Web Security and Password Best Practices

Time for a password refresh!

Within the past two weeks, over 1 million decrypted passwords for some of the most popular mail and social media sites have been placed for sale on the Deep Web.  What this means for you is that there is a chance that your information is unknowingly available for sale.  A few of the sites involved in this data sale include gMail, Yahoo, LinkedIn, Tumblr, and Last.FM.

Password Best PracticesAn Australian security researcher has instituted a Website to allow you to see if any of your eMail accounts or usernames have been involved in a breach incident.  This site can be found at https://haveibeenpwned.com/

It is very simple to mitigate the threat associated with a password leak; log into your account and change your password.  However, careful thought should go into setting up your password and considerations should be made if you use the same password across multiple sites.  If you reuse your passwords across multiple sites, then from a security standpoint, all of the passwords should be changed as it is not unusual for attackers to attempt the same credentials gained in a breach across various services.  As for setting up your password, simple is not always better.  Nonetheless, overcomplexity in password design just makes it more difficult for you to access your account.  A strong balance between security and usability is necessary, as if your password makes it more difficult for you to remember, and in turn slows down the access of your account, then it is not a good fit.

If your password contains an actual word, it can often be cracked quickly.  The best recommendation is to use long passwords with a mix of Upper Case, Lower Case, Numbers, and special characters.  While previously the recommendation was 8 characters as a minimum, current technology using advanced hardware and software can effectively determine shorter passwords quickly. Currently, from a security standpoint, the use of 10 characters or more is not uncommon, but the question is frequently how does one remember a password of that length.

Password Strategies

Passwords do not need to look like I4t3|<4(3!, and can frequently be made more secure while creating them in a method can be readily remembered.  For example, if your name is Cathy Smith, you certainly would not want to use the password of Cathysmith; however, you could, effectively use number and character substitution, or munging to make your password that simple. Using substitution, your password could be C@hySm1th! and have a greater chance of surviving a password based attack. An additional consideration is the frequency in which you change your password. Depending on the sensitivity of your data, changing your password between 60 and 90 days would assist in further protecting your information.

Password Managers

Though previously, we had made recommendations that users utilize password managers to remember complex passwords, they too have unfortunately been breached due to weaker than expected security. Based on a recent article from TWCN, a key component used by many popular password manager applications possessed a security weakness, meaning your passwords were saved in a format that was easily reversible. While it is apparent that the password managers have fixed the issue now that the weakness has been discovered, it would be advantageous, for those of you using password managers before March 1, 2017, to change your passwords as soon as possible, as historic information has the potential to be compromised.

The following two tabs change content below.

Robert Rife

Robert Rife is Chief Engineer at Velocity Micro. A twenty-five year I.T. veteran with deep experience in process optimization, computer manufacturing, and physical/electronic security, Robert understands financial ramifications of technical decisions and is able to readily translate business needs to technology solutions. Since originally joining Velocity Micro in 2006, has held multiple positions ranging from desktop support to production and on to advanced engineering. Robert holds many degrees including an MBA specializing in IT Management, Masters of Science in Information Security Assurance, and a Masters of Education in Curriculum Design. He is currently in his third year of a Doctorate of Science program focusing on Information Security. He also holds over 50 industry certifications and was awarded an Information Security Professional and Management certificate from the Committee on National Security Systems.

Latest posts by Robert Rife (see all)

Leave a Reply

Your email address will not be published. Required fields are marked *