What is a password, and why do we have them?
A password is defined as “a memorised secret, typically a string of characters, usually used to confirm a user’s identity”.
This is important to IT systems, and to cyber security: while human beings have lots of different ways of identifying someone and consequently whether to trust them with something, computers and IT systems only usually have the information that we provide to them.
There are five main steps or processes involved in accessing a system with security in place:
- Identification: the user claims an identity (e.g. a username); the identity is commonly public information, like an email address (e.g. when accessing an email account).
- Authentication: the system asks for proof that the user is who they say they are; this is private, and is where the password (“memorised secret”) is used.
These two steps provide access to a basic system; in more complex systems, however, there are three further steps:
- Authorisation: the system checks whether the authenticated identity has permission to access the resources it is requesting access to.
- Auditing: the system records or logs the various activities taking place in relation to access attempts by users to resources.
- Accounting: the process of reviewing the records or logs for compliance, and holding users accountable for their actions.
The password, therefore, is an ‘authentication’ element, and the most widely used one.
The key things to do to create a good password
There are only really two main parts to choosing a strong password:
- Length: one of the two main variables in password strength; the longer the password, the more difficult it will be to crack. For example, it is estimated that an eight character password made up of upper and lower case letters can be ‘cracked’ in 22 minutes. Simply adding two more characters increases the time to a month.
- Complexity: the other main variable in password strength; adding ‘complexity’ (i.e. letters in lower and upper cases, numbers, and symbols) makes a password more difficult to crack. For example, it is estimated that an eight character password made up of just lower case letters can be cracked in 5 seconds. An eight character password of upper and lower case letters, numbers and symbols would take 8 hours to crack.
Combining length and complexity is usually the best approach. A password of upper and lower case letters, numbers and symbols, but with ten characters rather than eight would take five years to crack.
There’s a handy table at the Hive Systems password page that you can use to estimate how long it would take a computer to crack your password.
The key things to avoid when it comes to passwords
Some of this may be common sense, and repeats guidance that has been around for some time. However, these are still the key points to remember when it comes to good password use:
- Don’t share your password with others. A password is a memorised secret, and it is important to keep it secret for it to do its job properly.
- Don’t use the same password on different systems. It’s important not to use the same password for multiple different accounts or systems; if one is compromised, they can all be (sometimes quite easily) accessed by an attacker.
- Don’t use an obvious password that is very easy to guess. Check the Wikipedia list of the most common passwords to make sure you’re not using any!
- Don’t use information that’s easy for someone else to discover (e.g. on social media), including:
- any part of your name, email address, phone number
- family members or pets names
- place of birth, or favourite places
- words related to your main interests (e.g. favourite sports team)
A further point re: 2 above. It’s really important that you use a different password for your email accounts. If an attacker gets access to your email account, they may be able to find information about various other accounts you have from emails the companies have sent you, and they may be able to use the password reset function to get access to these accounts too.
Creating and maintaining good passwords
Fortunately, there are numerous things that can be done to strengthen passwords, and to maintain and use them securely.
Use a passphrase
A passphrase is a sequence of words used in place of a password; the longer a password is, the better (generally speaking), and given that a passphrase is usually longer (being more than one word), it can improve security.
The NCSC advise using three random words to create a passphrase, and adding numbers and symbols if needed or desired, for example ‘3redhousemonkeys27!’
There are differing views across the industry on the efficacy of this, much of which is based on the issue that too much ‘complexity’ in a password can lead to the password being written down somewhere. The reality though is that many systems require complexity as part of their password policy, so it makes sense to adopt it.
There are two main elements:
- Use of upper and lower case letters, which can be non-standard capitalisation (and spelling), e.g. ‘stRongsecuRitee’ instead of ‘strongsecurity’; and
- Replacement of letters with special characters and numbers, e.g. ‘stR0ng$ecuR1tee’ instead of ‘strongsecurity’.
Use a password manager
A password manager, which may also be called a ‘credential management system’, is a secure place in which multiple different passwords can be kept. A strong ‘master’ password is used to access the password manager, and all the different accounts (with different passwords) are kept inside.
