Rethinking the Password – Part 1

Cyber Security

January 22, 2018

James Murphy is one of our Security Consultants at CTO Group. Contact him directly via email or through his LinkedIn account.

Imagine you discovered your company had been the victim of a massive data breach. The cause of the breach? A compromised password.

For most people, passwords are an irritation. How we currently use them has also proven to be terribly ineffective at protecting our accounts. Complexity rules and expiration dates dictate the structure of our passwords: “You need an uppercase letter, a number, a special character! Oh, and change it every month, please!”. These rules frustrate users, and the ways users meet these requirements makes it harder for them to remember their own passwords.
So, what do we do to avoid the horror situation outlined above? How do we protect our accounts and our data?

There are four simple things you can do immediately to strengthen your credentials:

  • Instead of passwords, use passphrases where possible
  • Use multi-factor authentication if available
  • Don’t reuse your passwords or passphrases
  • Use a password manager
  • As humans, we make patterns to simplify the process of creating and remembering passwords. This is the first challenge. Have you ever used the same password, but appended a number or date on to the end of it? If so, you’re not the only one. This behaviour makes it much easier for the “bad guys” because these patterns are easy to predict, allowing an intruder continued and undetected access to a system even after a password has expired and been reset.

    In October 2017, the Australian Signals Directorate (ASD) updated its [passphrase requirements](https://asd.gov.au/publications/protect/passphrase-requirements.htm) to simplify passwords for the user. The ASD recommends passphrases be at least 13 alphabetic characters, and if these are used as the sole method of authentication, the use of longer passphrases is encouraged. If your organisation isn’t yet ready for multi-factor authentication, longer passphrases can at least improve your basic password strength.

    A passphrase can simply be a phrase or set of words, ideally with a mixture of character types especially if the service you’re using requires them. Interestingly, Microsoft and NIST recommend the removal of character-composition requirements entirely. Though, if you’re going to stick to alphabetic characters only, ensure that you use a long string for your passphrase – five or six words minimum would be best.

    A strong example of a passphrase would be: “5 bears in the BATHROOM!” It’s long, silly and comedic, but easy to remember. The trick is to make something that flows, so it’s memorable, while still meeting most services’ complexity requirements. It’s much easier and simpler to use than something like “P@ssw0rd1!”, and far harder to crack. You can check the strength of a string at [How Secure Is My Password?](https://howsecureismypassword.net/) – don’t put your actual or potential password in here; use this only as a learning exercise! According to calculations, “5 bears in the BATHROOM!” would take 297 octillion years to crack but the annoying “P@ssw0rd1!” takes just six years. Six years might sound like a long time now, but that’s just one computer doing the work. Multiple machines can reduce this significantly, and the available computational power to perform brute-force attacks exponentially increases. In case you’re wondering, an “octillion” is a one followed by 27 zeroes – enormous!

    With cloud services becoming prevalent in almost any workplace, this further complicates matters. While your organisation may be able to control password policies in an internal environment, cloud providers enforce their own password policies which often will not meet your requirements. Unfortunately, you’re at the mercy of their rules, good or bad.

    Read on to Part 2 of this blog for more on how to deal with this.