In security, it’s usually the basic stuff that gets you — like passwords

There are some very smart hackers out there with access to the latest techniques and exploits, but time and again it has been observed that attackers don’t need to deploy the latest and greatest, because they can achieve their goals with older, basic techniques. Why bother with something complex, or burn a new tool by using it on a low-value target, when simple things like re-used passwords can get a hacker everything they need?

For example, let’s say you use your go-to, easy-to-remember username and password at a mom-and-pop retailer and hackers subsequently steal it. Or maybe hackers buy a block of username/password combinations on the black market. If you use the same username/password for your healthcare provider, a hacker can easily gain access to your most private and most valuable personal information.

We all know that we shouldn’t use the same password at multiple sites. And we also know that we shouldn’t use the same password for work accounts and personal ones, so that a successful attack on our personal accounts doesn’t give the attacker a foot in the door to our corporate network.

But we also know that remembering multiple passwords is difficult and best practices seem to change all the time. In fact, many of the standard password protection schemes that we’ve become accustomed to have been deemed ineffective and outdated. That’s according to guidelines from the National Institute of Standards and Technology (NIST), which are based on the premise that ease of use is an essential component of effective security.

Dos and don’ts of password protection

NIST recommends that companies and web sites that verify credentials do away with all of the composition requirements that supposedly make a password more difficult to crack but also make it more difficult to remember, such as mandatory capital letters, special characters and numbers. Instead, NIST recommends long passphrases made of real words, and encourages sites to allow people to enter as many as 64 characters in a single passphrase.

In addition, NIST says the common practice of requiring regular password updates should be discontinued because this has resulted in people choosing weaker passwords. Also, NIST calls for doing away with asking people to provide a “hint,” like the name of their first pet or mother’s maiden name, because hackers could gain access to that information.

NIST does recommend some additional measures, such as cross-checking a new password against a blacklist of compromised passwords, and rejecting passwords that are on the list. Other criteria for rejecting passwords include repetitive or sequential characters or numbers, passwords obtained from previous breaches, and context-specific words, such as the name of the bank or the person’s own name.
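The three paragraphs above describe a verifier-side policy: accept long passphrases (up to 64 characters, spaces included), impose no composition rules, and reject only passwords that are on a compromised-password list, repetitive or sequential, or built from context-specific words. The following is an added example of such a check, not code from the original post or from DXC; the small compromised-password set is constructed for illustration (a real deployment would query a large breach corpus), and the `run` length of four for repetition and sequence detection is an assumed threshold.

```python
import re
import unicodedata

# Constructed sample of a compromised-password list. In production this would be a
# large breach corpus, ideally queried without sending the full secret to a third party.
COMPROMISED = {"password", "123456", "qwerty", "letmein", "iloveyou"}

MIN_LEN = 8    # minimum length for user-chosen secrets
MAX_LEN = 64   # the 64-character allowance mentioned above; reject, never silently truncate


def normalize(secret: str) -> str:
    # Unicode NFKC normalisation so visually identical passphrases compare equal.
    return unicodedata.normalize("NFKC", secret)


def has_repetition(s: str, run: int = 4) -> bool:
    # Any single character repeated `run` or more times in a row, e.g. "aaaa".
    return re.search(r"(.)\1{%d,}" % (run - 1), s) is not None


def has_sequence(s: str, run: int = 4) -> bool:
    # Ascending or descending runs of consecutive code points, e.g. "1234" or "dcba".
    lower = s.lower()
    for i in range(len(lower) - run + 1):
        window = [ord(c) for c in lower[i:i + run]]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(secret: str, context_words=()) -> tuple:
    """Return (accepted, reason).

    Deliberately absent: required character classes, forced periodic rotation,
    and password hints. Spaces and any printable Unicode are allowed.
    """
    s = normalize(secret)
    if len(s) < MIN_LEN:
        return False, "too short"
    if len(s) > MAX_LEN:
        return False, "too long (limit is %d characters)" % MAX_LEN
    low = s.lower()
    if low in COMPROMISED:
        return False, "found in compromised-password list"
    if has_repetition(s):
        return False, "repetitive characters"
    if has_sequence(s):
        return False, "sequential characters"
    # Context-specific words: the site name, the user's own name, and similar.
    for word in context_words:
        if word and word.lower() in low:
            return False, "contains context-specific word '%s'" % word
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample inputs; "Acme Bank" and "Alice" stand in for site and user names.
    ctx = ("Acme Bank", "Alice")
    for candidate in ("correct horse battery staple", "password", "abcd1234efgh",
                      "aaaaaaaaaa", "my name is alice forever", "short"):
        print("%-32r -> %s" % (candidate, check_password(candidate, ctx)[1]))
```

The checks run in order from cheapest to most specific, and the reason string is returned so the user can be told what to change rather than being shown a generic "invalid password" message.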

Security strategies that work

The best way to handle multiple passwords is to use password manager software, which saves all of your passwords and remembers which password is associated with which web site, so you don’t have to.

Another positive trend is the increased use of multi-factor authentication (MFA), which typically means getting a random number sent to your phone or email address and then entering that number in order to access the site.

As users become more accepting of this type of authentication, it makes sense for companies to deploy access control systems that call for the appropriate MFA level, depending on the specific circumstance – for example, an employee trying to connect from an unusual location.

And, since we know that it’s the basic security mistakes that come back to bite you, companies need to make a renewed push to educate employees on security best practices, including password protection and how to avoid phishing attacks.


Dr. Rhodri Davies works in the Managed Security Services section of DXC, where he concentrates on the technologies required to secure DXC’s clients and on the way those technologies are operated day to day in order to provide an effective service.
