Password Security: Part One – Implementing a Passphrase Standard

While protecting an organization’s network from the threat of hackers is a complex task, doing so starts at a rudimentary level. By ensuring every employee is vigilant in implementing proper password security practices, an organization can greatly mitigate the risk of a total network takeover.

Simply put, Rocket IT suggests that an organization’s leaders start by mandating a series of company-wide password security rules. Although our newest blog, found here, discusses advanced security measures, it’s important to start by addressing the foundational cause of security breaches, a lack of password complexity.

 

The Man Responsible for Standard Password Practices Has Apologized

In 2003, the National Institute of Standards and Technology (NIST) drafted a detailed guide on how to “effectively” generate secure passwords. In a mere eight pages, Bill Burr, a previous manager at NIST, established the regulations that would soon define over a decade of password security standards. Despite the ever-evolving state of the Internet, almost every website still recommends users abide by these pre-dated regulations.

That said, in 2017, Burr broke his silence, admitting that many of those previously issued recommendations are no longer effective in providing strong password security. In fact, not only are some of his previous suggestions obsolete, they’re downright frustrating. Have you ever experienced an IT person constantly badgering you to regularly change your password? Did you find it difficult to create cryptic [su_tooltip style=”blue” position=”north” rounded=”yes” content=”An informal language or code used on the Internet, in which standard letters are often replaced by numerals or special characters that resemble the letters in appearance.”]leetspeak[/su_tooltip] passwords, comprised of alphabetic, numeric, and symbolic characters? You have Burr to thank for those, now irrelevant, annoyances.

Nevertheless, here we are, in 2019, with little done to reflect the new password security changes NIST has issued. Instead, the mission of blazing a new trail in password security has fallen on the shoulders of concerned IT organizations, striving to better support their clients. Unfortunately, it’s difficult to persuade public opinion, and many web-users refuse to stray from these old password recommendations. Many times, when we first meet with a new client, a hefty number of its employees still believe that a password, containing eight to 14 randomly generated characters, provides enough complexity to protect their accounts and the assets contained within.

 

Research Shows You May Be at Risk

If you haven’t been convinced already, this method is a far cry from being effective. Alternatively, Rocket IT’s Founder and CEO, Matt Hyatt, argues that it is important to focus on extending the length of a password, rather than prioritizing its sheer randomness. While, to many, this recommendation appears to be a drastic shift from the established norm, new research gives a heightened level of support to Hyatt’s proposal.  

In a study, conducted by the software security company, KnowBe4, it was found that hackers can crack an account using old password standards in under a minute. Yes, that’s right, a cybercriminal can gain access to your most valuable information in less time than it takes to microwave a bag of popcorn. And once in, they’re free to sit back and snack on said popcorn while their automated tools use your credentials to access the organization’s active directory, extracting the passwords of your fellow colleagues. Taking things a step further, this same cybercriminal can then install a [su_tooltip style=”blue” position=”north” rounded=”yes” content=”A computer program that records every keystroke made by a computer user, especially in order to gain fraudulent access to passwords and other confidential information.”]keylogger[/su_tooltip] on each employees’ computer, resulting in a background application that silently tracks each keystroke a user enters into his or her computer. By doing this, the hacker increases the scale, impact, and longevity of the breach.

Now, you may be left wondering, what exactly are the repercussions of a breach like this? Well, along with gaining free reign over your organization’s local files, your personal livelihood is at stake. Recently, an organization impacted by a security breach reached out to Rocket IT. Along with having the security of its confidential files compromised, hackers were able to access the online banking and iTunes accounts of several employees, stealing thousands of dollars from some unfortunate team members. While Rocket IT assisted the organization in regaining control of its network security, employees who were personally impacted by financial theft were left to contact their insurance providers.

 

Solution One: Implement a “Passphrase” Standard

If this leaves you with some concerns, just know there are measures you can take to ensure you and your organization do not feel the pain associated with these attacks. For one, it’s important you ditch the predefined notion of a “password”, and make a shift towards using intricate “passphrases” when generating login credentials. Although Rocket IT believes it is important that you create passphrases with a minimum of 25 characters, this isn’t to say that they have to be difficult to remember. Instead, we recommend setting your passphrases as the current goals you regularly think about. For example, the passphrase “myGoalistolose10Poundsby2019!” contains 29 characters, both capital and lowercase letters, a mix of alphabetical and numerical characters, and a symbol. Using this simple and free method ensures your account exceeds the new standard placed on password security, greatly alleviating the worry of being hacked.

By adopting this newly defined passphrase standard, cybercriminals will find it far more difficult to use brute-force to unlock your account. A brute-force attack refers to an attack in which a hacker repeatedly enters a series of passwords, in hopes of finding one that correctly matches the password associated with your account. While straightforward and simple in nature, hackers occasionally find success using this method. Therefore, to protect against these attempts, Rocket IT recommends clients enforce a strict lock-out policy. By implementing this policy, users that incorrectly enter a password three times are unable to try again for a predetermined period of time. If the user continues to incorrectly enter the user’s credentials, this time period continues to increase.

 

Looking to Enhance Your Security Stronghold?

As you can tell, a simple precautionary measure, such as adopting a new passphrase standard, can lay the foundation blocks for an organization to build its network security upon. Now that you have a firm grasp on passphrases, and what they entail, we can dive deeper into advanced password security practices.

In part two of our three-part series, we’ll take look at the importance of using multiple unique passphrases, while also giving you some handy methods to keep track of all your new login credentials.  

To stay up-to-date on these releases, we encourage you to sign up for the Rocket IT newsletter, or follow us on Facebook, Twitter, and LinkedIn. In the meantime, if you believe your organization’s current password security practices need immediate rectification, please feel free to reach out. Rocket IT is here to help, day or night. Simply give us a call at (770) 441-2520, or visit https://rocketit.com/ for more information.

Together, we can help your business thrive.