Data breaches in 2018 cast a shadow on some of the biggest names in the world: Google+, Facebook, Marriott, Quora, and even MyFitnessPal, Under Armour’s fitness app. The cost of a data breach is rising. An average data breach costs $3.86 million world-wide, $7.91 million in the US, and takes an average time of 196 days to detect.
The cause of 81% of data breaches? Compromised passwords.
As a CISO, CIO, or any other InfoSec professional, you are aware of this crisis. Are your colleagues, bosses, employees, and family members? Perhaps this post should be shared with them, too. Millions of personal records including names, birthdays, addresses, emails, usernames, and yes, passwords, have been exposed in thousands of these breaches.
It is nice to think you’re not important enough for any malicious activity to happen to your accounts, but we are here to tell you that is a daydream. Wake up. Attacks are opportunistic, and low-hanging fruit like publicly known passwords are the lowest of them all. Attackers might use your password to login to company portals or guess other account passwords without your knowledge.
It’s worth noting that the term “password” here usually means a password “hash,” which has to be cracked before it yields the plaintext. However, that cracking work is routinely done by third parties after a breach, so plaintext passwords end up readily available anyway. Don’t be reassured by breach-notification e-mails that admit your data was stolen but assure you your password was “securely hashed.” Check out Troy Hunt’s fantastic haveibeenpwned site to see whether your information was part of any known breach.
Take a look at some recent numbers regarding password habits. Are you included?
- 73% of online accounts are guarded by duplicate passwords.
- 50% of users say they use the same passwords for work and personal accounts.
- 86% of users were using passwords already leaked in other data breaches.
- The average person types in 8 passwords a day.
- Only 28% of people are using 2-factor authentication.
Considering the statistics on US password hygiene, passwords are not as strong as people tend to believe, and we are seeing the effects. These practices, or the lack of proper ones, leave individuals and organizations vulnerable to major attacks.
So what do we do? First, forget what you’ve been told about “secure passwords.”
1. Use a password manager.
Humans are not very good at remembering long, unique passwords for every account they have. If you, too, are human, we strongly encourage using a password manager to securely store passwords.
For personal use, we recommend password managers that sync passwords across devices, such as LastPass and 1Password. They are user-friendly and easily accessible. Corporate password managers, such as CyberArk, should be used for anything business related. They are usually self-hosted and should be used instead of browser-based password storage, which can sync business credentials to mobile devices or home PCs outside the organization’s control.
There are options for every circumstance and account. The key is to pick one and use it religiously.
2. Prefer length over complexity.
A 21-character password that is all lower case is much more secure than a 12-character password with lots of complexity. Unfortunately, password requirements on many websites contradict this. If you intend to generate a password yourself, we recommend having a simple complexity technique that allows you to meet requirements, extend length, and keep it memorable.
The “sentence strategy” is one such method. It is simple and effective. If you are creating passwords yourself instead of using a random generator, take long phrases that are easy to remember and turn them into secure passwords. You can also check out useapassphrase.com as another great resource.
3. Keep passwords for longer so they are easy to remember.
Simple as that. Forcing frequent password changes undercuts the effort of choosing long ones, because people respond with shorter, patterned passwords. If you put in the effort to make passwords long and complex, you shouldn’t need to change them for quite some time. Choose strong passwords upfront and don’t worry about them until forced to. If you have the ability in your organization, increase the interval for password changes to 120 or 180 days for corporate accounts.
4. Never reuse a password.
The domino effect is real and brutal. It occurs when attackers crack a single password and then use it to get into every other account where the same password was reused. Don’t start down the slippery slope out of laziness. Ideally, every password should be random and unique to its site, kept in a storage method that fits your requirements.
If you can’t find the mental capacity to remember unique passwords for every account you have, use a password manager with randomly generated passwords. Also, if you aren’t already, find a password manager and start using it today. We mean it. It will save your bacon.
5. Use 2-Factor Authentication.
Where possible, implement a 2FA system on all accounts. This adds another layer of security against the lucky or dedicated attacker. Focus on e-mail, banking, and corporate accounts first. We recommend using authenticator apps or push-notifications over SMS 2FA, which will eventually be phased out.
We understand that password security is tough and lots of people are misinformed about how to achieve it in their organizations. We’ve worked with countless organizations whose policies they thought were secure because they met compliance requirements, but which in reality resulted in 90% of passwords being recovered during testing. Silent Break Security built the Defensix Password Audit tool to give organizations secure insight into the actual password statistics they need.
For example, September2019 meets not only the 12-character password policy minimum, but the complexity requirements, too. Yet, we know it’s a terrible password. Defensix is designed to help with issues like this and more. Check it out here.
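To make the two points above concrete (length beats complexity, and a policy-compliant password can still be weak), here is a small added Python checker; it is not part of the original post and not Defensix’s logic, and the sample passwords and the month/season heuristic are constructed for illustration.

```python
import math
import re
import string

# Constructed sample passwords illustrating the post's claims; none of them is real.
LONG_LOWERCASE = "ilikemylongpassphrase"  # 21 chars, one character class
SHORT_COMPLEX = "P@ssw0rd!2#Q"            # 12 chars, all four character classes
POLICY_COMPLIANT_WEAK = "September2019"   # the post's own example

CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
SEASONS = ("spring", "summer", "autumn", "fall", "winter")


def classes_used(password: str) -> list:
    """Character classes actually present; a brute-force search only has to cover these."""
    return [cls for cls in CLASSES if any(c in cls for c in password)]


def keyspace_bits(password: str) -> float:
    """Worst-case brute-force search space in bits: length * log2(pool size).
    An upper bound only; a dictionary-derived password sits far below it."""
    pool = sum(len(cls) for cls in classes_used(password))
    return len(password) * math.log2(pool)


def meets_complexity_policy(password: str, min_len: int = 12, min_classes: int = 3) -> bool:
    """Typical corporate rule: minimum length plus three of four character classes."""
    return len(password) >= min_len and len(classes_used(password)) >= min_classes


def is_predictable(password: str) -> bool:
    """Heuristic written for this example (not Defensix's logic) for the Word+Year
    shape: month or season, optional separator, a 19xx/20xx year, optional symbol.
    A complexity policy passes it; wordlist-based cracking finds it quickly."""
    m = re.fullmatch(r"([A-Za-z]+)[^A-Za-z0-9]?((?:19|20)\d{2})[!@#$%.]?", password)
    return bool(m) and m.group(1).lower() in MONTHS + SEASONS


def audit(password: str) -> dict:
    """What a policy engine sees next to what an attacker sees."""
    return {"length": len(password), "classes": len(classes_used(password)),
            "passes_policy": meets_complexity_policy(password),
            "brute_force_bits": round(keyspace_bits(password), 1),
            "predictable_pattern": is_predictable(password)}


if __name__ == "__main__":
    for pw in (LONG_LOWERCASE, SHORT_COMPLEX, POLICY_COMPLIANT_WEAK):
        print(f"{pw:24} {audit(pw)}")
```

Running it shows the 21-character lowercase password fails the policy yet has the largest search space, while September2019 passes the policy and is flagged as a predictable pattern.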
Let’s work together to make 2019 a year of secure passwords. A few easy changes to your password habits can help you avoid catastrophe. It only takes a few minutes to implement our suggestions and could save you and your organization the misery, headache, and millions of dollars of a data breach.
Questions? Feel free to reach out to us here.