Rethinking the Password – Part 2

Cyber Security

January 30, 2018

James Murphy is one of our Security Consultants at CTO Group. Contact him directly via email or through his LinkedIn account.

In Part 1 of this blog I explained how you can improve your credential security by using passphrases instead of passwords. This is a step in the right direction, but its effectiveness is limited by two problems. The first is that not all cloud services allow long passwords. The second is that even a strong passphrase can still be captured by a key-logger or exposed in a data breach, and once it has leaked its length no longer protects you.

An example of a cloud service with restrictive password limitations is Office 365, which at the time of writing limits passwords to 16 characters. The problem isn’t necessarily protection against online brute-force, as Office 365 will automatically lock the account after a few incorrect login attempts. Note that lockout only helps against guessing through the login form; if a password hash is leaked it is cracked offline, where no lockout applies. The real issue is that capping the user at 16 characters pushes them back towards the bad habits I mentioned in Part 1: predictable patterns in short passwords, which are exactly what offline cracking tools try first.

However, there is good news. Multi-factor authentication (MFA) improves the security of your account by adding a ‘something you have’ factor, such as a one-time code or an approval request on your phone, to the ‘something you know’ factor, your passphrase. MFA requires you to enter the code or approve the request before the login completes. This protects you because even if an attacker knows your credentials and tries to log in, they still need that second factor. The code is derived from a secret that lives only in the app on your phone, so an attacker who has your passphrase but not your device cannot produce it. The remaining risk is you handing it over: a code typed into a fake login page, or a push request approved when you did not initiate a login, gives the attacker the factor they were missing. With MFA enabled and those habits in place, a stolen passphrase alone is not enough to access your account.
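
To make the ‘something you have’ factor concrete, here is an added example, not code from the original post, implementing the time-based one-time codes (RFC 6238 TOTP, built on RFC 4226 HOTP) that authenticator apps generate. The issuer name and account in `enrol` are placeholders; the secret length, 30-second step and six digits are the defaults most services use. The point to notice is that the code is a keyed HMAC of the current time window: anyone without the 20-byte secret, including someone who has your password, cannot compute it.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time window."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check. Accepts the current window plus `window` neighbours on
    each side to absorb clock drift between phone and server. Every candidate is
    compared in constant time, and all windows are evaluated, so response timing
    does not reveal how close a guess was."""
    base = unix_time // step
    ok = False
    for delta in range(-window, window + 1):
        expected = hotp(secret, base + delta, digits)
        ok |= hmac.compare_digest(expected, candidate)
    return ok


def enrol(issuer: str, account: str):
    """Enrolment: the server draws a fresh 160-bit secret and hands it to the
    user's phone once, normally as a QR code of this otpauth:// URI. Issuer and
    account are just labels shown in the app; the secret is the 'something you
    have' and never crosses the wire again."""
    secret = secrets.token_bytes(20)
    b32 = base64.b32encode(secret).decode().rstrip("=")
    uri = (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
           f"?secret={b32}&issuer={quote(issuer)}&digits=6&period=30")
    return secret, uri


if __name__ == "__main__":
    # Attacker scenario: password known, secret not. Without the secret the
    # attacker has a 3-in-a-million chance per attempt against a 1-window check.
    secret, uri = enrol("Example Corp", "alice@example.com")
    print("provision this in the authenticator app:", uri)
    import time
    now = int(time.time())
    print("code for this 30-second window:", totp(secret, now))
    print("valid?", verify_totp(secret, totp(secret, now), now))
```

`hotp` and `totp` reproduce the published RFC 4226 and RFC 6238 test vectors (secret `12345678901234567890`, time 59 gives `94287082` with eight digits). Lockout on the code entry still matters: a six-digit code with a three-window tolerance gives a guess a 3 in 1,000,000 chance, so the server must rate-limit MFA attempts just as it does passwords.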

Office 365 offers multi-factor authentication (MFA), but it needs to be enabled by your organisation before you can use it on your account. If it isn’t, talk to your organisation and ask them to enable it for you. If they won’t, unfortunately, you’re out of luck, and the best you can do to limit the damage is to make sure the password on that account is not used on any of your other accounts.

Creating simpler and memorable passphrases was the first challenge. The second challenge is not using the same passphrase across platforms. Given the difficulty we have remembering our passphrases, it’s natural that once we remember one, we reuse it on multiple services. Passphrase or password reuse makes it possible to employ credential stuffing, in which the “bad guys” take your leaked credentials and replay them against unrelated popular sites and services to see what sticks.

In 2012, LinkedIn had a massive breach. Approximately 6.5 million password hashes (unsalted SHA-1, so quick to crack) were posted online, which is bad enough on its own. In 2016, though, a further 117 million credentials from the same 2012 breach surfaced. According to the Motherboard report, hackers cracked 90% of the passwords within 72 hours, and many of those cracked passwords were still in use by LinkedIn users.

Some of these users’ other accounts would have been compromised along with their LinkedIn profiles through credential stuffing. Had they used a password manager to generate a unique credential for each service, the LinkedIn password would have been useless anywhere else and their other accounts would have been safe. Government departments have also had breaches involving the loss of passwords. As a general rule, never use the same password for work and personal accounts.

There are several password managers available, some which operate in the cloud and synchronise with applications and browser extensions, and others that are simply a stand-alone application using an offline database. It’s best to research the different types and choose one that meets your needs. You need to be confident in the security of the password manager you choose, as you are putting a lot of trust in it to keep your credentials safe: at a minimum, the vault should be encrypted with a key derived from your master passphrase so the provider cannot read it, and the manager account itself should have MFA enabled.
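
The following is an added example, not code from the original post, that ties the two previous sections together: it replays a constructed “breach dump” against a hypothetical unrelated site, the way credential stuffing works, and then shows what a password manager changes by generating a unique random password per account. The three email/password pairs, the `SiteUserDB` class and the PBKDF2 iteration count are all made up for the demonstration.

```python
import hashlib
import hmac
import math
import secrets
import string

# Constructed sample "breach dump": three email/password pairs. Not real data.
LEAKED = [
    ("alice@example.com", "Summer2012!"),
    ("bob@example.com", "LinkedIn#1"),
    ("carol@example.com", "P@ssw0rd"),
]

PBKDF2_ROUNDS = 100_000  # assumed value; a real service tunes this for its hardware


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class SiteUserDB:
    """Hypothetical user store for an unrelated site, holding salted PBKDF2 hashes."""

    def __init__(self):
        self._users = {}

    def register(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[email] = (salt, hash_password(password, salt))

    def login(self, email: str, password: str) -> bool:
        record = self._users.get(email)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(hash_password(password, salt), stored)


def credential_stuffing(target: SiteUserDB, leaked) -> list:
    """What the attacker does: replay every leaked pair against the unrelated
    site and keep the ones that log in. Strong hashing on the target does not
    help here, because the attacker submits the real password, not a cracked
    hash; only a different password per site stops the replay."""
    return [email for email, password in leaked if target.login(email, password)]


PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def random_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """What a password manager does: draw each character from a CSPRNG. The
    default length of 16 fits the Office 365 cap mentioned earlier."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string of this length, for comparing policies."""
    return length * math.log2(alphabet_size)


def simulate():
    """Replay the same dump against two sites: one whose users reused their
    passwords, one whose users let a manager pick a unique password per site.
    Returns the list of compromised emails for each."""
    reused = SiteUserDB()
    for email, password in LEAKED:
        reused.register(email, password)

    unique = SiteUserDB()
    for email, _ in LEAKED:
        unique.register(email, random_password())

    return credential_stuffing(reused, LEAKED), credential_stuffing(unique, LEAKED)


if __name__ == "__main__":
    hits_reused, hits_unique = simulate()
    print(f"reused passwords: {len(hits_reused)}/{len(LEAKED)} accounts taken over")
    print(f"unique passwords: {len(hits_unique)}/{len(LEAKED)} accounts taken over")
    print(f"16 random printable characters: {entropy_bits(16, len(PRINTABLE)):.1f} bits")
```

Against the reused-password site every leaked pair logs in; against the site with manager-generated passwords none do, even though both sites hash passwords identically. A random 16-character password over the 94 printable ASCII characters carries about 105 bits of entropy, well beyond what offline cracking can exhaust, which is why a generator plus a vault beats any memorable pattern within the same length cap.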

So, where to next?

  • Start by reviewing the ASD’s information security advice, as well as the information on other authorities’ sites such as and
  • Read this blog post by Troy Hunt – a good summary of the current thinking around passwords and passphrases, and the need to evolve
  • Perform a review of all your accounts, use a password manager to store unique credentials for each account, and enable MFA where possible