Quick and Dirty Password Security: Best Practices for Strong Passwords

Sometimes I feel like Noah.  I preach network and password security all day every day, and most of the time people don’t believe a breach could really happen to them.  They are warned that rain is coming, but no one believes it until they hear thunder and start getting soaked.

I am a certified Payment Card Industry Professional, as well as an Apple Certified Support Professional and a CompTIA Security+ certified security advisor. I work with small businesses and CEOs, and I spend a lot of time talking to clients about security. We get calls from business owners and entrepreneurs on a daily basis with reports of being hacked or having accounts compromised. From business loans taken out fraudulently to faked documents that caused vendors to make payments to fraudulent offshore accounts, we have seen just about every variation of hack out there. However, there are new trends in hacking worth taking notice of, and I wanted to take a few minutes to answer the most common password-related questions we hear.

With the recent reports of public figures being hacked and their digital assets being sold on the black market, I have seen a lot of advice from folks as to how long your passwords should be, how often they should be changed, and whether or not to use a password manager.  This is all a bit confusing, and I feel that many users are receiving advice that may not necessarily be incorrect, but doesn’t quite inform the user well enough to be able to decide for themselves and understand the reasons behind the suggestions.

So for this article I would like to give you real password and security best practices based on the leaders in the industry and the rules for compliance and safety generally observed in secure environments.

I advise clients based on principles that the leaders in the IT security industry have created to facilitate secure networks. The cues for our field are based on “compliance” requirements, usually HIPAA (Health Insurance Portability and Accountability Act) and PCIC (Payment Card Industry Council) which have been determined to be most secure.  I say this so readers know that what we outline below isn’t an opinion, but is based on the rules companies are required to follow in order to be considered secure.

Ok, with the boring stuff over, let’s talk security!

What makes a good password?

  • The standard for PCI is AT LEAST 7 characters long.

  • The password should contain 4 types of characters: uppercase, lowercase, punctuation, and numbers.

  • The password SHOULD NOT contain a dictionary word. If it contains a word found in the dictionary, even when combined with numbers or punctuation, the time taken to crack the password is drastically reduced.

  • DO NOT repeat passwords you have used in the past. In general, do not repeat any of the last 6 passwords you have used.

  • You should change your password every 30 days. Now, this is the standard, and I am often asked “Does anyone actually do that?” The answer is yes, but most settle around changing the password every 90 days. It’s up to each user to determine the level of acceptable risk.

  • Whatever system you are connecting to (social media, server, service, etc.) should lock the user out after 5 attempts. Many services do not comply with this yet, but we are starting to see a shift to better lockout policies.

  • Each service, such as Facebook, Dropbox, iCloud, etc., should have a unique password. This means no using the same password for everything you sign into!

  • You should not allow your device or browser to “keep you logged in”.

  • ALWAYS use two-factor authentication if it is available. Two-factor authentication is logging in with more than one challenge, such as one password dialogue followed by a security question. This type of authentication is exponentially more secure.
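The rules above are the kind of thing a service enforces at the point where a user picks or enters a password. The following is an added example, not code from this article or from Available Technology, showing how a service could check the four mechanical rules (minimum 7 characters, all 4 character types, no dictionary word, none of the last 6 passwords) and apply a 5-attempt lockout. The wordlist is a tiny constructed stand-in for a real dictionary, the history is kept as salted hashes rather than plaintext so old passwords are never stored in the clear, and the lockout duration is an assumed value since the article gives none.

```python
import hashlib
import hmac
import os
import string
import time

# Constructed stand-in for a real dictionary wordlist; a deployment would
# load a full list. Enough here to exercise the check.
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon", "monkey", "letmein"}

MIN_LENGTH = 7              # PCI minimum quoted in the article
HISTORY_DEPTH = 6           # "do not repeat any of the last 6 passwords"
MAX_FAILED_ATTEMPTS = 5     # "lock the user out after 5 attempts"
LOCKOUT_SECONDS = 30 * 60   # assumed duration; the article names no figure


def character_classes(password):
    """Return the set of character classes present: upper, lower, digit, punct."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("punct")
    return classes


def contains_dictionary_word(password, words=DICTIONARY_WORDS):
    """True if any dictionary word appears inside the password, ignoring case."""
    lowered = password.lower()
    return any(word in lowered for word in words)


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, so the stored history never holds plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def matches_history(password, history):
    """History entries are (salt, digest) tuples; compare in constant time."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password_policy(password, history=()):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = {"upper", "lower", "digit", "punct"} - character_classes(password)
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    if contains_dictionary_word(password):
        problems.append("contains a dictionary word")
    if matches_history(password, list(history)):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


class LockoutTracker:
    """Counts consecutive failed logins per account; locks after MAX_FAILED_ATTEMPTS."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so the behaviour is testable
        self._failures = {}      # username -> consecutive failure count
        self._locked_until = {}  # username -> unix time when the lock expires

    def is_locked(self, user):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self._now() < until:
            return True
        # Lock has expired: clear it and start counting fresh.
        self._locked_until.pop(user, None)
        self._failures.pop(user, None)
        return False

    def record_failure(self, user):
        """Register a failed attempt; returns True once the account becomes locked."""
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= MAX_FAILED_ATTEMPTS:
            self._locked_until[user] = self._now() + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, user):
        """A successful login resets the failure counter and any lock."""
        self._failures.pop(user, None)
        self._locked_until.pop(user, None)


if __name__ == "__main__":
    old = [hash_password("Gx4!wqZ9")]           # constructed previous password
    print(check_password_policy("Password1!", old))  # dictionary word
    print(check_password_policy("Gx4!wqZ9", old))    # reused
    print(check_password_policy("kX9#qLm2!v", old))  # passes: []
    tracker = LockoutTracker()
    for _ in range(MAX_FAILED_ATTEMPTS):
        tracker.record_failure("alice")
    print("alice locked:", tracker.is_locked("alice"))
```

The dictionary check deliberately looks for the word anywhere inside the password rather than requiring an exact match, which is the point the article makes: "Password1!" is no better than "password" against a wordlist-based attack. The lockout tracker resets its counter on a successful login and when a lock expires, so a single mistyped password does not accumulate toward a lock forever.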

In addition, contrary to many opinions, a password CAN be too long. If the password is so long that you can’t remember it, it is not a good password. A secure password should exist only in your head. If you have to write it down, it is a bad password.

An executive once told me that his password was impossible to hack. 24 characters long, 4 types of characters, unbreakable. I took a quick look at his desk calendar and saw a 24 digit string with 4 types of characters. I asked “Is that your password?”  He grinned and admitted it was.

Any stored or written password is a bad password.

What about password managers?

This is a topic that invites many different opinions.

A password manager program is an app which encrypts and stores all your individual passwords in a digital lockbox protected by a single password or two-factor master password.

Some people, including IT security experts and CIOs, swear by password manager programs, and others would never consider using one. So with opinions so firmly divided, let’s look at the reasoning.

Many well respected IT leaders say that there is “no viable reason” not to trust a password manager application.  Many apps use two-factor authentication for the master password to access other stored passwords.  This is great, but for every person in the industry that advises the use of password managers, there are at least as many professionals who can’t make that recommendation.

Regardless of encryption used, or multiple factors protecting the password program master password, there is still a single password protecting the rest of your passwords.

Think of it like this: if your kids are in your house and danger is outside, would you rather have a different key for each room in the house, or two keys for the front door with all other doors unlocked?  To many security professionals, password managers represent exposure to unnecessary risk.

In general, the prevalent opinion is that storing or saving a password in a password manager program is the same as writing it down. Written passwords are considered insecure, so most IT professionals will not consider password managers as an option.

Let’s go to compliance standards for the tiebreaker.

Based on PCI and HIPAA compliance standards, password managers are not allowed.

I asked my two boys, 15 and 13, which they would rather have: 5 treasure chests locked with a key for each, or one chest containing the loot from all the others, with that chest being locked with 2 keys. The youngest said, “It sounds like with one chest we are saving the thieves a lot of work. It’s easier to find 2 keys than 5.”  This makes sense to me, and that’s one of the reasons why I don’t recommend password managers to any of our clients.

Please feel free to shoot any security related questions to @availabletech on twitter and pick up my Small Business Security book next month from Amazon or https://available-tech.net.

Mike Lane, Available Technology Inc
http://dmichaellane.com