Are Your Passwords as Secure as They Should Be?

In their January 2019 issue, Wired magazine reported the aggregation and publication of over 2 billion previously hacked unique usernames and passwords. These credentials are being made available to various hacker forums, potentially exposing the private data of a significant fraction of the world’s population. Analysts have determined that most of the stolen credentials represent data that is years old, and so may have already been remediated. However, the leak is still significant for the quantity of data, if not its currency.

Unfortunately, data hacking is not unusual, and this breach illustrates how pervasive and indiscriminate these attacks are. We all know how important the Internet is to our organizations, but this valuable resource does not come without risk. And so, as a service to our readers, we will be publishing a series of blog posts over the next few months in which we discuss high priority security risks and the options available for minimizing and mitigating those risks to the greatest extent possible.  This month, we discuss password security.

Password Complexity

Passwords are your first line of defense against potential hackers. As such, you want to ensure that your passwords are as secure as possible. While data breaches are beyond any individual’s control, you want to be sure your passwords can withstand brute force attacks that occur regularly.

Protecting against these breaches depends on your password complexity. Ideally, each of your passwords should have the following characteristics:

  • passwords should be lengthy (ideally at least 16 characters long)
  • passwords should contain a combination of numbers, upper and lowercase letters, and special characters
  • passwords should not be repeated
  • passwords should not include dictionary words, usernames, pronouns, or any other predefined number of letter sequences

Most applications today enforce these password creation criteria, to a greater or lesser degree, helping you create secure passwords for those applications. PG Calc’s GiftWrap and PGM Anywhere applications, for example, enforce all of the rules noted above.

It is also recommended that you configure your browser not to cache/store passwords. While this feature simplifies the login process, it also makes it easy for someone else to use your computer or device to access your accounts without needing to know your password.

Password Managers

As noted, you should not repeat passwords. However, many of us have as many as 100 passwords for the various applications and websites to which we have access. How can you manage all of these passwords? While spreadsheets are a possible solution, password managers are a more effective alternative. There are a variety of password managers available, some of which are free, including Keeper, LastPass, Dashlane, and 1Password. These passwords managers provide you with a central source, whether on the Web or on your smartphone, for password management. These apps allow you to organize and store your passwords, create complex passwords, and in some cases, offer a monitoring service that will keep you informed if any of your passwords have been compromised.  Additionally, these apps often have browser plugin-ins, to be used in conjunction with the password manager app.

Also as noted, among the services provided by password managers is password creation. Typically, these created passwords are very complex. Here is an example of a password manager created password – ocmiq$d8TTunbqga. Clearly, this password defies memory and would be highly prone to mistake upon being entered. To address this issue, may applications provide a mechanism that allows you to display your password in clear text while it is being entered. For example, MS Windows 10 displays an eye symbol in the password entry box, which when clicked and held, will display the password in clear text while being entered.

Two-Factor Authentication

Finally, security experts recommend a variety of mechanisms to enhance overall access security. One of these is 2-Factor Authentication, or 2FA, which is a form of multi-factor authentication that requires a two-step authentication process. This authentication method requires something you know and something you have or are. And so, with 2FA, you provide your username and password, as well as something that you, and only you, have. Included in the latter category are items such as an ATM card, smartphone, or fob. Also included are biometrics, such as a fingerprint, your face, or your voice. Note that 2-Factor Authentication is an option available with PG Calc’s GiftWrap application.

Next month, we’ll discuss the importance of keeping your desktop and server operating systems up to date, and something called system hardening.