May 2023 – CPST: Safe Password Practices
Created by: Thom Way – IT Support/ Cyber Security Intern
Why are Password Practices Important?
As all of you are aware, passwords are the most basic form of security we have in our arsenal. However, the way passwords are created and employed to protect information is often a weak point.
Passwords work the same way locks do in the physical world. Oftentimes a simple padlock is enough to protect most everyday valuables you have, because the effort a would-be thief must put in to steal the item is greater than the value of the object. High-value items need more security: think of banks and armored cars holding and transporting valuables. These higher-value targets need more deterrents to make the cost of even trying to steal from them too high to justify. Why should passwords be any different?
What are Bad Password Practices?
Password Overuse
The struggle most people face when creating and using passwords is striking a balance between security and usability. A secure password is no good if the user can’t remember it, but if the password is too easy to remember then it is also easier to guess. The solution most people come up with is using one semi-complex password for everything. This is a VERY high-risk strategy: it makes the password difficult to guess while making the prize all or nothing. This strategy should not be used, especially if the same password is also used for personal accounts, as that just leads to more potential breaches in security.
Password Storage
When most people think of storing passwords, two things come to mind: post-it notes and password storage software. Each of these methods has advantages and disadvantages, and each CAN be used if security concerns are taken into consideration.
Physical storage of passwords has been done forever; it’s simple and efficient to have a hard-to-remember phrase written down to ease the burden of remembering such a sparsely used item. The advantage of physical password storage is in the name: it is physical, meaning it is completely disconnected from cyberspace, which prevents leaks or hacks from taking place. The problem with physical password storage comes from the incorrect storage of physical notes. Passwords that are written down can get lost in files, have pictures taken of them, be left in one place and be inaccessible in another, or be seen by anyone who decides to take a slightly closer look at your desk. To be used safely, physical passwords require physical security: place them in a lock box, in a wallet, or in any other form of personal document system that is inaccessible to anyone but you.
Password storage software has become popular in recent years due to the need for higher security online. The main advantages of this software are the ability to be accessed anywhere and the ability to store hundreds of complex passwords. Password software is very useful when it can be TRUSTED. The main problem with this software is twofold. The first problem is that the software is online, making it subject to online attacks trying to steal passwords for profit. The second problem is the human factor. Referring back to the overuse of semi-complex passwords, most people have a “universal” password used for general use; if that general password is also used for the password software, a leak of it from some other website exposes every password stored in the software’s database.
Password Sharing
Many passwords are used by many people all over the office: passwords like the Wi-Fi password, domain logins, etc. This leads to the mindset that sharing usernames and passwords is “No Big Deal”. This is a false mindset; usernames and passwords should never be shared with anyone unless expressly requested for an exact purpose by a known and trusted individual. This is as much for individual protection as for company protection, since the use of a specific username and password for nefarious or damaging deeds can be traced back to the original user of the account.
How Should Passwords Be Used?
1. Don’t Overuse Passwords
When creating a password, make sure it is made for that purpose. Never use the same password twice when it can be avoided.
If you need to use a password more than once, keep its use limited to a select group of systems.
Non-vital systems should never share passwords with critical systems. You wouldn’t use the same key to open the door to a bank’s restroom and the main vault, so why do the same thing with passwords?
2. Store Passwords Safely
With all the passwords you have, it’ll be a pain to remember all of them. Save yourself the hassle without compromising security and store them somewhere safe.
Whether online or on paper, your passwords are expected to be secure at all times. For online software, this means picking a trusted company and having a strong password for the software itself; the strongest of walls means nothing if the gate is left open. As for physical passwords, take the time to keep them secure by finding a place that is only accessible to you, cannot be seen without your consent and, if necessary, can be moved with you from location to location.
3. Don’t Share Passwords
Passwords are private things until they aren’t; once a password is compromised it becomes a race to fix the issue. The phrase “loose lips sink ships” was created to prevent cargo ships from being sunk by lurking wolfpacks of U-boats. For us, the U-boats are scammers and those participating in corporate espionage. The phrase “loose lips can cost us millions of dollars” is more accurate. (It doesn’t have the same ring to it though, does it?)
Keep our corporate ship from being sunk by keeping your passwords to yourself. If someone needs a password, they should already have it. Only give passwords out to individuals you know and trust, and be sure to notify someone that this person now has this password.
4. Don’t Simplify Passwords
Passwords should be relatively complex.
Be sure to avoid spelling actual words or common phrases with normal letters. Use characters such as ( !, @, #, $, %, *, ? ) in place of letters. Include numbers as well. The less it looks like English the better.
5. Use the Proper Level of Force
Do houses have 15-meter stone walls with guard towers and iron gates? No. Why is that? Because you’re not expecting to be besieged by an invading army. Do you use a claw hammer to break down a wall? No, you use a sledgehammer. The point here is that there is a proper level of force to be used when creating a password.
Not every password needs to be 20 characters long and written in three different languages. Creating strong and well-thought-out passwords takes time; don’t waste yours by making all passwords the same level of complexity. Identify what level of security is needed for the password and fit the level of complexity to it.
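The two points above (avoid spelling real words with normal letters, use symbols and digits, and match complexity to how critical the system is) can be turned into a policy check. The script below is an added example written for this memo, not a tool the company uses: the three tiers, their length and character thresholds, and the small word list are constructed assumptions standing in for a real policy and a real dictionary or breached-password list.

```python
import re
import string

# Assumed tiers (example values, not company policy): the memo says to fit
# complexity to how critical the system is, so each tier gets its own thresholds.
TIER_ORDER = ["non-vital", "standard", "critical"]
TIERS = {
    "non-vital": {"min_length": 10, "min_symbols": 1, "min_digits": 1},
    "standard":  {"min_length": 14, "min_symbols": 2, "min_digits": 2},
    "critical":  {"min_length": 20, "min_symbols": 3, "min_digits": 3},
}

# Symbols named in the memo plus the rest of the ASCII punctuation set.
SYMBOLS = set("!@#$%*?") | set(string.punctuation)

# Constructed mini word list; a real check would use a dictionary and a
# list of passwords already seen in breaches.
COMMON_WORDS = {"password", "welcome", "summer", "company", "letmein",
                "admin", "qwerty", "iloveyou", "changeme", "opensesame"}


def words_spelled_plainly(pw, words=COMMON_WORDS):
    """Return the common words that appear in pw spelled with normal letters.

    Only the letters are kept, so 'summer' is caught but 's#mm3r' is not:
    the symbol/digit substitutions the memo recommends break the match.
    """
    letters = re.sub(r"[^a-z]", "", pw.lower())
    return sorted(w for w in words if len(w) >= 4 and w in letters)


def check_password(pw, tier):
    """Return a list of policy problems for pw at the given tier (empty = OK)."""
    rules = TIERS[tier]
    problems = []
    if len(pw) < rules["min_length"]:
        problems.append(f"too short: {len(pw)} < {rules['min_length']} for {tier} systems")
    n_symbols = sum(c in SYMBOLS for c in pw)
    if n_symbols < rules["min_symbols"]:
        problems.append(f"needs at least {rules['min_symbols']} symbol(s), has {n_symbols}")
    n_digits = sum(c.isdigit() for c in pw)
    if n_digits < rules["min_digits"]:
        problems.append(f"needs at least {rules['min_digits']} digit(s), has {n_digits}")
    found = words_spelled_plainly(pw)
    if found:
        problems.append("spells common word(s) with normal letters: " + ", ".join(found))
    return problems


def highest_tier_allowed(pw):
    """Most critical tier whose rules pw satisfies, or None if it fails even non-vital."""
    allowed = None
    for tier in TIER_ORDER:          # tiers are ordered from weakest to strictest
        if check_password(pw, tier):
            break
        allowed = tier
    return allowed


if __name__ == "__main__":
    # Constructed sample passwords for illustration.
    for candidate in ["Welcome1", "Summer2023!", "Tr@vel-Mug#7z90", "S#mm3r-Br33z3-0utlook!"]:
        tier = highest_tier_allowed(candidate)
        print(f"{candidate!r}: usable up to tier {tier}")
        for problem in check_password(candidate, "critical"):
            print("   critical tier:", problem)
```

Run it as a script to see each sample graded; the interesting part is that the same password is acceptable for a non-vital system and rejected for a critical one, which is exactly the "proper level of force" idea, and that the word check catches "Summer2023!" but not "S#mm3r" because the letters-only view no longer contains a dictionary word.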
6. Update Passwords
When locks get rusty and weak, people don’t just shrug and keep them; they replace the lock with a shiny new one. Passwords are no different. The environment around cybersecurity is always evolving in a never-ending battle between attack and defense, which makes passwords that were great a few years ago obsolete and dated.
The only way to combat this virtual rust is to use a new lock. Creating unique passwords frequently will help ensure that if a password is leaked along with old data, it does not lead to a breach. Passwords that are used daily are recommended to be changed monthly. Lesser-used passwords should be changed every three months or so.
Passwords are important tools in the protection of data, don’t let them get rusty and fall apart on you!
Thank you,
Tamara Lauterbach
Information Security Officer