We all hate it when our companies make us change our passwords every 60 days. But they do it for a reason! It’s more secure!
With all of the hoopla over the leaked celebrity pictures, I thought I’d revisit a topic that’s been covered to DEATH, even though no one seems to really take the advice of the experts.
Password protection isn’t just in the hands of companies; it’s in the hands of users too. It’s not just “use long passwords” either. Attackers with access to fast compute resources can crack 16-character passwords in under an hour using a dictionary-based brute-force attack.
Stanford’s network admins have a password policy that could be a good model for choosing passwords that are easier to remember (at least until processors can handle 20-character passwords).
Here are some things companies and employers can do to help secure passwords:
- HASH the passwords (with a salt preferably). NEVER store anything plain text ever.
- Encrypt the channels between the password databases and the systems accessing them.
- Encrypt the databases themselves
- LOCK down access to the password database.
- Force the use of a password at LEAST 12 characters long.
- Force special character usage
- Force numerical character usage
- Force multiple uppercase usage
- Use a dictionary of your own to DISALLOW words in the dictionary
- Use 2 factor authentication for EVERYTHING
- Force a password change after 1-2 failures (mentioned in my East-to-West Security blog post)
- Force password changes every so often
- Remove “stale” users
- ENFORCE your password security policy. (If you see passwords on post-it notes, discipline them!!)
- Monitor “unusual” login sources (i.e. Different Countries)
- Don’t allow password REUSE
- Restrict application access to the lowest setting that still lets people do their job (least privilege). Don’t give users too much power!
- Deploy brute-force and intrusion detection systems!
- Deploy centralized authentication servers (RADIUS, TACACS, LDAP)
- Deploy Secure Tokens
- Regularly change your WiFi access point passwords
- Don’t use applications or protocols that send credentials in plain text (use SCP, SSH, HTTPS, etc.)
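As an added example (this is not code from the original post), here is a small Python program showing how the hashing and password-policy items above fit together: PBKDF2-HMAC-SHA256 with a random per-user salt, a stored record that carries its own parameters so they can be raised later, constant-time verification, and a policy check covering the 12-character, special-character, digit, multiple-uppercase and dictionary rules. The iteration count and the words in the denylist are assumptions chosen for illustration; a real deployment would load its own dictionary and tune the iteration count to its hardware.

```python
import hashlib
import hmac
import secrets
import string

# Assumed parameters: the iteration count should be tuned to the login server's
# hardware; the salt is generated fresh for every stored password.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32

# Constructed denylist standing in for the post's "dictionary of your own" and
# the "500 passwords" list; a real deployment loads a much larger word list.
DISALLOWED_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "company"}


def check_policy(password: str, denylist=DISALLOWED_WORDS) -> list:
    """Return the policy rules a candidate password breaks (empty list = accepted)."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if sum(1 for c in password if c.isupper()) < 2:
        problems.append("fewer than two uppercase letters")
    # Dictionary rule: reject any password that contains a denylisted word,
    # regardless of case, so "PassWord1!" is caught as well as "password".
    lowered = password.lower()
    hits = sorted(w for w in denylist if w in lowered)
    if hits:
        problems.append("contains disallowed word(s): " + ", ".join(hits))
    return problems


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a salted PBKDF2 hash and encode it with its parameters for storage.

    Stored format: pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
    Only this string is written to the database; the plain-text password never is.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, KEY_BYTES
    )
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt/iterations and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: fail closed rather than crash
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, rounds, KEY_BYTES
    )
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    for candidate in ["Tr0ub4dor&3", "PassWord12345!", "i_l!K3_t0_E/-\\t_l@5aGn/-\\"]:
        print(candidate, "->", check_policy(candidate) or "accepted")
    record = hash_password("i_l!K3_t0_E/-\\t_l@5aGn/-\\")
    print(record)
    print("correct password verifies:", verify_password("i_l!K3_t0_E/-\\t_l@5aGn/-\\", record))
    print("wrong password verifies:", verify_password("i_l!K3_t0_E/-\\t_l@5aGn/-X", record))
```

Because the salt is random, two users who pick the same password get different stored records, so a leaked database cannot be attacked with one precomputed table; and because the record carries its own iteration count, the count can be raised for new passwords without invalidating the old ones.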
Here are some things end users can do to secure passwords:
- Don’t share your password with ANYONE!!! ANYONE… EVER!! Even if you know them and they’re “trying to help”
- Use a different password for every service/login
- Never “stay logged in”
- Do NOT use the “remember me” or “remember password” feature
- DON’T WRITE YOUR PASSWORDS DOWN! (Physically)
- DON’T WRITE YOUR PASSWORDS DOWN! (Electronically, e-mail, text, whatever)
- Change passwords regularly
- If the service allows for 2 Factor Authentication… USE IT!
- Be aware of “social engineering”. Good “social hackers” can guess your passwords after a couple of drinks at a bar.
- Don’t use ANY of these 500 passwords. (or ANY remotely similar)
- Use phrases that are easy for you to remember, but hard to brute-force (i_l!K3_t0_E/-\t_l@5aGn/-\)
- Use the longest password possible
- Never enter a password on a website that isn’t encrypted and trusted (look for the little padlock icon in the browser)
- If you choose to use applications like 1Password, ensure they are using 256-bit encryption
- REPORT anyone asking for your password