Have you ever stopped to think about “why” IT departments continuously preach about password security?
Leaked passwords and usernames are the most common commodity you’ll find on Dark Web hacker markets. Hackers obtain passwords through shady emails, installing viruses, or social engineering. The less complex a password, the easier it is for a hacker to obtain access to victim accounts.
We’re going to share how to design your passwords so they’re secure. That said, passwords alone are not a sufficient layer of security. The first step to preventing passwords from resulting in a successful hack at your organization is to add layers of security that ensure passwords aren’t your last line of defense. The secret sauce is to have great passwords, plus tools that prevent those passwords from being leaked easily.
1. Credential Stuffing
This involves hackers taking leaked username and password pairs and testing them against many other accounts and sites to see if there is a match.
How to Protect Yourself: To protect yourself, every login credential should be unique. This means the password you use for your email should be different from what you use for Facebook, and so on.
2. Phishing
This is psychological manipulation to trick users (usually via email) into supplying their credentials in response to a “legitimate request”.
How to Protect Yourself: To protect yourself, you can use 2FA (two-factor, or multi-factor, authentication). This means that even if a hacker were to obtain your login information, they would also need the second form of identification in order to finish logging in.
3. Password Spraying
Batman is on the list of the Top 100 most commonly used passwords. Password spraying is a technique that involves taking the most popular, widely used passwords and testing them on a wide scale. Unlike credential stuffing, the hacker already has the usernames and is focused on a single goal: figuring out your password.
How to Protect Yourself: Be as unique as possible. Use lots of characters and something that only you will know.
Some password systems will allow you to use a [space] in your password. This will make your password MUCH harder to guess, giving you an added layer of security.
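Both credential stuffing and password spraying leave a distinctive trace in authentication logs: one source address failing against many different accounts, whereas a classic brute force attack hammers a single account. The following detector, added here as an example and not code from the original article, parses a constructed sample log (hypothetical format and RFC 5737 documentation addresses) and flags both patterns so an administrator can spot them.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from the original article).
# 203.0.113.7 tries a password against many different accounts (spraying),
# 198.51.100.9 hammers a single account (brute force), and 192.0.2.5 is a
# normal user who mistypes once and then logs in.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z auth-fail user=alice src=203.0.113.7
2024-03-01T09:00:02Z auth-fail user=bob src=203.0.113.7
2024-03-01T09:00:03Z auth-fail user=carol src=203.0.113.7
2024-03-01T09:00:04Z auth-fail user=dave src=203.0.113.7
2024-03-01T09:00:05Z auth-fail user=erin src=203.0.113.7
2024-03-01T09:00:06Z auth-fail user=frank src=203.0.113.7
2024-03-01T09:00:07Z auth-fail user=ivan src=198.51.100.9
2024-03-01T09:00:08Z auth-fail user=ivan src=198.51.100.9
2024-03-01T09:00:09Z auth-fail user=ivan src=198.51.100.9
2024-03-01T09:00:10Z auth-fail user=ivan src=198.51.100.9
2024-03-01T09:00:11Z auth-fail user=ivan src=198.51.100.9
2024-03-01T09:00:12Z auth-fail user=ivan src=198.51.100.9
2024-03-01T09:00:13Z auth-fail user=judy src=192.0.2.5
2024-03-01T09:00:20Z auth-ok user=judy src=192.0.2.5
"""

# Hypothetical log format: "<timestamp> <event> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>auth-fail|auth-ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict with ts/event/user/src, or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_failures(lines, spray_users=5, brute_attempts=5):
    """Flag sources that fail against many distinct accounts (spraying / stuffing)
    and (user, source) pairs with many failures (brute force). Thresholds are
    illustrative; tune them to your own login volume."""
    users_per_src = defaultdict(set)
    fails_per_pair = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["event"] != "auth-fail":
            continue
        users_per_src[rec["src"]].add(rec["user"])
        fails_per_pair[(rec["user"], rec["src"])] += 1
    spray = sorted(src for src, users in users_per_src.items() if len(users) >= spray_users)
    brute = sorted(pair for pair, n in fails_per_pair.items() if n >= brute_attempts)
    return {"spray": spray, "brute_force": brute}


def analyze_sample():
    """Run the classifier over the constructed log above."""
    return classify_failures(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    print(analyze_sample())
```

The spraying signal is the number of distinct accounts per source, not the number of attempts: a sprayer makes only one or two tries per account precisely to stay under lockout thresholds, so a per-account lockout alone will not catch it.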
4. Keylogging
This is the act of recording your keystrokes, aka your key logs. As you type, the hacker captures every key you press and reads your password straight out of the log.
Hackers typically deploy this method by infecting machines with commercial spyware tools (the same kind that are sold to monitor employees!).
How to Protect Yourself: Make sure your endpoint is protected, or that you’ve installed security software that can detect malicious activity.
5. Brute Force Attacks
This might seem like it’s out of a sci-fi film, but brute force is a method where hackers use password cracking software to run through millions of combinations in seconds.
How to Protect Yourself: Your system administrator should be familiar with a term called salt. It’s a term associated with how stored passwords are hashed. If your system has been set up correctly, it’s virtually impossible to recover your passwords from the stored hashes. However, if your salts are not stored properly, then you could be at risk. It’s best to call your administrator to double-check.
6. Local Discovery
If you’re writing down your passwords on a sticky note and placing them on the bottom of your computer, then you’re at risk. Many companies will keep Excel spreadsheets with a list of company passwords. Unfortunately, a hacker just needs access to that file to compromise the operations of the company. Storing your passwords anywhere outside of your mind (or a proper password manager, see below) defeats the purpose and is likely to cause you future pain.
This all sounds complicated. I’m tired of memorizing passwords – but I don’t want to get hacked.
Luckily, all of the ways a password can expose your accounts can be solved by adding layers of complexity through software. There are three types of software your company can use:
1. Password Management Software
Using a password manager is a great way to create strong, randomized passwords that you don’t need to memorize. A password manager is a tool that sits on your computer, perhaps with an extension in your browser. When you create a new account or need to update a password, you use it to generate a complicated password (example that I just created using LastPass: A&eAEM2CkSYGtb^fQ8lFNhcH$6&v7t6@*u) and the tool saves it for you.
You only have to remember your master password when using a password manager, and it’s recommended you ensure it’s complicated and something you can remember. An easy way to create a complicated master password is by using an acronym for a phrase you’ll remember. An example phrase might be, “My dog Peter’s favorite toy has 3 legs missing!” which would be the password “MdP’sfth3l!”
Try not to use this password anywhere but your password manager.
When you go to log in, it’ll autofill the complex password. For large organizations we recommend a paid service like LastPass so that an administrator can reset your master password if you forget it or lock yourself out. Google provides free password management for individuals.
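What a password manager’s generator does under the hood is simple but easy to get wrong, so here is an added example (not the article’s or LastPass’s code) that draws from a cryptographically secure source, guarantees every character class is present, and reports the resulting entropy so you can see why a 24-character random password is out of reach for the brute force attacks described earlier. The symbol set and the guesses-per-second figure are assumptions for illustration.

```python
import math
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*"  # hypothetical symbol set; widen it if the site allows more
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def has_all_classes(password: str) -> bool:
    """True if the password contains at least one lower, upper, digit and symbol."""
    return all(any(c in cls for c in password) for cls in (LOWER, UPPER, DIGITS, SYMBOLS))


def generate_password(length: int = 24) -> str:
    """Generate a uniformly random password using the OS CSPRNG (secrets, never
    random). Rejection sampling keeps the distribution uniform while ensuring
    each character class appears at least once."""
    if length < 4:
        raise ValueError("need at least 4 characters to cover every class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def guess_time_years(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected years to find the password by exhaustive search, assuming the
    attacker must try half the space on average at the given (assumed) rate."""
    return 2 ** (bits - 1) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for n in (8, 12, 24):
        bits = entropy_bits(n)
        print(f"{n} chars: {generate_password(n)}  ~{bits:.0f} bits, "
              f"~{guess_time_years(bits):.3g} years at 1e10 guesses/s")
```

Two things worth noticing: the generator never reuses the same string, so each account gets a unique credential (which is the whole defense against credential stuffing), and the jump from 8 to 24 characters takes the search time from well under a year to an astronomical figure, far more than any extra symbol could add to a short password.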
2. Single Sign-On (SSO)
Single sign-on is a tool that a company can use to integrate all of its web applications so employees can sign in from a single website. You add all of the accounts your company uses to the SSO tool, and each employee creates one password to sign into the SSO tool. When they log in, they’re presented with all of their applications, which they then click to access.
Single sign-on is especially great for companies whose employees use different applications. You don’t want your software developers to have access to accounting software, so when setting up the SSO, the administrator of the account would create a profile for software developers with only the applications they need to access. Limiting unnecessary access is an excellent cybersecurity practice on its own.
Examples of SSO providers include Okta, Cisco, and OneLogin among many others.
3. Dual Factor Authentication (aka Multi-factor, DFA, MFA)
Dual factor authentication is recommended for just about anything that requires signing in with a password. Even the two tools above benefit from integrating with DFA.
DFA works by adding an extra step to signing in after using a password to sign into an application. Say you enter in your password to log into your email account – the DFA tool will then request a code to be entered that you can only see from a verified personal device (personal cell phone typically).
Many tools will give you an authenticator that you install on your personal device which keeps track of all of your accounts that you use DFA on. Of course, a potential flaw in using DFA is if you lose your phone, so make sure you have a means to wipe your phone if you lose it.