In this edition of our Security Series, Cyberhound, part of the Superloop Group, takes a closer look at what makes a password secure, and why.

Most people view computer passwords as a necessary evil: they know they should use strong passwords to protect sensitive information, but passwords are a headache to manage and keep track of. It is getting harder, too. According to recent research reports, the average business user now has 191 passwords to manage.

IT departments that insist that users change passwords regularly are compounding the problem – struggling to think of a new password whenever the dreaded “Your password must be changed” notification appears is enough to send people into a stunned stupor.

“The more often you ask someone to change their password, the weaker the passwords they typically choose,” says Prof Alan Woodward, University of Surrey.

Why do we use passwords?

Passwords serve a necessary purpose. The cost of our data being compromised, our money being siphoned from our bank accounts, and strangers reading our private conversations far outweighs the inconvenience of having to remember multiple passwords.

The problem with passwords is that the ones that are easy for humans to remember are typically also easy for a machine to guess. In fact, recent studies show [1] that 90% of all passwords are vulnerable to attack in seconds.

The methods most commonly used to make passwords stronger, such as requiring numbers or punctuation characters, or a mix of upper and lower case letters, end up making passwords harder to recall. They also buy less strength than they appear to, because users tend to apply the same few predictable substitutions to the same familiar words, and cracking tools try exactly those first.
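To make the "easy to remember, easy to crack" point concrete, here is an added example (not from the Cyberhound article) that estimates how long an attacker needs to exhaust the search space for a few password styles. The attacker guess rates, the wordlist size and the number of mangling rules are assumptions chosen for illustration; the comparison between the rows is the point, not the absolute numbers.

```python
import math

# Assumed attacker guess rates (illustrative, not figures from the article):
OFFLINE_GPU_RATE = 1e10   # guesses/s: a GPU rig against a leaked fast, unsalted hash
ONLINE_RATE = 100         # guesses/s: against a rate-limited login form

# Assumed attacker resources for a dictionary attack (illustrative sizes):
WORDLIST = 100_000        # common words, names and previously leaked passwords
MANGLING_RULES = 1_000    # capitalise, append digits, leetspeak substitutions, ...
DICEWARE_LIST = 7_776     # words in a standard diceware list (6**5)


def charset_size(password: str) -> int:
    """Pool size a brute-forcer must cover for the character classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33   # printable ASCII punctuation and space
    return size


def brute_force_bits(password: str) -> float:
    """Bits of work if the password really were random over its character classes."""
    return len(password) * math.log2(charset_size(password))


def dictionary_bits(word_count: int, rule_count: int = 1, words: int = 1) -> float:
    """Bits of work when the password is `words` list words, optionally mangled by one rule."""
    return words * math.log2(word_count) + math.log2(rule_count)


def crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Worst-case seconds to exhaust a keyspace of 2**bits guesses."""
    return 2.0 ** bits / guesses_per_second


def human_time(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3g} seconds"


def report(label: str, bits: float) -> dict:
    """Summarise one password style under both assumed attack rates."""
    return {
        "label": label,
        "bits": round(bits, 1),
        "offline": human_time(crack_seconds(bits, OFFLINE_GPU_RATE)),
        "online": human_time(crack_seconds(bits, ONLINE_RATE)),
    }


if __name__ == "__main__":
    cases = [
        # "P@ssw0rd1" satisfies a typical complexity policy (upper, lower, digit, symbol)...
        report("P@ssw0rd1 as the policy counts it (brute force)", brute_force_bits("P@ssw0rd1")),
        # ...but a cracker treats it as one wordlist entry plus one mangling rule.
        report("P@ssw0rd1 as a cracker sees it (word + rule)", dictionary_bits(WORDLIST, MANGLING_RULES)),
        report("4 random diceware words", dictionary_bits(DICEWARE_LIST, words=4)),
        report("5 random diceware words", dictionary_bits(DICEWARE_LIST, words=5)),
    ]
    for c in cases:
        print(f"{c['label']:<50} {c['bits']:>5} bits  offline: {c['offline']:<14} online: {c['online']}")
```

Run it and the policy-compliant "P@ssw0rd1" scores about 59 bits if you count characters, but only about 27 bits once it is modelled as a wordlist entry plus a substitution rule, which at the assumed offline rate falls in a hundredth of a second. Five random diceware words contain nothing but lower-case letters and spaces, yet give about 65 bits and roughly 90 years at the same rate, and they are far easier to remember than a string of substitutions.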

The basics of password security

Before delving into what is wrong with current passwords, and how to entice your business users to create more secure ones, it is necessary to cover the basics. By educating your users in these 5 best practices you can eliminate most of the human error in password management.

Top 5 basics of password security

  1.  Ensure your users understand that they must not give out their passwords. This means not sharing business laptops with partners (or children), not emailing passwords (to themselves or to others), not telling them to anyone, and not sticking Post-it notes to monitors. Passwords should be personal. If someone genuinely needs to grant another person access to an application or computer, they should set a temporary password for that purpose, agree a timeframe, and change it again once that access is no longer needed.
  2.  Passwords should not be saved anywhere in cleartext. That includes a notebook, an Excel spreadsheet or a text file, and it also means not putting the password in the description field of an LDAP (Lightweight Directory Access Protocol) account, where anyone with read access to the directory can see it.
  3.  Ensure your users take precautions when logging on to computers they do not control (for example free computers at airports, hotels or other shared spaces). They should avoid logging on to services such as Gmail or Facebook from these machines at all; if they must, they should use the browser's private or incognito mode and log out when finished. Private mode only stops the browser keeping history and cookies; it does nothing against a keylogger installed on the shared machine, which is why not entering the password at all is the real protection.
  4.  Ensure all computers used by travelling staff have VPN access, to protect them from snoopers on free Wi-Fi networks. Examples include Express-VPN, X-VPN, or PIA; some of these services offer free tiers as well as annual subscriptions. A VPN encrypts all traffic between the laptop and the VPN endpoint. Without one, it is trivial for anyone on an open Wi-Fi network to capture the packets in the air and read any usernames and passwords sent in cleartext.
  5.  Ensure users understand why it is dangerous to re-use passwords across different accounts: one breach then exposes every account that shares the password, because attackers replay the leaked username and password pairs against other services. An analysis of two data breaches [2] found a password reuse rate of 31% among victims.
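What the "packets in the air" in item 4 actually contain, as an added example that is not part of the original article: a short Python script that scans a constructed sample of plain-HTTP traffic (the hosts, user names and passwords are made up) for the two most common ways credentials travel in cleartext, an HTTP Basic `Authorization` header and a URL-encoded login form. This is exactly what a snooper's capture tool shows; over TLS or through a VPN tunnel the same bytes are encrypted and the extraction below yields nothing.

```python
import base64
import re
from urllib.parse import parse_qs

# Constructed sample of two plain-HTTP requests, as a passive listener on an open
# Wi-Fi network would capture them. Hosts, user names and passwords are made up.
CAPTURED_HTTP = (
    b"GET /mail/inbox HTTP/1.1\r\n"
    b"Host: webmail.example.test\r\n"
    b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"
    b"\r\n"
    b"POST /login HTTP/1.1\r\n"
    b"Host: intranet.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 35\r\n"
    b"\r\n"
    b"username=bob&password=Summer2017%21\r\n"
)

# Form field names commonly used for the account name (assumed list).
USER_FIELDS = ("username", "user", "email", "login")


def extract_credentials(raw: bytes) -> list:
    """Return every username/password pair visible in cleartext HTTP traffic."""
    text = raw.decode("latin-1")   # byte-preserving decode; HTTP headers are ASCII
    found = []

    # HTTP Basic auth carries base64("user:password"). Base64 is an encoding, not
    # encryption, so anyone holding the packet can reverse it.
    for m in re.finditer(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", text, re.I):
        decoded = base64.b64decode(m.group(1)).decode("utf-8", "replace")
        user, _, password = decoded.partition(":")
        found.append({"kind": "basic-auth", "user": user, "password": password})

    # Form logins: the line after a blank header/body separator, URL-encoded.
    # Request lines of following requests also land here but contain no "=" pairs,
    # so parse_qs returns nothing for them and they are skipped.
    for m in re.finditer(r"\r\n\r\n([^\r\n]+)", text):
        fields = parse_qs(m.group(1))
        pw_keys = [k for k in fields if "pass" in k.lower()]
        if not pw_keys:
            continue
        user_keys = [k for k in fields if k.lower() in USER_FIELDS]
        found.append({
            "kind": "form-post",
            "user": fields[user_keys[0]][0] if user_keys else None,
            "password": fields[pw_keys[0]][0],
        })
    return found


if __name__ == "__main__":
    for cred in extract_credentials(CAPTURED_HTTP):
        print(f"{cred['kind']:<11} user={cred['user']!r} password={cred['password']!r}")
```

Both pairs come straight out of the capture: the Basic header decodes to alice's password without any key, and the form body needs only URL-decoding. Nothing in the script is an attack; it is the reason the article insists on a VPN (or, equivalently, HTTPS everywhere) on networks you do not control.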

[1] http://www.computerworld.com, 1 May 2017

[2] 99% of compromised user accounts come from password reuse, CSO heavy hitters reveal