that means something only to you and is easy to remember.  Let's say your daughter's name is Sara, she was born in 2008, and you drive a Chevy Cruz.  Your passphrase could be $ar@08CrUzing.
  3. Password Length - As mentioned in #1 above, the longer the complex password, the more time it will take to crack if the hash is compromised.  So think of this as a game you are playing: the more complex and longer the password, the more you increase your odds of protecting it and decrease the hacker's odds of cracking it before you change it.  Which leads us to the next point...
  4. Password Change Frequency - In one of my posts from last year, I applied a Benjamin Franklin quote to changing passwords: "Passwords are a lot like diapers. They should be changed frequently, and for the same reasons."  So the whole point of coming up with a complex password that is long and doesn't contain any dictionary words is to increase the time it takes to crack the password beyond the point where you change it.  If you never change your password, eventually a hacker can crack it.  Therefore, you should change your passwords every 30-45 days.  In theory, by the time a hacker gets your password hash and cracks it, you will have already changed it, and the cracked password is now useless.
  5. Password History - For the same reason as in #4 above, don't reuse an old password, at least not for several change cycles.  If you change your password every 30 days, it takes a hacker 60 days to crack your password, and you then reuse the original password, you have defeated the purpose of changing it.
So as demonstrated in the above 5 points, all of these characteristics work together not to prevent a hacker from getting your password, but to prevent a hacker from getting a password that still works.  It is a game you are playing, and your goal is to run the clock down on the hacker while you are ahead.
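To put numbers on points #1 through #4, here is a small added example (not part of the original post) that scores the post's own passphrase, $ar@08CrUzing, alongside weaker ones.  It models a brute-force tool searching the whole keyspace (alphabet size to the power of the length) at an assumed rate of one billion guesses per second, compares the worst-case crack time against a 45-day change interval, and uses a constructed, unsalted SHA-1 table of a few dictionary words to show why a Rainbow table turns a plain word into an instant lookup.

```python
import hashlib
import string

# Character classes named in the post; each class a password draws from
# enlarges the alphabet a brute-force tool must try at every position.
CLASSES = {
    "lower": set(string.ascii_lowercase),  # 26
    "upper": set(string.ascii_uppercase),  # 26
    "digit": set(string.digits),           # 10
    "special": set("@#$%&?!"),             # the seven specials listed in the post
}

def alphabet_size(password):
    """Combined size of every character class the password uses."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))

def brute_force_seconds(password, guesses_per_second):
    """Worst case: try every string of this length over that alphabet."""
    return alphabet_size(password) ** len(password) / guesses_per_second

def outlives_rotation(password, guesses_per_second, rotation_days):
    """Post's point #4: is the worst-case crack longer than the change interval?"""
    return brute_force_seconds(password, guesses_per_second) > rotation_days * 86400

def sha1_hex(text):
    """Unsalted SHA-1, the kind of hash a precomputed table is built against."""
    return hashlib.sha1(text.encode()).hexdigest()

# Constructed stand-in for a Rainbow table: hashes of dictionary words and
# names computed once, so cracking becomes a lookup (post's point #2).
WORDLIST = ["password", "sara", "karen", "chevy", "summer"]
PRECOMPUTED = {sha1_hex(w): w for w in WORDLIST}

def lookup_hash(hexdigest):
    """Return the plaintext if the hash is in the table, else None."""
    return PRECOMPUTED.get(hexdigest)

if __name__ == "__main__":
    RATE = 1e9  # assumed guess rate: one billion hashes per second
    for pw in ["sara", "sara2008", "K@r3n330!9", "$ar@08CrUzing"]:
        days = brute_force_seconds(pw, RATE) / 86400
        print(f"{pw:14} alphabet {alphabet_size(pw):2}  worst case {days:.3g} days"
              f"  outlives 45-day rotation: {outlives_rotation(pw, RATE, 45)}")
    for word in ["sara", "$ar@08CrUzing"]:
        print(f"table lookup for {word!r}: {lookup_hash(sha1_hex(word))}")
```

The guess rate and the seven-character special set are assumptions; a real cracking rig and a real Rainbow table are larger on both counts, which only widens the gap between a plain word and a long mixed-class passphrase.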

Be Secure!

Monday, December 18, 2017

The Center of Your Online Life is Not Social Media

While an entire generation of Millennials might disagree with this statement, e-mail is the hub around which all other online activities revolve.  To prove this point, take a look at the last 30 e-mails in your Inbox (disregarding any spam).  You probably have an e-mail or two from your financial institutions (banks, loan company, insurance, and brokerage), e-mails from online eCommerce sites that you frequent, e-mails from all of your social media sites, your mobile phone provider, and possibly your utilities as well.  Also, if you think about it, every website you are registered on does password resets via e-mail.  While some may also offer SMS text as an option, or as an additional factor, the majority still just use your e-mail to reset your password.  That is what makes e-mail a huge cyber risk area.  Should your e-mail be compromised by a hacker, yes, they can read your e-mail or send e-mail on your behalf, but the worst part is that they can quickly inventory every website and bank you do business with.  Combined with the ability to reset your online passwords through your e-mail, that makes for a dangerous combination.  And once they have access to your e-mail, they can intercept and delete any alert e-mails you get from your banking and eCommerce websites about transactions, address changes (for shipping credit/debit cards or merchandise paid for with your account), or other suspicious activity.

Also, a common mistake people make is using the same password for their e-mail that they use for their other online accounts.  So before a hacker even tries a password reset, which you may notice and which may send an SMS text alert to your phone, they will first try your e-mail password on your other websites as a one-time attempt.  This way they will not trip the “3 strikes and you’re out” password lockout rules, and will most likely get some hits, preferably on a banking site or eCommerce site that you’ve stored other information on, such as your date of birth, social security number, or your masked credit/debit card number that shows the last 4 digits.  Although it is PCI compliant to mask all but the last 4 digits of your credit/debit card, those 4 digits are also another data point that many organizations use to identify you if you call in to their contact center.

To sum it up, your e-mail is used on all your other web/mobile sites.  It is used for identification, for password resets, for communication with you, and contains a history of messages from all websites you have interactions on.  You need to protect your e-mail account.

So how do you do this?  Follow my tips below:
  • Don’t use the same password for your e-mail that you use on other websites.  (If your account is compromised on another website, and your e-mail uses the same password, then the Hacker has control of your e-mail)
  • Don’t recycle old passwords.
  • Change your passwords every 30 – 45 days. (See my blog post on changing passwords frequently)
  • Make your password a complex password that can’t be guessed.  Use lower and upper case, numbers, and special characters.  The longer the better (10-14 characters).  Never use dictionary words or names of people.
  • Be alert to suspicious activity in your Inbox, such as e-mails in a “read” status that you have not read yet, or e-mails that have been moved to Deleted Items that you did not delete.  Also check your Sent Items to see if there is anything in there that you did not draft.
  • Be cautious when using public computers (libraries, hotel business centers, etc.).  Make sure you totally log out of your e-mail, and it is a good idea to change your password when you get back to home/work and can access a computer that you trust.
Be secure!

Tuesday, December 12, 2017

Benjamin Franklin’s advice on changing your passwords

If Benjamin Franklin was alive today, what would his advice be on changing your passwords?

I would imagine wise old Ben would say something similar to his quote on politicians:

“Passwords are a lot like diapers. They should be changed frequently, and for the same reasons.”

Like most people, you have heard that you need to have a complex password, but what you may not be told very often is that you need to change it frequently, preferably every 30 days.  The reasons for this are many.  Most importantly, should your password be captured by a cyber-criminal, more often than not it is captured through the use of an automated tool such as a sniffer, or your password hash (your password encrypted) is obtained from a website that you use which has been compromised.  In both cases, there is some time between when the password is in the hands of the hacker and when it is actually used.  Even if only your encrypted password is captured, it can be cracked.  A complex password can be cracked in less than 45 days, which is why you should change it at a minimum every 45 days.  The best security is security that is constantly changing.  In theory, if your password is captured and you change it frequently, then it has a very short shelf life and will be of little use to a hacker.
As always, frequent change is just one piece of the security puzzle.  To extend your password’s life, use a password that has a minimum length of 10 characters (14+ is preferable) and uses upper and lower case alpha, numeric, and special characters (!@#$%&?).  Most importantly, stay away from dictionary words and people’s names.  I recommend using a combination of things in your life to make the password easy for you to remember, but hard to guess and difficult for a hacker to crack.  For example, let’s say you drive a BMW 330i (or it’s your dream car), your daughter’s name is Karen, and your wedding anniversary is on June 9th.  A good password would be K@r3n330!9, whereby you replace vowels with numbers and special characters.  Memorable for only you, and harder to crack than a non-complex password.

A good password checker that runs on your PC (and it's free) is at https://sensepost.com/blogstatic/2010/04/password-strength-checker.html

Keep in mind, even my example only rates as “Reasonable”.

Be secure!