January 30, 2019
Data breaches, big hacks and the data theft that follows are not news any more, yet we continue to see breaches making the headlines almost daily, so naturally we’re all becoming more and more concerned about data security.
Individually, many people now understand the importance of a strong password, but it is perhaps less well understood that weak passwords within a commercial organisation pose a significant risk to corporate data. Here’s why.
Has your email/password been exposed in a data breach?
Firstly, you can easily check whether any of your accounts has been compromised in a data breach. If one has, and if you use the same password at home and at work, this could pose a serious security threat.
The ease of exploiting weak passwords
For a hacker, exploiting weak passwords is a bread-and-butter first step to gaining a foothold on a corporate network, from which they can then probe further for more exploitable weaknesses.
The password-cracking capabilities of a hacker are considerable! What is concerning is that trying to exploit weak or common-combination passwords is frequently successful (at least for our own ethical hackers performing a penetration test).
Not only would a hacker test common ‘weak’ password combinations (e.g. Password123; admin; 123456 etc.), they would certainly also use lists of leaked username/password pairs, as well as packet sniffing to capture encrypted authentication requests, which can then be run through a list of known encrypted passwords (containing 10 billion+ entries).
Strong password tips
We’ve all read (or should have read) the advice on what constitutes a strong password and the policy recommendations that go with it, but in reality, how can you easily remember a complex and (semi-)unique password?
Here’s a simple way to create a strong and memorable password
This simple secret, employed by many IT professionals, breaks down the art of creating a strong, (semi-)unique password – and importantly, one you can always easily remember.
> First off – never use a word found in a dictionary (or a combination of dictionary words)
Why? Besides what’s known as a “brute-force” attack, hackers can first try common password combinations (e.g. password01, Password123, Password1! etc.). And even if an account is locked after 6 or 7 attempts, this still provides a significant opportunity to crack passwords across multiple corporate accounts.
And if there is no account lockout, why not upload an entire “dictionary” of words and phrases that are known to be commonly used – hundreds of thousands of entries contained in a text file.
So, we avoid anything that could be found in a dictionary, but how do you find something you can also easily remember – without the need of an Enigma machine to help you?
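The defender’s counterpart to those leaked-password lists, as an added example (not part of the article and not Comtact’s code): screening a proposed password against a leaked-password corpus at set or change time, which is how password-policy tooling blocks the common combinations named above. The sample corpus is constructed from the article’s own examples of common passwords with made-up counts; the prefix-range lookup mirrors the widely used k-anonymity approach of sharing only the first five hex characters of the SHA-1 hash, and it is an assumption here about how a real corpus would be served.

```python
import hashlib

# Constructed sample corpus standing in for a leaked-password list. Real lists
# hold billions of entries; breach corpora are commonly distributed as SHA-1
# hex digests with an occurrence count rather than as plaintext, which is the
# form used here. The plaintexts are the article's own examples of common
# passwords; the counts are made up.
_SAMPLE = {"password01": 5000, "Password123": 3200, "Password1!": 900, "123456": 99999}


def sha1_hex(password):
    """Upper-case hex SHA-1 of the UTF-8 password, the key used by hash-based
    leaked-password corpora (SHA-1 is acceptable here: it is an index into the
    corpus, not a protection for the password)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


LEAKED_HASHES = {sha1_hex(p): n for p, n in _SAMPLE.items()}


def range_lookup(prefix):
    """Stand-in for a k-anonymity range query: given the first five hex
    characters of a hash, return every (suffix, count) in the corpus sharing
    that prefix. In a real deployment this part is served remotely; the full
    password, and even its full hash, never leave the client."""
    prefix = prefix.upper()
    return [(h[5:], n) for h, n in LEAKED_HASHES.items() if h.startswith(prefix)]


def breach_count(password):
    """Number of times the password appears in the corpus (0 if not found).
    Only the 5-character prefix is 'sent'; the suffix match happens locally."""
    digest = sha1_hex(password)
    for suffix, count in range_lookup(digest[:5]):
        if suffix == digest[5:]:
            return count
    return 0


def screen_new_password(password, min_length=12):
    """Screen a proposed password at set/change time: reject anything found in
    the leaked corpus, and anything too short to resist offline guessing.
    Returns a list of reasons for rejection; an empty list means accepted."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    count = breach_count(password)
    if count:
        reasons.append(f"found {count} times in a leaked-password corpus")
    return reasons


if __name__ == "__main__":
    for candidate in ("Password123", "123456", "LhNlEtOyM7791@AZ"):
        print(candidate, "->", screen_new_password(candidate) or "accepted")
```

The screening check complements account lockout rather than replacing it: lockout slows online guessing against one account, while the corpus check stops users choosing the very passwords that a guessing list would try first, whether or not a lockout is in place.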
1. Start with a memorable song, quote or phrase
Let’s take a well-known quote for the sake of an example: “Life has no limitation, except the ones you make”. Now take the first letter of each word from your favourite song or quote.
The first letters of each word are: LHNLETOYM
This is a nonsense string rather than a dictionary word, so it makes a great start for a password – and you can easily remember it.
2. Add uppercase and lowercase letters
It can be improved further by alternating upper- and lower-case letters.
Again, this is simple to do and even to work out in your head if necessary: LhNlEtOyM
3. The next step is to add numbers
A year of birth is commonly used. Here, reverse your year of birth (1977 becomes 7791) and put it at either the start or the end of the password: 7791LhNlEtOyM OR LhNlEtOyM7791
As it stands, this is a pretty good password: a mixture of letters and numbers, with upper- and lower-case characters thrown in too. But it doesn’t stop there.
4. Make it semi-unique by adding ‘special’ characters for different accounts
The last step is to add ‘special’ characters and to customise the password for different uses/websites/applications, because you shouldn’t re-use the same password for different accounts.
Password re-use is rife, and it makes it easy for whoever obtains one of your passwords to compromise all of your other accounts.
It doesn’t have to be a radical re-think for each account – simply inserting an @ sign plus an abbreviation denoting the website in question makes each password semi-unique.
So for Amazon, the password would become: LhNlEtOyM7791@AZ
For eBay, the password would become: LhNlEtOyM7791@EB
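The four steps above as one runnable added example (not the article’s own code): it derives the article’s LhNlEtOyM7791@AZ and LhNlEtOyM7791@EB from the quote, a year of birth and a site tag, and counts the character classes the result uses. The year 1977 is an assumption, since the article shows only its reversed form, 7791.

```python
import re

# Constructed sample inputs: the article's quote, and 1977 as the year of birth
# (assumed; the article shows only its reversed form, 7791).
PHRASE = "Life has no limitation, except the ones you make"
YEAR_OF_BIRTH = 1977


def initials(phrase):
    """Step 1: the first letter of each word, upper-cased. Punctuation is
    ignored, so the comma in the sample quote does not produce a letter."""
    return "".join(word[0] for word in re.findall(r"[A-Za-z]+", phrase)).upper()


def alternate_case(letters):
    """Step 2: alternate upper and lower case, starting with upper."""
    return "".join(
        ch.upper() if i % 2 == 0 else ch.lower() for i, ch in enumerate(letters)
    )


def reversed_year(year):
    """Step 3: the year of birth with its digits reversed (1977 -> 7791)."""
    return str(year)[::-1]


def derive(phrase, year, site_tag, year_first=False):
    """Steps 1 to 4 together: the core is the alternating-case initials plus
    the reversed year (at the start or the end), followed by '@' and a
    per-site abbreviation."""
    core = alternate_case(initials(phrase))
    digits = reversed_year(year)
    with_year = digits + core if year_first else core + digits
    return f"{with_year}@{site_tag}"


def character_classes(password):
    """How many of the four classes (upper, lower, digit, other) the password
    uses; the article's result uses all four."""
    checks = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)


if __name__ == "__main__":
    for site in ("AZ", "EB"):
        pw = derive(PHRASE, YEAR_OF_BIRTH, site)
        print(site, pw, "classes:", character_classes(pw), "length:", len(pw))
```

The “semi-unique” wording is the honest part of the scheme: every account shares the same core, so a leak of one derived password reveals the pattern, and a site abbreviation is easy to guess. Where a password manager is available, a randomly generated per-site password avoids the shared core, and the mnemonic scheme is best kept for the few passwords you must type from memory.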
So there you go – a very strong password which you can work out with relative ease!
Now, the only dilemma is which song to choose next when you need to change it. We’d recommend changing it every 3-6 months.
We all understand the importance of a strong password. It’s the first line of defence in your organisation’s security, and should be taken as seriously as shielding your PIN at a cashpoint.
The importance of an on-going Cyber Security Programme
Regular penetration testing, sophisticated social engineering and in-depth user awareness training are all crucial parts of an on-going cyber security assessment programme. Together, they’ll expose any weak links in your security defences, whether they be passwords, unpatched systems, misconfigured hardware or more.
Not only do you learn of your critical vulnerabilities, you can also create actionable steps to make a real difference to your cyber security posture.
About Comtact Ltd.
Comtact Ltd. is a government-approved Cyber Security and IT Managed Service Provider, supporting clients 24/7 from our ISO27001-accredited UK Security Operations Centre (SOC).
Located at the heart of a high security, controlled-access Tier 3 data centre, Comtact’s state-of-the-art UK Cyber Defence Centre (SOC) targets, hunts & disrupts hacker behaviour, as part of a multi-layered security defence, to help secure some of the UK’s leading organisations.