Password best practice – five ways to boost your organisation's security

Cybersecurity is a topic that should be on the mind of everyone who works in an asset management firm. The risk of having sensitive data stolen, your content hijacked or vital core IT systems compromised is too great to countenance, and any of these is likely to result in serious damage to a business.
Staying one step ahead of the cybercriminals is the key, and this means having all security procedures and processes in an ongoing state of review. This should cover everything from the physical security of your premises to the testing and deployment of software patches, and all the bits in between – no matter how seemingly insignificant they are.
Very often it isn’t going to be a crack team of highly-trained, state-sponsored attackers who will be trying to break into your systems. It’s more likely to be opportunists who have found a weak link in your defences, and that weak link could very well be your password policy.
For years, we’ve been told to create passwords using a combination of letters and numbers, uppercase and lowercase, with some non-alphanumeric symbols in the mix too. The intention was to produce passwords that couldn’t be guessed or cracked using word lists. In practice, people satisfy these rules in predictable ways (a capital letter first, a digit and an exclamation mark last, an “a” swapped for an “@”), and password-cracking tools try exactly those patterns first. It turns out that following this advice can leave us more vulnerable, not less.
The above guidelines were published by the National Institute of Standards and Technology (NIST) in the US, and date back to 2003. The man behind the advice, Bill Burr, also recommended that users should have to reset passwords every 90 days. But earlier this month, he made a startling confession – he got it wrong.
The result of his advice was that millions of office workers were writing their passwords down in notebooks or even on sticky notes that they attached to their monitor so they could remember them. Even worse, they would use the same password for several different services, meaning that if a cybercriminal could crack one, he or she could access a whole lot more than just an email account. And when workers came to change their passwords, they’d often only alter a single character, which is not exactly enough to stop a determined cybercriminal either.
Given that passwords are such a problematic area when it comes to cybersecurity, what should we all be doing to mitigate risk and ensure there are no weak links? Well, here are five guidelines we’d suggest:
1. Use phrases
First of all, we can create more memorable passwords using a series of words that we have selected at random but can still remember easily. A password such as “picturebiscuitcandleglass” – although long – will be far more resistant to a so-called brute force attack than a short mix of letters, numbers and symbols chosen by a human, and easier for the user to remember. The strength comes from length and genuine randomness, not from the character classes used. To quantify it: four words picked at random from the 7,776-word Diceware list give roughly 3.7 × 10^15 possible phrases (about 52 bits), which is comparable to a truly random eight-character password drawn from all 95 printable characters, and each additional word multiplies the search space by another 7,776. A human-chosen eight-character “complex” password is nowhere near that strong, because its patterns are predictable. How long an attacker needs to try every possibility depends on the hash the system uses and the hardware the attacker has; a five- or six-word phrase is out of reach of brute force on any of them.
This technique has become increasingly popular through the concept of Diceware, in which dice rolls select words from a numbered list, generating random, unguessable but nevertheless memorable passphrases. A young lady by the name of Mira Modi is even making a living out of it!
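To make the comparison concrete, here is an added example (not code from the original post or from Kurtosys) that generates a Diceware-style passphrase with the operating system’s cryptographic random source and works out the search space for the schemes discussed above. The eight-word list is a constructed stand-in so the script runs offline; the strength figures are computed from the real list size of 7,776 words, and the guessing rates used in the demo are assumptions for illustration only.

```python
import math
import secrets

# Size of the real Diceware list: five dice rolls give 6**5 = 7776 words.
DICEWARE_LIST_SIZE = 6 ** 5

# Constructed stand-in for the real word list so the script runs offline.
# Strength estimates below use the list SIZE above, not these eight words.
SAMPLE_WORDS = ["picture", "biscuit", "candle", "glass",
                "anchor", "river", "copper", "meadow"]

# Printable ASCII: 26 lower + 26 upper + 10 digits + 33 symbols.
PRINTABLE_ASCII = 95


def generate_passphrase(words, count=4, separator=" "):
    """Pick `count` words uniformly at random using the OS CSPRNG.

    `secrets.choice` (never `random.choice`) is used so the phrase is
    unpredictable. Words may repeat, which keeps every pick independent
    and makes the entropy calculation below exact.
    """
    return separator.join(secrets.choice(words) for _ in range(count))


def entropy_bits(alphabet_size, length):
    """Bits of entropy for `length` independent uniform picks from an
    alphabet (or word list) of `alphabet_size` entries.

    Assumes the attacker knows the list, which is the right assumption:
    the only secret is which entries were chosen.
    """
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try the whole space; expected time is half that."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def compare_schemes(guesses_per_second):
    """Search-space comparison of the schemes discussed in the article.

    Returns {scheme name: (entropy bits, years to exhaust at the given rate)}.
    """
    schemes = {
        "8 chars, mixed case + digits + symbols": entropy_bits(PRINTABLE_ASCII, 8),
        "4 random Diceware words": entropy_bits(DICEWARE_LIST_SIZE, 4),
        "5 random Diceware words": entropy_bits(DICEWARE_LIST_SIZE, 5),
        "6 random Diceware words": entropy_bits(DICEWARE_LIST_SIZE, 6),
    }
    return {name: (bits, years_to_exhaust(bits, guesses_per_second))
            for name, bits in schemes.items()}


if __name__ == "__main__":
    print("Example passphrase:", generate_passphrase(SAMPLE_WORDS))
    # Assumed rates for illustration: a fast unsalted hash on GPU hardware
    # can be attacked at billions of guesses per second or more; a properly
    # tuned slow hash (bcrypt, scrypt, Argon2) at thousands.
    for rate in (1e10, 1e4):
        print(f"\nAt {rate:.0e} guesses/second:")
        for name, (bits, years) in compare_schemes(rate).items():
            print(f"  {name:42s} {bits:5.1f} bits  {years:12.3g} years")
```

Note that the eight-character figure is for a password chosen uniformly at random by a machine; a human-chosen one that merely satisfies the old complexity rules is much weaker. The figures also show why the hashing scheme on the server matters as much as the password: the same phrase lasts a million times longer against a slow hash than against a fast one.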
2. Don’t re-use passwords
You still need to be using a different password for each separate service you log into. Re-using passwords might save a bit of time and brainpower, but it is a significant security risk: once one service leaks its password database, the same credentials will be tried against every other service. Phrase-based passwords are easier to remember, so it should also be less taxing to use a different one for each service.
3. Use a password manager
With a password manager, you only have to remember one password, which gives you access to all the others. It’s not practical to remember every username and password for every system you log into, which is why people keep reusing them. If these credentials are stored safely in an encrypted vault, we can follow the security advice above without running out of memory. It’s not dissimilar to putting your valuables in a safe, and the same caveat applies: the master password is now the most valuable secret you have, so it should be a long random phrase of the kind described above, and the vault itself should be protected with two-factor authentication where the product supports it.
4. Have a coherent, company-wide policy
A chain is only as strong as its weakest link. It’s all very well to get your in-house staff using different phrase-based passwords for each service, but if your senior executives aren’t following the same advice the system is still insecure. Similarly, removing Post-It notes with passwords written on them from all of the workstations in your office is all well and good, but if just one of your sales reps has one stuck to his laptop, everything is still at risk.
5. Consider two-factor authentication
If you’re not familiar with the term, this simply means that a user needs to prove they are permitted to access the system via two different methods at the same time. Typically the first factor is something you know, such as your password, and the second factor is based on something you have, such as a code from an authenticator app or hardware token, or a text message to your phone. The chances of an attacker having both are much smaller. Note that the text-message variant is the weakest of these, since phone numbers can be transferred by social-engineering the mobile operator, so prefer an app or token where the service offers one. You probably use two-factor authentication already to log in to your bank account.
Many large organisations use two-factor authentication for remote access already because it is a very effective way of bolstering one of their most vulnerable areas.
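To show what the “something you have” factor actually does when it is an authenticator app, here is an added example (not code from the original post or from any particular product) implementing time-based one-time passwords as specified in RFC 6238, together with the server-side check. The shared secret used in the demo is the published RFC test-vector secret, and the clock-skew window, replay check and six-digit default are ordinary choices, not something the article prescribes.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a 31-bit integer, reduced to `digits`."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter = floor(unix_time / step).
    This is what the app on the phone computes and displays."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: int, step: int = 30,
                digits: int = 6, window: int = 1, last_used_counter=None):
    """Server-side check. Returns the matched counter, or None on failure.

    - Accepts the current step and `window` neighbours on each side to
      tolerate clock skew between phone and server.
    - Compares in constant time so response timing leaks nothing.
    - Refuses any counter at or below `last_used_counter`, so a code that
      was intercepted and already accepted cannot be replayed. The caller
      must persist the returned counter per user for this to work.
    """
    counter = at_time // step
    matched = None
    for offset in range(-window, window + 1):
        candidate_counter = counter + offset
        candidate = hotp(secret, candidate_counter, digits)
        # No early exit: every candidate is compared so timing is uniform.
        if hmac.compare_digest(candidate, submitted) and matched is None:
            matched = candidate_counter
    if matched is not None and last_used_counter is not None \
            and matched <= last_used_counter:
        return None  # replay of an already-consumed step
    return matched


def provisioning_secret_b32(secret: bytes) -> str:
    """Base32 form of the secret, as carried in the otpauth:// QR code
    that enrols the authenticator app."""
    return base64.b32encode(secret).decode("ascii")


if __name__ == "__main__":
    # Demo secret from the RFC 6238 test vectors; a real enrolment would
    # generate one with secrets.token_bytes(20) and store it server-side.
    secret = b"12345678901234567890"
    now = int(time.time())
    code = totp(secret, now)
    print("Enrolment secret (base32):", provisioning_secret_b32(secret))
    print("Current code:", code)
    print("Verified at counter:", verify_totp(secret, code, now))
    print("Replay rejected:", verify_totp(secret, code, now,
                                          last_used_counter=now // 30))
```

The password remains the first factor; the code proves possession of the device holding the secret, and because it changes every 30 seconds and cannot be replayed, a phished or shoulder-surfed code is worthless a minute later. The same verification logic applies to hardware tokens, which differ only in where the secret lives.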
If you weren’t aware that best-practice guidelines for password policies had changed, then it’s possible that you’re not as up-to-date with everything that’s going on in the world of cybersecurity as you should be. It isn’t just the IT department that should be on top of these things – everyone in the organisation needs to be aware of the risks of cybercrime. There are plenty of good resources out there, and of course you’ll find regular articles here on the Kurtosys blog.