26/10/2018
OCSL Editor

Passwords are becoming increasingly important. Lots of tech companies are developing ways to make password management easier. But there are few general guidelines available on how to devise secure passwords. Without doubt, every company needs to consider its own specific security requirements. But ultimately, external auditing means it is important to follow baseline standards too.

On closer examination, these so-called ‘standards’ include a surprising amount of variance globally. Our security experts Marcel Reifenberger and Callum Butler take a closer look.


What do different security bodies around the world advise?

| Global Password Standards | NIST (National Institute of Standards and Technology) – USA | BSI (German Federal Office for Information Security) – Germany | ENISA (European Union Agency for Network and Information Security) – EU | NCSC (National Cyber Security Centre) – UK |
|---|---|---|---|---|
| Minimum length (digits) | At least 8 | At least 8 (at least 14 for privileged user accounts) | At least 8 | Not specified |
| Validity / when to be changed | On demand | At least every 90 days | Periodically (not yet defined in detail) | On demand |
| Complexity | Not specified | aA1$ (mix of lower case, upper case, numbers, special characters) | aA1$ (mix of lower case, upper case, numbers, special characters) | Not specified |
| Accepted failed attempts | Not specified | Up to 5 | Not specified | Up to or equal to 10 |
| Secure questions mandatory | No | Yes (in relation to the applicable risk) | Not specified | Not specified |
| Default passwords | No | Prohibited | Needs to be changed prior to delivery | Needs to be changed prior to delivery |
| Multi-Factor Authentication (MFA) | Recommended | Recommended | Recommended | Recommended |

As you can see, advice varies widely. So, how should systems be configured, awareness measures defined and employees trained if no real baseline exists?

The best way is to “think like a hacker”. By understanding all the possible ways to crack passwords and gain access to your data, you have a greater chance of developing an effective password strategy.

What are some of the most common ways to crack passwords?

  • Interception or Man-in-the-Middle attacks – This commonly happens on unsecured networks, where attackers can easily intercept traffic to sniff out passwords.
  • Brute forcing – Attackers take a list of passwords held on their systems and try each one against your username, usually in an automated fashion using open-source tools.
  • Shoulder surfing – Exactly how it sounds. Attackers simply steal passwords by looking over your shoulder at your keyboard.
  • Social engineering – Unsuspecting users are tricked into visiting cloned sites, or are manipulated at a social level, over the phone or face-to-face.
  • Key logging – An attacker captures every key you type by exploiting your machine or the actual keyboard itself.
  • Screen capturing – Using software known as Remote Access Trojans, attackers capture your screen. Combined with key logging, this gives access to your different passwords. (Assuming you have different passwords!)
  • Searching and stealing – Attackers buy password dictionaries online, or steal hash values from remotely logged-on machines through a tool called mimikatz.
  • Manual guessing – Simple yet effective, using knowledge about the individual.
  • Token theft or token replay – On poorly coded websites, attackers can capture login tokens. By re-using the token, they gain access to your account. They don’t even need your user name.

So, we’ve covered off security and baseline standards, as well as some of the different ways to crack passwords. Now, let’s take a look at password protection itself.

5 Common Myths about Password Protection:

  1. It’s all about the length - Length may help a bit. But AI, Big Data and quantum computers can crack passwords of any length in a minute. So longer passwords alone will not secure your systems.
  2. Entering complex passwords (up to 8 digits) takes too long - Nowadays biometric authentication methods (e.g. facial recognition or fingerprint) as well as Single Sign-On (SSO) can decrease the authentication time frame down to a single second.
  3. 2FA will solve any issues - True - 99.9% of the time. Two Factor Authentication methods certainly reduce the possibility of your account being compromised, especially if it is a physical 2FA key, that is, randomly generated numbers required after logging in with your password. Software 2FA keys are also good, but are more susceptible to attack if they are on your mobile device. (But remember, anything can be hacked.)
  4. Factory passwords can’t be changed - If they can’t be changed, I would step away from them, pronto! You wouldn’t buy a house without a secure door, so why buy software or hardware that leaves your network wide open? If you are unsure or can’t find a way to change a factory password, email the vendor; they SHOULD change the password for you or give you guidance.
  5. Password managers are awkward to use - Awkward maybe, but safer than a sticky note under your desk. Some password managers may be fiddly, but trying to get your accounts back after a breach is going to be a lot more difficult.

So, what are the top 5 ways to secure your network?

  1. Approve bigger budgets!!! Making employees security-aware is a massive task. It requires a comprehensive programme with significant investment.
  2. Apply at least 16 digits with a mix of lower case, upper case, numbers and special characters. BUT also teach employees to use uniquely memorable, but hard-to-crack, password phrases (for example, MycarisaFordMustangbuild1963!).
  3. Use alternative ways to log in, like fingerprint or 3D facial recognition, wherever possible.
  4. Use Two Factor Authentication (2FA) and Single Sign-On (SSO) wherever possible.
  5. Roll out ONE company-wide, easy-to-use password manager solution which is connected to all the applications provided (e.g. by installing add-ons).
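To make the variance in the standards table concrete, and to show what recommendation 2 above asks of a password in practice, here is an added example (not code from the article or from OCSL) that scores a candidate password against each standard's stated length and complexity rules and against the article's own 16-character, four-class recommendation. The policy names, `check_password` and `passing_standards` are this example's own; NCSC's unspecified length is modelled as 0, and the rotation, lockout and MFA rows are out of scope because they are not properties of the password string.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int  # 0 means the standard does not specify a length
    complexity: bool  # require lower case, upper case, digits and specials
    privileged_min_length: Optional[int] = None  # stricter length for admin accounts


# Length and complexity values transcribed from the table; NCSC specifies neither.
POLICIES = {
    "NIST": PasswordPolicy("NIST", 8, False),
    "BSI": PasswordPolicy("BSI", 8, True, privileged_min_length=14),
    "ENISA": PasswordPolicy("ENISA", 8, True),
    "NCSC": PasswordPolicy("NCSC", 0, False),
    "ARTICLE": PasswordPolicy("ARTICLE", 16, True),  # the article's own advice (item 2)
}

CLASS_PATTERNS = {"lower": r"[a-z]", "upper": r"[A-Z]",
                  "digit": r"[0-9]", "special": r"[^A-Za-z0-9]"}


def character_classes(password: str) -> set:
    """Set of character classes present in the password (see the aA1$ table row)."""
    return {name for name, pat in CLASS_PATTERNS.items() if re.search(pat, password)}


def check_password(password: str, policy: PasswordPolicy, privileged: bool = False) -> List[str]:
    """Return findings; an empty list means the password meets the policy."""
    findings = []
    required = policy.min_length
    if privileged and policy.privileged_min_length:
        required = max(required, policy.privileged_min_length)  # e.g. BSI: 14 for admins
    if len(password) < required:
        findings.append(f"{policy.name}: length {len(password)} < {required}")
    if policy.complexity:
        missing = set(CLASS_PATTERNS) - character_classes(password)
        if missing:
            findings.append(f"{policy.name}: missing classes {sorted(missing)}")
    return findings


def passing_standards(password: str, privileged: bool = False) -> List[str]:
    """Names of the policies the password satisfies, in table order."""
    return [n for n, p in POLICIES.items() if not check_password(password, p, privileged)]
```

Running `passing_standards("Password1")` returns only `["NIST", "NCSC"]`, which illustrates the article's point that a password can be compliant under one body's baseline and rejected under another's.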

It goes without saying that you also need to ensure all your applications are fully tested to prevent the various methods of attack detailed above.

Thanks for reading,

We hope our recommendations will keep you safe in the future:
Marcel Reifenberger, CISO / CSO, @soc13tyhacker
Callum Butler, Cyber Security Analyst, @Callum_Butler


OCSL is part of the CANCOM family; you can read this article in German here