A password manager, then, is an answer to the question of how users can cope with having loads of different passwords, all of which need to be suitably long and complex.
Some devices (e.g. smartphones) and software (e.g. web browsers) have this type of functionality, and store the various passwords on the device. There are also cloud password managers, which store the passwords on remote servers. Cloud password managers allow the use of the stored details on multiple devices, so are often seen as a more effective approach.
Of course, the important thing with a password manager is that it itself remains secure. Each of the three above use AES 256-bit encryption to encrypt stored passwords; support multi factor authentication to increase the security of access to their platform; and the providers themselves do not have knowledge of your master password.
If you need help with setting up or using a password manager, contact us by phone (01392 435803), email (email@example.com) or both.
Use a password book
The concept of writing down passwords might not initially sound like good advice, and there are risks involved.
However, if using a ‘password manager’ isn’t an option (e.g. an organisation doesn’t allow it, or you just don’t like the sound of it), it is likely to be better to use different passwords for different accounts and systems, and record them in a password book, than it is to use the same password across all accounts and systems.
Providing the password book is kept secure!
Use Multi Factor Authentication
A password is a type of authentication. Authentication types are called ‘factors’, and there are generally three:
- something you know (e.g. a password);
- something you have (e.g. a key); or
- something you are (e.g. a fingerprint).
An authentication process that uses more than one type is called ‘multi factor authentication’ (MFA).
Security experts generally agree that passwords are the weakest form of authentication. The main issue is that, where a system uses only a username and password to manage access, if the password is compromised it’s possible an attacker could get access to the whole system.
With MFA, the attacker not only needs to compromise the password, but also needs to provide whatever additional factor(s) the system requires before access is provided.
MFA solutions often use a smartphone app that authenticates the user separately before signalling to the other system to proceed with its authentication. The attacker would therefore need access to the smartphone, and be able to perform the authentication steps on the phone, as well as provide the password to the system.
If you need help with MFA, contact us by phone (01392 435803), email (firstname.lastname@example.org) or both.
Reconsider expiring passwords
In an organisation or on certain systems, this is where a password policy is in place that expires a password after a period of time (e.g. 30 days), requiring a user to choose a different one. This isn’t necessarily considered good practice any more, as the NCSC point out in their password policy guidance, because:
- the new password is often only a slight variation of the old one (e.g. incrementing a number by 1 each time it changes);
- when a password is compromised, it is usually exploited very quickly (so changing it a few days later may not achieve anything); and
- an attacker could have accessed an account but be ‘dormant’; it is likely in this case that they would observe the password change and still have access afterwards.
Passwords should, of course, be changed if there’s a suspicion they’ve been compromised. It is more beneficial to focus on that process, than on forcing expiry of passwords at regular intervals.
There are various different ways that passwords can be found by attackers, including:
- Social engineering: the process of tricking someone into divulging their password, commonly using a ‘phishing’ attack. It’s unusual for there to be a legitimate reason for you to reveal your entire password to anybody else.
- Data breaches: often very large data breaches result in millions of passwords being made available to attackers, and where someone has used the same password in multiple systems, it creates multiple vulnerabilities. You can check whether your account(s) has been compromised in a data breach at the ‘have I been pwned’ site: https://haveibeenpwned.com/
- Intercepting: this is where an attacker obtains a password during transmission across a network (i.e. during the login process) or where an attacker installs a ‘keylogger’ (software or hardware devices that collect passwords as they are entered by a user). Using secure services (e.g. checking the ‘padlock’ in the browser) and networks (e.g. taking care when using public Wi-Fi) helps to limit the scope for an attacker to steal your password in transit. Maintaining good physical security helps to prevent attackers having the access they need to install a keylogger device.
- Visual theft: an attacker observes the password, using ‘shoulder surfing’ (where the attacker watches someone entering their password and notes the keystrokes) or discovering poorly stored passwords (e.g. notes left next to a computer). Be aware of anyone close to you, particularly in public spaces, and keep any records of your passwords secure.
