September 27th, 2021
Although the concept of the password is hundreds of years old, the modern password as we know it today was first introduced by Fernando Corbató, a prominent figure in the field of computer science. Since then, the password has become a foundational element of cybersecurity, and it’s often the first line of defense in protecting user accounts and sensitive data from unauthorized access.
That being said, 77% of organizations consulted in EY’s Global Information Security Survey say they have seen an increase in disruptive security attacks, and it was also reported in Verizon’s 2020 Data Breach Investigations Report (DBIR) that that over 80% of hacking-related breaches involved the use of lost or stolen credentials. Add that to the well known statistic that less than a quarter of Americans use password management tools and you start to understand the pressing need for proper password management.
So, in this InfoSec Series article, we’ll do a deep dive into proper password management and how to keep your passwords safe. We’ll review everything from what makes a password safe, how hackers approach breaching password security, and how to properly create, store and sync passwords so that your organization and project can keep the information you house much more secure.
When it comes to cybersecurity, and more specifically infosec, password management is critical in defending your information and organization from cybercriminals. Beyond firewalls, malware protection, VPNs, and other cybersecurity tools, passwords are often the only thing protecting confidential information like company data, intellectual property, seed phrases, and the private keys of cryptocurrency wallets.
Of course, there are technologies such as SSO (Single Sign-On) and biometrics, however, these sorts of tools are still typically coupled with a password at some point in their authentication process to ensure a greater level of security. This ultimately means that infosec is highly dependent on passwords, and the secure generation and management of those passwords.
All things considered, secure password management and keeping your passwords safe starts with having an ultra secure password in and of itself. There are a number of things that make a password strong, and you should always use common sense and avoid typical passwords such as your birthday, a succession of numbers or letters, or single words and short passwords.
But in order to really understand how to create a strong password, it’s important to understand how passwords get hacked in the first place. Here are a few of the typical ways cybercriminals obtain password credentials:
Especially when it comes to brute force attacks and dictionary attacks, having your password information get compromised is far less likely when you have a strong password that follows specific guidelines. Below, we’ll explore how to ensure you create a strong password.
In many ways, good password management starts with having an ultra strong password. The stronger the password, the more difficult it is for a hacker to crack it, and here are the elements that actually make a less-hackable, strong password:
Using any one of the above guidelines in isolation isn’t enough, so you’ll want to ensure you use all of them (or, at the very least, a combination of several of them). For instance, having a password that is 12 characters long can take either milliseconds to hack, or billions of years to hack depending on how it’s formed. In fact, Express VPN, the VPN service provider, has an interesting online password safety tool that will show you how long it takes to crack a specific password. And although we don’t recommend you generate passwords with this online tool and use them to secure your information, it’s very helpful to see how much of a difference a special character, separator, or extra number can make to the security of your password.
In the rare case that your password is compromised after following the recommendations above, password management tools 1Password as well as things like Google’s built in security features can warn you when your email or password has been involved in data breaches.
As you can see, there’s quite a lot that goes into good password management and properly securing the information your passwords ultimately protect. And as a result of all the complexity around cybersecurity and infosec, one of the major areas that hackers try to exploit within organizations is cyber fatigue. People tend to experience cyber fatigue when they become overwhelmed with managing multiple passwords, PIN codes and accounts. That is, being inundated with prompts, credential requests and false positives that overtime may start to feel meaningless – although they are critical to information security.
One of the most powerful tools organizations can use as part of their infosec strategy and to help avoid cyber fatigue include password managers. Password managers remove the complexity involved in coming up with a secure password, storage, syncing, and monitoring among other things. Below, you’ll find a list of options for password managers you can consider as part of your password security strategy.
Depending on the devices you use, they may come with their own password generator and manager. For example Apple OSX users will be familiar with iCould Keychain and the Safari browser password manager. Firefox has Lockwise, and Google Chrome also has a native password manager that can generate passwords and also warn you if a password has been involved in a data breach. The advantage of these tools is that they are free and convenient, however an obvious drawback of these natively built in tools, outside of Firefox’s Lockwise, is that the passwords within them are tied to the ecosystem and can’t be used across platforms.
If syncing across multiple platforms including mobile is important to your operation, then you’ll want to consider tools such as 1Password, Keeper and Dashlane among others. These tools include useful features like password change history, data leak notifications, 2FA for greater security when new accounts instances are created, AES 256-bit encryption, and much more.
If your project or organization would rather manage passwords purely offline, one option includes the open source password manager KeePass. Many of the other options that allow online syncing can also be used offline, so if keeping your data totally offline or outside of public networks is important, these are the kinds of options you’ll want to consider.
Hackers have gotten more clever and continue to evolve their strategies for stealing password information. So beyond the password management tools themselves, you’ll want to equip yourself with the right knowledge of things you should do, and other things you should avoid when it comes to keeping your passwords safe. Here’s a list of password Do’s and Don’ts you’ll want to keep top of mind.
A secure password that is safely stored and synced is a critical step in your overall infosec strategy. But you can still take your security a step further through the use of multi-factor authentication apps such as Google Authenticator and Authy, hardware OTP tools like a Yubikey, and Google’s password alert extension for Chrome.
Proper password management and keeping your passwords safe is a key element to information security and keeping your data out of the hands of unauthorized users. And if you want to ensure your sensitive information and data are as safe as possible, reach out to our cybersecurity experts at firstname.lastname@example.org.