Top Tips On Creating And Managing Passwords

20/08/2018

As we are discussing all things security this month we thought we would tackle the topic of secure passwords. With the increase in password use, mainly down to the surge in online services, it has never been more important to be in control of your password security. Unfortunately, as time has ticked by the need for more complex passwords has increased placing an unrealistic demand on the user. To cope with this IT users are known to re-use passwords across multiple sites and systems along with writing passwords down. You certainly don’t want to be sticking it on a ‘post-it’ and onto your computer screen!

There are many techniques that attackers may use to crack your password. These can include phishing, dictionary attack, brute force attack, rainbow table attack, social engineering, malware, offline cracking and shoulder surfing.

Fear not! We have some handy tips and advice on ensuring your passwords are secure and your SME’s data is kept safe.

Tip One

Change all default passwords!

This can include passwords used on any system or software in particular devices such as routers, wireless access points and firewalls. Make regular checks of system devices and software to make sure any unchanged default passwords have not slipped through the net!

Tip Two

Help staff cope with password overload.

Many users have lots of passwords to remember not just those used for work. Help users by only implementing passwords for systems and services that need to remain secure. To support users, allow passwords to be securely recorded and stored. Storage can be physical, like a secure cabinet, or technical, such as a password management software. Remember though, like any piece of security software, they are not impregnable and can be an attractive target for hackers. Passwords should only need to be changed when there is suspicion that security has been compromised. If so the process of resetting a password should be quick and easy. Users should be discouraged from sharing passwords and where absolutely necessary you should consider alternate access control mechanisms such as presentation of a hardware token, for example an RFID badge.

Tip Three

Understand the limitations of user-generated and machine-generated passwords.

Your SME should have strong enough defences in place so simpler password polices can be used. Keep your users security savvy with good training and encourage them not to use predictable passwords such as important dates and pet names. Discourage users from re-using passwords especially ones they use at home. Their passwords protect some of your SMEs most important assets!

But what is a strong password? A strong password is something that is not easy to guess; it will have a mixture of upper and lower case letters as well as numbers and other symbols. You can make these passwords easy to remember by combining words in a way that means something to you:

A basic password would be something like – england

A better password might be – England66

A strong password might be – England66WorldCup%

There is also the option to use a machine-generated scheme. It is recommended to choose a scheme that creates passwords that are easier to remember and offers users a choice of passwords to enable them to select one they can remember. The main advantage of these schemes is that they can create random passwords. This would mean it would take time to crack using a brute force attack.

If you are having a hard time coming up with a strong password then why not ask a dinosaur? www.dinopass.com is a simple password generation website that will create you a strong password that should be easy to remember.

Tip Four

Prioritise administrator and remote user accounts

It is recommended that extra security protection is given to administrators, remote users and mobile devises. These users may have highly privileged access to your data and could open up a wider threat to the system if compromised. It is advised that administrators should use different passwords for their administrative and non-administrative accounts, no default administrator passwords should be used and regular access is not granted to standard users. To further secure your SME’s data consider using two factor authentication for all remote users.

Tip Five

Use account lockout and protective monitoring

Password systems can be configured to only allow the user a limited number of login attempts before they are locked out of the system. A process of ‘Throttling’ can also be implemented that adds a time delay between successive login attempts. If using a lockout process, it is recommended that users have around 10 login attempts before their account is frozen. To further protect your data, it advised that you use protective monitoring which detects and alerts the presence of abnormal behaviour.

Tip Six

Don’t store passwords as plain text

Passwords should never be stored as plain text, even if stored on a protective system. You can store passwords in a hashed format, produced using a cryptographic function capable of multiple iterations. Files containing these passwords should be protected from unauthorised system or user access. When implementing password solutions be sure to use public standards, such as PBKDF2 which use multiple iterated hashes.

Sources:

https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach

NCI Technologies assumes no responsibility or liability for any errors or omissions in the content of this site. The information contained in this site is provided on an “as is” basis with no guarantees of completeness, accuracy, usefulness or timeliness.

BACK