5 golden rules of passwords

GATEWAY PASSWORD

Over 80 percent of data breaches are caused by insecure passwords.

Recently, I tried to log in to a website that I haven't used in a long time. Unfortunately, I didn't remember the password, so I used the “forgot password” feature. In the email I received as a result, there was no link to reset the password, just my old password. In plain English: Never send a password in an unencrypted email. Moreover, the site should not have my password in plain text at all, but only in hashed form.

This incident motivated me to write here about some principles for proper password management.

Verizon's “Data Breach Investigations Report 2020” shows that stolen or guessing passwords were used in over 80 percent of breaches caused by hacking.

These five Golden Rules should be followed for secure Password Management:

1. Use strong Passwords
When it comes to passwords, this is probably the most well-known principle. It is critical to use long passwords. A complex but short password does not provide adequate security. Passwords must be at least 12 characters long, according to security standards such as the OWASP ASVS. A combination of uppercase letters, lowercase letters, numbers, and symbols can be used to provide sufficient complexity. Furthermore, passwords that are frequently used (e.g., password1!) can be guessed using a dictionary attack (an attack in which a “dictionary” of possible passwords is used). It is preferable to use a passcode, such as MyAutoHas120PS (including the dot). In addition, a separate password should be used for each application. Since one can lose the overview fast, it is recommended to use a password manager.

1. Use strong Passwords

When it comes to passwords, this is probably the most well-known principle. It is critical to use long passwords. A complex but short password does not provide adequate security. Passwords must be at least 12 characters long, according to security standards such as the OWASP ASVS.

A combination of uppercase letters, lowercase letters, numbers, and symbols can be used to provide sufficient complexity. Furthermore, passwords that are frequently used (e.g., password1!) can be guessed using a dictionary attack (an attack in which a “dictionary” of possible passwords is used). It is preferable to use a passcode, such as MyAutoHas120PS (including the dot).

In addition, a separate password should be used for each application. Since one can lose the overview fast, it is recommended to use a password manager.

2. Do not save passwords as plain Text
In order to be able to check passwords for correctness during every login process, they must be stored somewhere. It is important to note that passwords must never be stored in plain text. Passwords must be made unrecognizable by a one-way encryption function (hash). The advantage of a hash function is that it cannot be undone. It is therefore not an encryption that can be decrypted again; it only works in one direction. To provide additional security, the hashes are "salted," i.e., given an additional, random value. This can prevent brute-force attacks.

2. Do not save passwords as plain Text

In order to be able to check passwords for correctness during every login process, they must be stored somewhere.

It is important to note that passwords must never be stored in plain text. Passwords must be made unrecognizable by a one-way encryption function (hash). The advantage of a hash function is that it cannot be undone. It is therefore not an encryption that can be decrypted again; it only works in one direction.

To provide additional security, the hashes are "salted," i.e., given an additional, random value. This can prevent brute-force attacks.

3. Multifactor Authentication
Multifactor authentication (MFA, also 2-factor authentication, 2FA) means that at least two different factors are required to log in. There are knowledge factors (e.g., password, PIN, etc.), possession factors (e.g., smartphone, token, etc.), and biometric factors (e.g., fingerprint, facial recognition, etc.). MFA increases security tremendously. It is almost impossible for attackers to break MFA. Even if credentials are stolen or leaked, they cannot be used because the second factor still provides protection.

3. Multifactor Authentication

Multifactor authentication (MFA, also 2-factor authentication, 2FA) means that at least two different factors are required to log in.

There are knowledge factors (e.g., password, PIN, etc.), possession factors (e.g., smartphone, token, etc.), and biometric factors (e.g., fingerprint, facial recognition, etc.). MFA increases security tremendously. It is almost impossible for attackers to break MFA.

Even if credentials are stolen or leaked, they cannot be used because the second factor still provides protection.

4. Consider User Experience
Security and usability are often seen as opposites. However, this need not and should not be the case. Various security measures that were considered necessary in the past led to even greater vulnerabilities due to a lack of usability. A good example of this is the frequent changing of passwords. It was once assumed that doing so would render a stolen password ineffective for an extended period of time. However, frequent changing results in passwords that follow certain patterns (for example, the month number is frequently appended to the end of the password). If an attacker has one password, it is easy to guess the next one. Moreover, frequent password changes lead users to write down their passwords. Nowadays, the recommendation is not to change the password too often. Once a year is sufficient. In addition, a password must be changed whenever there is suspicion that it has been stolen. Services that search data leaks for email addresses (such as haveibeenpwned.com) can be useful for this purpose.

4. Consider User Experience

Security and usability are often seen as opposites. However, this need not and should not be the case. Various security measures that were considered necessary in the past led to even greater vulnerabilities due to a lack of usability. A good example of this is the frequent changing of passwords.

It was once assumed that doing so would render a stolen password ineffective for an extended period of time. However, frequent changing results in passwords that follow certain patterns (for example, the month number is frequently appended to the end of the password). If an attacker has one password, it is easy to guess the next one.

Moreover, frequent password changes lead users to write down their passwords. Nowadays, the recommendation is not to change the password too often. Once a year is sufficient. In addition, a password must be changed whenever there is suspicion that it has been stolen. Services that search data leaks for email addresses (such as haveibeenpwned.com) can be useful for this purpose.

5. Notifications
The user should be notified of any “conspicuous” activity. For example, if a password is changed or reset, the user should be informed accordingly. If more login failures are registered, the user should be informed. If a login from another country has occurred, the user should be informed. This allows the user to intervene in the event of an anomaly, such as changing his password.

5. Notifications

The user should be notified of any “conspicuous” activity. For example, if a password is changed or reset, the user should be informed accordingly. If more login failures are registered, the user should be informed.

If a login from another country has occurred, the user should be informed. This allows the user to intervene in the event of an anomaly, such as changing his password.

Other measures that improve user experience and security include:

Allow copy/paste:
Some sites do not allow copying a value into the password field. Because password managers should be used in general, copying the password from the password manager to the password field should be permitted.
“Show password” function:
This allows a user to see their entered password briefly in order to correct any typos. This allows users to enter long passwords without errors. If you have to restart typing every time you make a mistake, you'll be tempted to use shorter passwords.

In conclusion:

If you follow these basic rules, you are already well on your way to better password security.
For further or more precise guidelines, there are standards such as the OWASP ASVS.

We are happy to help you implement and test them!

Do you have questions about BearingPoint Advanced Threat Inspection?
If you would like to learn more about how to identify your IT vulnerabilities and strengthen your protection against attackers, please contact our experienced security experts. We are always available to answer your questions.

Contact our Team

It always starts with a conversation

Let‘s talk about how we can improve your security posture – today!

Get in touch