The 5 Golden Rules for Secure Handling of Passwords
Over 80 percent of hacking-related data breaches involve stolen or guessed passwords.
Recently, I tried to log in to a website that I haven't used in a long time. Unfortunately, I didn't remember the password, so I used the “forgot password” feature. In the email I received as a result, there was no link to reset the password, just my old password. In plain English: Never send a password in an unencrypted email. Moreover, the site should not have my password in plain text at all, but only in hashed form.
This incident motivated me to write here about some principles for proper password management.
Verizon's “Data Breach Investigations Report 2020” shows that stolen or guessed passwords were used in over 80 percent of the breaches attributed to hacking.
1. Use Strong Passwords

When it comes to passwords, this is probably the best-known principle. Length matters most: a complex but short password does not provide adequate security, and standards such as the OWASP ASVS require user-chosen passwords to be at least 12 characters long (and require the system to accept at least 64). Mixing uppercase and lowercase letters, digits and symbols adds complexity, but it cannot make up for missing length. Passwords that are frequently used (e.g., password1!) are found quickly by a dictionary attack, in which the attacker tries a “dictionary” of likely passwords together with their usual variations, so new passwords should also be checked against lists of commonly used or previously breached passwords. A passphrase, such as MyAutoHas120PS. (the final period is part of the passphrase), is both long and easy to remember. In addition, a separate password should be used for each application. Since nobody can keep track of dozens of such passwords, a password manager is recommended.
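The following is an added example of such an acceptance check, not code from the article: it enforces the 12-character minimum, accepts long passphrases regardless of character classes, and rejects the trivial mutations of dictionary words that a dictionary attack tries first. The denylist, the 128-character maximum and the substitution table are constructed assumptions; a real deployment would use a breached-password corpus.

```python
"""Password acceptance check for rule 1 (added example, not the article's code).

Assumptions: a 12-character minimum (OWASP ASVS V2.1.1), a 128-character
maximum, and a small constructed denylist standing in for a real list of
commonly used or breached passwords.
"""
import re
import unicodedata

MIN_LENGTH = 12
MAX_LENGTH = 128

# Constructed denylist; a real deployment would use a breached-password corpus.
COMMON_PASSWORDS = {
    "password", "passw0rd", "letmein", "welcome", "iloveyou",
    "qwertyuiop", "sommer2023", "football", "admin",
}

# Typical "leetspeak" substitutions users apply to a dictionary word.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Reduce a password to the dictionary word it is probably built from.

    Lower-cases, strips digits and symbols from both ends and undoes common
    substitutions, so 'P@ssw0rd2024' and 'Password1!' both become 'password'.
    """
    p = unicodedata.normalize("NFKC", password).casefold()
    p = re.sub(r"^[^a-z]+|[^a-z]+$", "", p)
    return p.translate(LEET)


NORMALIZED_COMMON = {normalize(w) for w in COMMON_PASSWORDS} - {""}


def check_password(password: str) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    # Complexity alone is not checked: a long passphrase of plain words passes,
    # while a "complex" mutation of a dictionary word does not.
    if password.casefold() in COMMON_PASSWORDS or normalize(password) in NORMALIZED_COMMON:
        problems.append("based on a commonly used password")
    return problems


if __name__ == "__main__":
    for candidate in ["MyAutoHas120PS.", "Tr0ub4dor&3", "P@ssw0rd2024", "Sommer2023!!!"]:
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```

Note that "P@ssw0rd2024" satisfies every classic composition rule (upper, lower, digit, symbol, 12 characters) and is still rejected, while the plain-word passphrase passes; that is the point the paragraph makes about length versus complexity.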
2. Do Not Store Passwords in Plain Text

In order to check passwords for correctness at every login, they must be stored somewhere. Passwords must never be stored in plain text, and not in reversibly encrypted form either: if the decryption key leaks, so do all passwords. Instead, passwords are made unrecognizable with a one-way function, a cryptographic hash. A hash cannot be undone; it only works in one direction, and at login the entered password is hashed again and the two hashes are compared. To provide additional security, each hash is “salted,” i.e., combined with a random value that is stored alongside it. The salt ensures that identical passwords produce different hashes and that precomputed tables (rainbow tables) are useless. Salt alone does not stop brute-force guessing against a single hash, however; for that, a deliberately slow, password-specific hash function such as Argon2id, scrypt, bcrypt or PBKDF2 must be used instead of a fast general-purpose hash like MD5 or SHA-256.
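An added example of salted, slow password storage with the Python standard library (not code from the article): PBKDF2-HMAC-SHA256 with a fresh random salt per password, a self-describing storage record, constant-time verification, and a rehash check so the work factor can be raised later. The iteration count, salt length and record format are assumptions chosen for the example; the unsalted SHA-256 function is included only to show the anti-pattern.

```python
"""Salted, slow password hashing for rule 2 (added example, not the article's code).

Assumed parameters: PBKDF2-HMAC-SHA256 with 600,000 iterations and a 16-byte
random salt; the stored record is self-describing so the parameters can be
raised later without breaking existing accounts.
"""
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Hash with a fresh random salt; returns 'algorithm$iterations$salt$hash'."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported password hash: {algorithm}")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if the record was made with weaker parameters than currently required."""
    return int(record.split("$")[1]) < iterations


def unsalted_sha256(password: str) -> str:
    """The anti-pattern: fast, unsalted, identical for every user with this password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("MyAutoHas120PS.")
    print(record)
    print("correct password verifies:", verify_password("MyAutoHas120PS.", record))
    print("wrong password verifies:  ", verify_password("MyAutoHas120PS", record))
    print("same password, same unsalted hash:",
          unsalted_sha256("MyAutoHas120PS.") == unsalted_sha256("MyAutoHas120PS."))
    print("same password, same salted record:",
          hash_password("MyAutoHas120PS.") == record)
```

The typical migration path is to call needs_rehash() right after a successful login, when the plaintext is briefly available, and store a fresh record if the old one is below the current work factor.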
3. Multifactor Authentication

Multifactor authentication (MFA; with exactly two factors also called two-factor authentication, 2FA) means that at least two different factors are required to log in: knowledge factors (e.g., a password or PIN), possession factors (e.g., a smartphone or hardware token) and inherence factors (biometrics such as a fingerprint or facial recognition). MFA increases security considerably: even if credentials are stolen or leaked, they cannot be used on their own because the second factor still provides protection. It is not unbreakable, though. One-time codes can be phished and relayed to the real site within their validity window, and push-based approvals can be worn down by repeated prompts, so phishing-resistant factors such as FIDO2/WebAuthn security keys should be preferred where available.
4. Consider User Experience

Security and usability are often seen as opposites. However, this need not and should not be the case. Various security measures that were considered necessary in the past led to greater vulnerabilities because of poor usability. A good example is the forced, frequent changing of passwords. It was once assumed that this would render a stolen password useless after a short time. In practice, frequent changes produce passwords that follow predictable patterns (for example, the month number is appended to the end of the password); an attacker who knows one password can easily guess the next one. Moreover, frequent changes lead users to write their passwords down. Today's recommendation is therefore not to force changes on a fixed schedule; NIST SP 800-63B and the OWASP ASVS go as far as advising against any periodic rotation. A password must, however, be changed immediately whenever there is a suspicion that it has been stolen. Services that search data leaks for email addresses (such as haveibeenpwned.com) are useful for detecting this.
5. Notifications

The user should be notified of any conspicuous activity on the account. If a password is changed or reset, the user should be informed. If repeated login failures are registered, the user should be informed. If a login from another country has occurred, the user should be informed. Such notifications allow the user to react to an anomaly, for instance by changing the password or contacting support. The notification itself must, of course, never contain the password.
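An added example of the decision logic behind such notifications, run over a constructed stream of authentication events (not code or data from the article): a notice on every password change or reset, one notice when five failures accumulate within ten minutes, and one notice for a successful login from a country the user has never logged in from before. The thresholds, the event format and the rule that the first country seen is the baseline are assumptions.

```python
"""Account notifications for rule 5 (added example, not the article's code).

Assumptions: five failed logins within ten minutes trigger one notice; the
first country seen for a user is the baseline, later logins from a country
never seen before are reported. Events below are constructed, not real logs.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

FAILURE_THRESHOLD = 5
FAILURE_WINDOW_SECONDS = 600


@dataclass(frozen=True)
class Event:
    ts: int            # Unix time of the event
    user: str
    kind: str          # login_ok | login_fail | password_changed | password_reset
    country: str = ""  # country derived from the client IP, if known


class Notifier:
    def __init__(self):
        self.failures = defaultdict(deque)       # user -> timestamps of recent failures
        self.known_countries = defaultdict(set)  # user -> countries seen on successful logins

    def process(self, e: Event) -> list[str]:
        """Return the notifications to send for this single event."""
        notices = []
        if e.kind in ("password_changed", "password_reset"):
            # Always tell the account owner; if they did not do it, they will know.
            notices.append(f"{e.user}: your password was {e.kind.split('_')[1]}")
        elif e.kind == "login_fail":
            recent = self.failures[e.user]
            recent.append(e.ts)
            while recent and e.ts - recent[0] > FAILURE_WINDOW_SECONDS:
                recent.popleft()                 # slide the window
            if len(recent) == FAILURE_THRESHOLD:  # exactly once when the threshold is crossed
                notices.append(f"{e.user}: {FAILURE_THRESHOLD} failed login attempts in "
                               f"{FAILURE_WINDOW_SECONDS // 60} minutes")
        elif e.kind == "login_ok":
            known = self.known_countries[e.user]
            if known and e.country not in known:
                notices.append(f"{e.user}: successful login from a new country ({e.country})")
            known.add(e.country)
            self.failures[e.user].clear()        # a successful login ends the failure burst
        return notices


def run(events) -> list[str]:
    """Feed events in time order through one Notifier and collect all notices."""
    n = Notifier()
    return [msg for ev in sorted(events, key=lambda x: x.ts) for msg in n.process(ev)]


SAMPLE_EVENTS = [  # constructed sample, not real log data
    Event(0, "alice", "login_ok", "DE"),
    Event(3600, "alice", "login_fail", "RU"),
    Event(3601, "alice", "login_fail", "RU"),
    Event(3602, "alice", "login_fail", "RU"),
    Event(3603, "alice", "login_fail", "RU"),
    Event(3604, "alice", "login_fail", "RU"),      # fifth failure -> notice
    Event(3605, "alice", "login_fail", "RU"),      # sixth: no second notice
    Event(7200, "alice", "login_ok", "BR"),         # BR never seen before -> notice
    Event(7260, "alice", "password_changed"),       # -> notice
    Event(100, "bob", "login_ok", "US"),            # first login sets the baseline only
    Event(200, "bob", "login_fail", "US"),          # single failure, below threshold
]

if __name__ == "__main__":
    for msg in run(SAMPLE_EVENTS):
        print(msg)
```

The failure notice fires exactly once per burst rather than on every attempt, so an attacker cannot turn the feature into a way of flooding the user's inbox; the country rule reports only countries never seen on a successful login, which keeps regular travel quiet.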
Other measures that improve user experience and security include:
In conclusion:
If you follow these basic rules, you are already well on your way to better password security.
For further or more precise guidelines, there are standards such as the OWASP ASVS.
We are happy to help you implement and test them!
Do you have questions about BearingPoint Advanced Threat Inspection?
If you would like to learn more about how to identify your IT vulnerabilities and strengthen your protection against attackers, please contact our experienced security experts. We are always available to answer your questions.