Myhrtoolkit CTO Kit Barker explains why businesses need to ensure all staff understand password security best practices and how a password policy can help you achieve this.
Back in 2004, Bill Gates stated that the age of the password was coming to an end. Despite huge progress in usable biometric authentication (think of the fingerprint scanner on most modern phones), passwords remain the most common authentication method some 15 years later.
Love them or loathe them, passwords are with us for some time to come. With that being the case, we need to ensure that our passwords and our password management processes are as effective as possible.
But what is a “good” password? There’s a lot of confused and out-of-date information regarding exactly what constitutes a strong or good password. Given the speed at which the online security landscape changes, this confusion is completely understandable. As a result, much of the best practice we’ve been taught previously is now regarded as poor practice.
The role of a password policy and why your organisation needs one
It is essential to ensure that your users are regularly trained on cyber security issues and best practice. Poorly trained staff can be the weakest link in your defence, but well-trained and informed staff will be one of your strongest.
But even well-trained staff will struggle to keep abreast of all relevant security changes and that’s where your password policy comes in.
Creating a password policy
If your policy is simply a set of rules, it will not help users when these rules cannot be followed.
Instead, your password policy should clearly inform users of the best practice you expect them to adhere to. This document will be reviewed annually (at least) and will change as best practice changes. Every change is an opportunity to inform and train staff as to what has changed and, perhaps more importantly, why.
Explaining the “why” is crucial. If your staff understand the reasoning behind the policy, they have a far greater chance of applying it correctly. The policy should cover how to create good passwords and how to protect and manage them.
Clearly, your policy cannot cover every eventuality and a well-trained user is able to make secure choices when encountering such situations.
For example, what happens when other services do not adhere to your policies? This will be a common occurrence. Your policy might state that all passwords should be a minimum of 16 characters long. That’s great. But many services have maximum password lengths with far fewer characters. What should users do then?
It’s good practice to acknowledge such complexities within the policy and welcome feedback on the issues that staff have encountered when following the policy; training also comes in handy for applying the password policy to real-life situations.
What are the risks to passwords?
Let’s take a quick look at the threats to passwords themselves to understand how they are compromised. Understanding these risks will help us to better protect our passwords.
This is simple to mitigate. Don’t use anything that someone might guess! Examples would be a significant date, names of significant others or your favourite movie. You should not use these on their own or in combination.
Automated brute-force attacks
All software and services you use should have robust controls to detect and stop online brute-force attacks from taking place, but hacks and breaches are commonplace. If attackers manage to get hold of the password database, the most powerful software and hardware combinations can try around 800 million guesses each second!
If your password is a dictionary word, even with common replacements (e.g. swapping the letter e for the number 3), then it is trivial to guess in seconds.
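As an added illustration (not code from the original article), the Python sketch below shows how a policy check can catch dictionary words disguised with common replacements and estimate how long a random password would withstand the 800 million guesses per second quoted above. The wordlist, replacement table and function names are assumptions made for this example; the 16-character minimum is the article's own example policy value.

```python
import string

GUESSES_PER_SECOND = 800_000_000   # offline guessing rate quoted in the article
MIN_LENGTH = 16                    # the article's example policy minimum

# Constructed sample wordlist; a real check would load a full dictionary
# and a list of passwords seen in breaches.
SAMPLE_WORDLIST = {"password", "welcome", "dragon", "letmein", "sunshine"}

# Common character replacements mapped back to the letters they stand for.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def is_dictionary_based(password, wordlist=SAMPLE_WORDLIST):
    """True if the password is a listed word after undoing replacements,
    with or without a trailing run of digits and symbols."""
    lowered = password.lower()
    stripped = lowered.rstrip(string.digits + string.punctuation)
    return any(c.translate(LEET) in wordlist for c in (lowered, stripped))


def charset_size(password):
    """Size of the alphabet implied by the character classes in use."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(ch in cls for ch in password))


def worst_case_seconds(password):
    """Time to try every combination at the quoted rate. Only meaningful
    for randomly generated passwords; dictionary words fall far sooner."""
    return charset_size(password) ** len(password) / GUESSES_PER_SECOND


def assess(password):
    if is_dictionary_based(password):
        return "reject: dictionary word with common replacements"
    if len(password) < MIN_LENGTH:
        return "reject: shorter than %d characters" % MIN_LENGTH
    return "accept: about %.1e seconds to exhaust" % worst_case_seconds(password)


if __name__ == "__main__":
    for sample in ("P@ssw0rd1!", "abcdefgh", "qT7#vLx9!mRz2&Kd"):  # constructed
        print(sample, "->", assess(sample))
```

An eight-letter lowercase password falls in under five minutes at this rate, while a random 16-character password drawn from all four character classes does not fall in any practical timeframe.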
This is where an attacker is in the same physical space as you and simply watches you type your password or watches you copy it from your password manager.
In private offices, this is reasonably easy to mitigate. Simply be aware of your environment and position your screen so that people aren’t standing over your shoulder.
Either way, the best mitigation here is to use a password manager, such as LastPass, Dashlane or even the ones built into your browser, although these don’t have the same management tools as a dedicated password manager.
A good password manager will allow you to copy the password directly to your clipboard without showing it on the screen. You can then paste this into your website or application login. As it’s never visible on the screen, shoulder surfers can’t see it.
Insecure password storage
A password manager is a must. Whether it’s the one in your browser or a dedicated password manager, you should not be storing passwords in a book, an Excel spreadsheet, or heaven forbid a sticky note on your monitor!
Data breaches and leaks
Hackers breach sites and services all the time. It’s a sad fact of life. And when they do, those username and hashed password combinations quickly find themselves shared publicly.
In this instance, you need to change your password as quickly as possible.
This is where a password manager can really help. For example, LastPass will tell you which of the services you use have been breached since you last changed your password. There’s also a great online service, Have I Been Pwned, which allows you to receive alerts when your email address appears in any online data breach. In case you’re wondering, “pwned” is slang for “owned”, meaning you’ve been hacked.
What makes a strong password?
So, after all that, what does make a good password? In short, your passwords should be:
- Unique: this means unique to you – never reuse passwords – but also unique in a more general sense.
- Long: Assuming your password is unique then the longer, the better.
- Complex: this means using combinations of uppercase and lowercase letters along with numbers, symbols, and punctuation.
That might seem like a tall order. Especially given the number of passwords we all have. How can we possibly create all these long and complex but unique passwords? The good news is, we don’t have to. A dedicated password manager will do it for you! And if your password manager doesn’t include this, Dashlane have an online tool that does it for you.
Making use of these tools will ensure that your passwords are as unique as possible.
Written by Kit Barker
Kit is myhrtoolkit's Chief Technology Officer and a company director for myhrtoolkit who leads the technical team in developing the system. On our blog he shares specialist knowledge and tips around data security and company culture.