Cybersecurity Best Practice: Password Management

Recently, the founder of QuadrigaCX, Canada’s largest cryptocurrency exchange, unexpectedly passed away. Being the only person with the password to access an encrypted USB key that served as cold storage for the funds, roughly 115,000 clients were unable to retrieve $190 million in holdings.

While this scenario—which is still playing out—is a rare and somewhat bizarre occurrence, it highlights one of several risks regarding password management and policies among users and organizations. While entrusting the password to only 1 person may seem a secure practice, that doesn’t mean it’s the best practice for organizations holding customer data and/or funds.

Ever since the early days of computing, password management has been one of the most crucial aspects of information security. If passwords happened to fall into the wrong hands, critical data could be compromised, funds stolen, and entire networks put in jeopardy. However, most users view passwords as a necessary nuisance and don’t take password security as seriously as they should.

This installment of our cybersecurity best practice series will look at password management best practices for users and organizations alike.

Dangers of weak passwords

When developing a password, most people choose something easy to remember that meets the bare minimum password requirements—their spouse’s birthday, the name of their pet, a favorite cartoon character, and so on—or simply use an iteration of the same password across multiple accounts. Some even choose the first word they see in front of them. The issue with this practice is that, given a decent amount of time, social engineering tactics, and the right tools, a malicious individual can easily guess them.

For as long as there have been passwords in the digital realm there have been password crackers; these tools are available through open source security suites or even the black market. They can rapidly run through a large set of possible character combinations or commonly used passwords in order to gain access to user accounts.

Simple attack tools include:

  • Dictionary attacks use dictionary words and common passwords
  • Rainbow tables are used to quickly crack hashed passwords
  • Brute force powers through every combination of characters looking to find a match

Weak passwords (i.e., those that consist of common words or phrases that can be associated with the account’s owner) can easily be compromised by hacking tools. Some tools even accept personal data as inputs to narrow down the list of possible passwords.

Not even the strong are safe

So, if you just avoid weak passwords that will keep your accounts safe, right? If only it were that easy. Unfortunately, even strong passwords can be compromised. Certain types of malware known as keyloggers and form grabbers can record keystrokes (some even in video format) or capture entries from a web form and send the acquired information back to the threat actor.

The most effective method modern cybercriminals have at their disposal to ascertain users’ passwords is phishing attacks. They dupe victims into entering their login credentials into malicious online forms and landing pages that closely resemble those of legitimate organizations. Since the email is typically crafted with urgency, noting something along the lines of, “Due to the recent data breach on our system, you need to reset your password,” most victims unwittingly provide the information requested, essentially handing over their credentials to threat actors.

Weak or strong, it may seem like there’s no way to craft a perfect password to secure your information. Fortunately, though, there are ways to use a password while reducing the likelihood of your account being compromised.

Best practice tips for securing passwords

Passwords are oftentimes the first line of defense guarding critical data. Whether or not cybercriminals are using malicious tools and tactics to gain access to your password, there are some simple ways to strengthen the security safeguarding your information. Here are some suggestions:

Avoid weak and overcomplicated passwords

This may seem like a no-brainer. If attackers are going to take advantage of weak passwords, then you must avoid them, right? You can start by staying away from short and overcomplicated passwords. The shorter your password is, the easier it will be to crack. However, overcomplicated passwords consisting of random letters, numbers, and symbols strung together aren’t necessarily more secure and make passwords easy to forget and lead to security shortcuts like writing them down near your desk.

One way to craft a password of reasonable length and still be able to remember it is to use a passphrase instead of just a password. For example, the phrase “The dog is sleeping” is 16 characters but is not difficult to remember. If you can incorporate special characters or numbers into the phrase (i.e., Th3D@g!s51eep!ng), it becomes stronger and still easy to remember.

Avoid using information that can be associated with the user

As previously mentioned, some password hacking tools accept a target’s personal information (i.e., your birthday, anniversary, name, pet’s name, etc.) to narrow down the list of potential passwords for that target. Because these pieces of information can be obtained from social media or other social engineering attacks, it would be best to avoid them.

Never share accounts and passwords with other users

To save money some organizations have the tendency to share accounts and passwords across multiple users. This can be a big problem because if an employee leaves the company they can still easily access the account from another device. Additionally, for regulated industries, password sharing is considered a violation in data security and privacy regulations.

Don’t reuse passwords

There’s a password associated with every account you have—email, social media platforms, bank accounts, retail sites, medical portals, etc. All these accounts require login credentials.

To simplify and keep track of multiple login credentials, people often use the same password repeatedly. The problem with this practice is that if one of these accounts is compromised in a data breach, all the users other accounts become vulnerable as well. Following the LinkedIn breach many affected users saw additional account theft because they had used their LinkedIn passwords across multiple services.

Use password managers

One way to encourage users to adhere to password policies without giving them undue stress is by employing a password manager. Services such as LastPass, Keychain Access, and 1Password allow users to maintain several different passwords (all long and strong) for each account and only need to remember 1 master password.

Reinforce passwords with 2-factor authentication

These days, passwords alone are usually not strong enough security. Companies like Google, Facebook, and even online banks now employ 2-factor or multi-factor authentication. To make your accounts more resistant to masquerade, brute force, and dictionary attacks, as well as keyloggers, form grabbers, and phishing emails, you should combine password security with another authentication factor like an SMS message, a private key, a token, or a one-time password. That way, if someone gets a hold of your password they still won’t be able to log in to your account.

For the past 5 years, the top 2 most commonly used passwords have been “12345” and “password.” As you can probably guess, these are weak and likely lead many cybercriminals to gold mines.

A strong password or policy should certainly not be your only security measure against threat actors. However, as previously mentioned, it’s often the first line of defense and often the most trivial to circumvent. Creating strong passwords that can be recalled or decent ones that can be combined with multi-factor authentication will help keep your data and other assets out of the wrong hands.

Stay tuned as we continue our cybersecurity best practices series to help your organization build a stronger cybersecurity posture.

Resource Center

More security resources at your fingertips.

Practical Content for Security, DevOps, & IT Professionals