World Password Day: Let’s Play a Game of “Fact or Fiction”
It’s May the Fourth and today is not only a day celebrated by Star Wars fans, but it’s also the date of another special holiday: World Password Day. On World Password Day, people and organizations around the globe take the pledge to improve their password habits. In honor of last year’s World Password Day, I shared a blog on “The Things I Taught My Mother About Password Safety.”
This year, we’ve decided to play a game: Fact or Fiction? With so much confusion and false advice around password security, it can be hard to sift through the heaps of information to uncover the most effective strategies for password management. In today’s blog, we cut through the noise and talk about what matters most.
Fact or Fiction? Corporate password policies are only necessary to pay attention to for “important” applications like financial applications.
Fiction. Security is all about the principle of the weakest link. An attacker will always go after the lowest rung first since it’s generally the easiest to infiltrate, before moving on from there to higher value targets. While a risk-based approach to security does work, that doesn’t mean you should only focus on those high-risk, high-value applications and leave the low-value areas unprotected – since that’s what attackers will be banking on.
Fact or Fiction? It’s safe to store your passwords in a notebook out of sight of your desk.
Fact. Well… kind of. So, for a SaaS application you’re probably far better off having a complex password on a sticky note than a memorable three-letter password kept in your head. To be clear, I’m not recommending post-it password policies — remember, the insider is our biggest risk and the next insider threat might be your coworker or an office cleaner. But realistically, when the adversary is physically remote, a notebook in a locked desk drawer is a better solution. But more generally it’s truly not in your best interest to write your passwords down where someone could spot them. Instead, consider using an easy-to-remember password scheme, like using the first letter of the words in a phrase or song mixed with the name of the application. These methods may not be the safest methods you can choose from – but overall a complex password that you need to write down to remember is always better than a short password that you won’t forget but is an easy guess or easily crackable.
Fact or Fiction? I can reuse my password if it’s really complex.
Fiction. Don’t reuse passwords. Period. Just look at several recent high-profile breaches to understand why. Following breaches like Dropbox and LinkedIn, hackers were able to reuse the username/password combos taken from those services in order to gain access to accounts on other services – taking advantage of the widespread bad habit of reusing passwords across platforms and applications.
Fact or Fiction? A long password doesn’t have to be complex to be secure.
Fiction. A long password made up of consecutive words that are typically used together is no more secure than the most common singular words used in passwords. As an aside, research shows that “Red” is the most common color used in a password and “Batman” is the most common superhero. These facts contribute to the way hackers crack passwords made up of these commonly-used words. The bad guys use databases of commonly used words and numbers called a Rainbow Table, to cycle through all possible plaintext permutations of encrypted passwords to compare with stolen password hashes. Anything you can think of easily can be effortlessly cracked using this method. When it comes to passwords – complexity and randomness (aka entropy) is quite literally the key; the first letters of a song you like, an usual mix of upper and lowercase letters, mix that with some random numbers and you are good. Remember – if it’s easy to say and remember, it’s almost always a bad password.
Fact or Fiction? Using a password generator ensures a strong password.
Fiction. For the most part, password generators work since they easily create complex and unusual passwords. But remember – when choosing a password generator, make sure it’s provided by a trusted source. Recently, there was a free password generator app offered on iPhone that was analyzed by the security community. It was found that the random number generation scheme used by this app was anything but random. Look for tools that are open source or highly recommended by trusted sources and already being used by security practitioners.
Fact or Fiction? I can use a weaker password if I use multi-factor authentication.
Fact. Again… sort of. It’s all about finding the balance between convenience and control. If you’re using rock-solid multifactor authentication – and it’s deployed properly – then you may still be protected with a password that’s easier to remember. But, why wouldn’t you make sure that everything is strong? A multi-layered approach to security is always a good idea – but why wouldn’t you make each of those layers are as strong as possible? I would say: go for both.
Fact or Fiction? The password is dead.
Fiction. Like I said above – a multi-layered approach to security is always best. Passwords aren’t going away anytime soon, so taking advantage of the full spectrum of password tools and best practices will only benefit you. Use stronger passwords, use layered multifactor authentication and, if you have the budget and the time, use biometrics. Multi-layered security is always in your best interest. But until every application and every system has moved off the password path, it’s critically important that we appropriately manage them.
Today, on World Password Day, we hope you take the opportunity to reflect on your own password behaviors and take action to nix those bad habits in favor of good password strategies.