Most computer systems rely on usernames and passwords for a fundamentally important reason. The username identifies who a user is and determines what that user is authorized to view or do. Like a physical key, the password proves that the person presenting the username is who they claim to be. If an attacker steals a user's password, they get that user's access to sensitive company information. Choosing and remembering passwords is one of the more cumbersome parts of doing business online, but a few basic practices offer robust protection, so read on to find out how to strengthen your passwords.
Advice for everyone
As an employee or business owner, you likely use passwords for everything from email to payroll to CRM systems. Unfortunately, in many cases an attacker can do serious damage to your business just by guessing your password to one of these systems, then mocking up a fraudulent invoice or sending an email asking for a payment to be redirected. Accordingly, you should protect the passwords that protect your business. The following are sound password practices that are simple to implement:
Don't reuse passwords
Many people use the same password for dozens of services, from their local newspaper subscription to their bank account. Attackers know this and actively exploit it: password lists from data breaches at sites and services like LinkedIn are sold and traded on the dark web, and attackers replay those stolen username and password pairs against other sites (a technique known as credential stuffing) in the hope that a password reused from a low-value account also opens a high-value one. The Coalition Control dashboard can show you usernames and passwords from your organization that have appeared in known breaches, giving you a chance to change those passwords before they are used against you.
Use strong passwords
It's cheap and easy for an attacker who has obtained a copy of a site's password database to run software that guesses passwords millions of times per second, or far more with modern graphics cards. Such tools try every word in the dictionary, plus city, state, person and team names and likely birthdays or anniversaries, all common elements of passwords. You may have been told to use a mix of capital and lower-case letters, numbers and symbols, but most people respond by changing "o"s to "0"s or adding a "1" or an "!" to the end of their password. That advice is unhelpful on its own because attackers know these patterns and try those variations (p@ssw0rd included) automatically. Instead, use a randomly generated password from a password manager, or a long passphrase, something like MyFavoriteCakeIsChocolateWithPeanutButterFrosting. A passphrase that long is far beyond the reach of guessing attacks, as long as it is not a well-known quotation or song lyric, and it is easier to remember than a short string of symbols. As the webcomic XKCD has pointed out, "through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess."
Password managers to the rescue
Passwords have been painful for years, and following these rules might seem impossible. Password managers make it manageable. A password manager is a program that keeps track of your different accounts and passwords and generates a unique random password for each new account, so you never have to invent or memorize one. It protects these keys to the kingdom with a single strong passphrase that unlocks your vault of usernames and passwords, and most managers sync across devices so your passwords follow you securely wherever you are. The following are Coalition's recommendations for using a password manager.
Online services like LastPass and Dashlane let you manage all your passwords across devices with a single account, and often offer additional features like encrypted note-taking and secure password sharing. Sharing passwords is not ideal, but there are legitimate reasons to share, and a password manager is a far better channel than emailing a password or writing it down.
Operating systems and browsers may also offer a built-in password manager. Firefox, Chrome, Microsoft Edge/Windows and Apple's iCloud Keychain let you store and retrieve passwords on any device where you're signed into the respective account.
Are you running your own Web App?
If your business produces a web application and manages its own user accounts and passwords, you should implement policies and system configurations that enforce good password hygiene. Letting users create accounts with you exposes you to significant security issues and liability if you do not take precautions against account hijacking, including fraudulent sales, disgruntled customers and possible fines if sensitive information (such as payment, personal or healthcare data) is compromised.
To mitigate the risk of handling and storing passwords, there are a few principles you should adhere to:
Never store plaintext passwords
One of the bedrocks of modern application security is password hashing, which runs each password through a one-way function to produce a fixed-size "hash" that is stored in its place. A hash lets you verify a user's password (hash what they type and compare it with the stored value) without keeping the password in a form an attacker can use, because the function cannot be run backwards to recover the password. Hashing is not encryption: there is no key that turns a hash back into a password, and that is exactly the point. It's a bit like a fingerprint: you can check whether a print matches a person, but you cannot reconstruct the person from the print. Two details matter. First, mix a random salt into each password before hashing, so that identical passwords produce different hashes and precomputed tables of hashes are useless. Second, use a deliberately slow algorithm designed for passwords (bcrypt, scrypt, Argon2 or PBKDF2) rather than a fast general-purpose hash such as MD5 or SHA-256, which an attacker with a graphics card can evaluate billions of times per second. Done properly, hashing means that even if an attacker gets a copy of your database of usernames and password hashes, they cannot simply log in as those users, and only the weakest passwords stand any realistic chance of being recovered. Most modern web frameworks, such as Django or Ruby on Rails, handle this for you, but check that your framework uses a password hashing algorithm rather than a plain hash, and that you've enabled it (if applicable). This should be part of your application security testing program.
Require strong passwords
A weak password renders all other protections useless. Give your users the same advice we've given you, and wherever possible bar them from creating or using a weak password. The old days of 8-character passwords with a mandatory number and special character are over; instead, set a sensible minimum length and check user-created passwords against lists of common and breached passwords and dictionary words, including the predictable variants ("p@ssw0rd1!") attackers try first. Several software libraries will estimate password strength for you; at Coalition, we use Dropbox's zxcvbn.
Additionally, don't require users to change passwords periodically, since that pushes people toward weak, incrementing passwords (Summer2023!, Summer2024!). A randomly generated password or long passphrase can be used indefinitely unless you have an indication of compromise, at which point it should be changed immediately. For high-security applications, a yearly passphrase change is sufficient.
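Here is an added example of the kind of server-side check described above. It is not Coalition's code and not zxcvbn; the password list, the minimum length and the leet-speak normalization are constructed for the example (a real deployment would load a breached-password list of millions of entries). The normalization step is what catches "P@ssw0rd1!" as a variant of "password".

```python
import re
from typing import List

# Constructed stand-in for a real common/breached password list.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "iloveyou",
    "admin", "football", "monkey", "dragon", "sunshine", "princess",
}

MIN_LENGTH = 12     # assumed policy value for this example
MIN_DISTINCT = 5    # rejects "aaaaaaaaaaaa" and friends

# Substitutions attackers undo before comparing a guess against a wordlist.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Undo the 'P@ssw0rd1!' tricks so the base word can be checked.

    Lowercase, strip the trailing digits/punctuation people append to satisfy
    complexity rules, then map common leet substitutions back to letters.
    """
    base = password.lower()
    base = re.sub(r"[\d\W_]+$", "", base)
    return base.translate(LEET_MAP)


def check_password(password: str, username: str = "") -> List[str]:
    """Return the reasons the password is rejected; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(set(password)) < MIN_DISTINCT:
        problems.append("too few distinct characters")
    if password.isdigit():
        problems.append("digits only")
    if password.lower() in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS:
        problems.append("a common password or a trivial variant of one")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1!", "Tr0ub4dor&3", "correct horse battery staple",
                      "MyFavoriteCakeIsChocolateWithPeanutButterFrosting"]:
        print(candidate, "->", check_password(candidate, username="alice") or "accepted")
```

Note that the long passphrases pass with no symbols or digits at all, while the "complex" short passwords fail: length and unpredictability are what the check rewards.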
Limit login attempts
Even with strong password requirements, attackers may try to guess passwords by working through every possibility (a brute-force attack) or through a list of likely ones. Limiting failed login attempts makes online guessing impractical. For example, after five wrong passwords for an account, further attempts are refused for a period of time, and the attacker cannot simply keep going. Two caveats apply. First, a hard lockout hands an attacker an easy way to lock legitimate users out of their own accounts, so prefer a temporary lock with an increasing delay over a permanent one, and provide a process for legitimate users to regain access, either by contacting support or by waiting a predefined period of time. Second, a per-account limit does nothing against credential stuffing, where the attacker tries one leaked password per account across many accounts, so also throttle by source address and watch for a spike in failed logins across the whole site.
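An added example (not Coalition's code) of the temporary, escalating lock described above. The thresholds are assumed policy values; the clock is injectable so the behaviour can be tested without waiting. The important property is that while an account is locked the password is not checked at all, so the lock window cannot be used for further guessing, and that a correct password clears the counter.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Assumed policy values for the example.
FREE_ATTEMPTS = 5        # failures allowed before any delay is imposed
BASE_DELAY = 30.0        # seconds; doubles with every further failure
MAX_DELAY = 15 * 60.0    # cap so a lock is never permanent (limits lockout abuse)


@dataclass
class FailureRecord:
    failures: int = 0
    locked_until: float = 0.0


class LoginThrottle:
    """Per-account throttle with exponential backoff instead of a hard lock.

    After FREE_ATTEMPTS failures the account is locked for BASE_DELAY seconds,
    then 2x, 4x ... up to MAX_DELAY. The counter resets on a successful login.
    An attacker is slowed from thousands of guesses per hour to a handful; a
    user who mistypes a few times waits a short while, not forever.
    This does not defend against credential stuffing (one guess per account
    across many accounts); pair it with a per-source-address limit.
    """

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        self._records: Dict[str, FailureRecord] = {}

    def retry_after(self, username: str) -> float:
        """Seconds until the account accepts another attempt (0 if open)."""
        rec = self._records.get(username)
        if rec is None:
            return 0.0
        return max(0.0, rec.locked_until - self._clock())

    def attempt(self, username: str, verify: Callable[[], bool]) -> Tuple[str, float]:
        """Run one login attempt.

        verify() is the real password check (e.g. verify_password against the
        stored hash). It is NOT called while the account is locked, so an
        attacker cannot keep testing guesses during the lock window.
        Returns ("ok", 0), ("denied", 0) or ("locked", seconds_until_retry).
        """
        wait = self.retry_after(username)
        if wait > 0:
            return ("locked", wait)
        rec = self._records.setdefault(username, FailureRecord())
        if verify():
            self._records.pop(username, None)   # success clears the history
            return ("ok", 0.0)
        rec.failures += 1
        if rec.failures >= FREE_ATTEMPTS:
            delay = min(MAX_DELAY, BASE_DELAY * 2 ** (rec.failures - FREE_ATTEMPTS))
            rec.locked_until = self._clock() + delay
            return ("locked", delay)
        return ("denied", 0.0)


if __name__ == "__main__":
    throttle = LoginThrottle()
    # Constructed attacker loop: the 5th wrong guess triggers a 30 s lock.
    for guess in ["password", "123456", "qwerty", "letmein", "welcome", "admin"]:
        print(guess, "->", throttle.attempt("bob", lambda: False))
```

In production the records live in a shared store (a database or cache) rather than in process memory, so the limit holds across all application servers.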
Use multi-factor authentication (MFA)
Passwords are one way to authenticate that you are a particular user, by proving that you know something. You can also authenticate by proving you have a particular device (such as a trusted smartphone, an authenticator app or a hardware key) or by something you are, such as a fingerprint or face scan. Although this is a post about passwords, if the system and data in question are highly sensitive you should consider more than just passwords: requiring a second factor in addition to a strong password or passphrase means a stolen or guessed password alone is no longer enough, which greatly reduces the chance of a successful account compromise.
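To make the "something you have" factor concrete, here is an added example (not Coalition's code) implementing the time-based one-time passwords (TOTP, RFC 6238, built on HOTP, RFC 4226) that authenticator apps generate, using only Python's standard library. The device side computes a code from a shared secret and the current time; the server side recomputes it, allows one step of clock drift, and refuses to accept the same code twice. The secret and timestamps in the usage section are the RFC's own test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 defaults: 30-second steps, 6 digits, HMAC-SHA1.
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamic truncation,
    then reduce modulo 10^digits and zero-pad."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the current time step.
    This is what the user's phone displays."""
    return hotp(secret, at_time // STEP_SECONDS, digits)


def verify_totp(secret: bytes, code: str, at_time: int,
                last_accepted: int = -1, window: int = 1) -> Optional[int]:
    """Server side. Accept the current step and +/-window neighbours to
    tolerate clock drift, but never a step at or before the last accepted one
    (a captured code cannot be replayed). Returns the matched step or None;
    the caller persists it as the new last_accepted."""
    counter = at_time // STEP_SECONDS
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate > last_accepted and hmac.compare_digest(hotp(secret, candidate), code):
            return candidate
    return None


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI that enrolment QR codes carry; the secret is base32."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}"
            f"&issuer={issuer}&digits={DIGITS}&period={STEP_SECONDS}")


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 shared test secret (the ASCII string "12345678901234567890").
    secret = b"12345678901234567890"
    print(provisioning_uri(secret, "alice@example.com", "ExampleCorp"))  # example names
    print(totp(secret, 59))            # 287082 (RFC 6238 vector, 6-digit form)
    print(totp(secret, 1111111109))    # 081804
    print(verify_totp(secret, totp(secret, int(time.time())), int(time.time())))
```

Beware that TOTP is phishable: a user can be tricked into typing the current code into a fake login page that relays it in real time. For the most sensitive systems, a hardware security key bound to the site's origin closes that gap.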
Taking these basic precautions for your own accounts, and implementing them for your users, does require effort. However, given the quickly evolving nature of cyber threats and the rising losses from cyber attacks, it is well worth it. Guidance on passwords has evolved over the years, and the current guidance (random passwords or passphrases stored in a password manager) is the first that actually makes life easier for users.
Coalition Control takes your security to the next level
Coalition policyholders can access our full suite of security tools with Coalition Control. There you'll find information not only about compromised user accounts in your organization, but also access to discounted and free security tools from our partner network.
Oh, and by the way, Coalition Control offers free attack surface monitoring for any organization; you don’t need to be a cyber insurance policyholder to get some of the benefits of our industry-leading cyber risk management platform. Sign up and try it out for your organization right now