- Guessing: there are also various ways of obtaining a password through guesswork and ‘trial and error’, including:
- password spraying: the attacker enters (a relatively small number) passwords that are commonly used to see if any of them work;
- educated guessing: an attacker can collect (e.g. from websites and social networks) items of information (such as your name, date of birth, children’s names etc.) and create passwords to try using variations of this data; and
- brute force: the use of automated tools to attempt the use of large numbers of passwords until the correct one is found.
Following the steps in this guide will help to make these techniques more difficult and less successful for attackers and keep your data and devices secure.
What should I do if one of my accounts has been hacked?
If you suspect that one of your accounts has been attacked or breached by a cyber-criminal (for example, because settings have been changed or the provider has sent alerts advising of access attempts at unusual times or from unusual locations), the following steps will help you protect your other accounts and recover the attacked account.
- Contact IT support. Explain the basic details of the issue and ask for immediate assistance. If you use Think IT, contact us by phone (01392 435803), email (email@example.com) or both.
- Contact the service or account provider. Attempt to access your account through the service provider’s main website (avoiding using anything that the attacker may have tampered with, like shortcuts or bookmarks). If you cannot access your account, search their website for “account recovery” or “account hacked” instructions. If you’re unable to locate anything, use a Google or Bing search.
- Check your email account. When an email account is compromised, it is common for the attacker to set up rules to forward email to a different account. Again, search the service provider website or Google or Bing for information on how to check for rules, and how to remove them.
- Update your devices. Check that your devices are up to date with patches and fixes from software vendors. An attacker may attempt to compromise more of your systems using vulnerabilities that the vendors have developed patches for.
- Change passwords. How widely this is done depends on the extent of the attack, however as a minimum the passwords for all accounts of the affected users should be changed, and administrator and other system accounts should also. You need to check your email account first (step 3) to make sure any password change emails don’t get forwarded to the attacker.
- Set up a password manager. See above for more information. This makes it much easier to manage different, long and complex passwords for each service and account.
- Add multi-factor authentication (MFA). See above for more information. This makes it much more difficult for an attacker to guess your password.
- Advise your contacts. If the account that has been hacked has other people’s details (e.g. an email account or social media account), you should let them know your account has been compromised. Often hacked accounts are used to send messages to other accounts, and notifying your contacts will help them to spot communications that aren’t actually from you.
- Contact law enforcement. Call Action Fraud (0300 123 2040 or https://www.actionfraud.police.uk/) without delay, and optionally also inform local Police (in some cases, support may be available).
- Scan devices for malware. Cyber-attacks are criminal acts, and as a precaution it is sensible to check that the attack, though seemingly focussed on gaining access to one or more of your accounts, has not also attempted to infect your devices with malware.
If you need help with anything in this Insights article, contact us by phone (01392 435803), email (firstname.lastname@example.org) or both.
|AES||or Advanced Encryption Standard is an encryption specification set out by NIST (the US National Institute of Standards and Technology) and has become the industry standard for data security.|
|Attack||means a threat agent that exploits a vulnerability; an attack usually involves an attempt to obtain, alter, destroy or remove assets.|
|Cipher||means an algorithm (or set of steps that a computer will perform) that can be applied to data to encrypt it, or to encrypted data to decrypt it.|
|Compromise||means made vulnerable to Attack.|
|Cracking||means recovering or obtaining passwords from data (often encrypted or secured in some way).|
|Encrypting||or encryption is the process of converting original data (called “plaintext”) into data that cannot easily be read or used (called “ciphertext”) without authorisation (i.e. without having the key).|
|Exploit||occurs when a vulnerability is taken advantage of by an attacker.|
|Key||in cyber security terms is the secret piece of data that, when paired with the cipher, makes the encrypted data secure; without the key, it is very difficult (with strong encryption) to decipher the encrypted data.|
|Strong encryption||is an encryption method using a very large cryptographic key. Larger keys take longer to break. 256 bit encryption is considered strong encryption.|
|Threat agent||is a person (or a process) that exploits a vulnerability. Examples include employees not following procedure, or a hacker.|
|TLS||or Transport Layer Security is a communication protocol allowing communication between a client (e.g. a web browser) and a server (e.g. a web server) to be secured.|
|Vulnerability||is a weakness that allows a threat to compromise it. Examples include a wireless access point with no security, firewall ports open, or no door locks.|