Strong Password Security

The Do’s and Don’ts of Password Security

Strong passwords are just good common sense, like locking the doors when you leave the house. Secure password management is the electronic equivalent of not leaving your key under the mat.

The following excerpt from a BBC broadcast transcript reveals the extent of the potential threat posed by weak password security.

From Spencer Kelly's interview of Gary McKinnon, a British hacker arrested by the UK's national high-tech crime unit and accused of hacking into NASA and US military networks

Spencer Kelly (SK): Here's your list of charges: you hacked into the Army, the Navy, the Air Force, the Department of Defense, and NASA, amongst other things… How did you go about trying to find the stuff you were looking for in NASA, in the Department of Defense?

Gary McKinnon (GM): Unlike the press would have you believe, it wasn't very clever. I searched for blank passwords, I wrote a tiny Perl script that tied together other people's programs that search for blank passwords, so you could scan 65,000 machines in just over eight minutes.

SK: So you're saying that you found computers which had a high-ranking status, administrator status, which hadn't had their passwords set — they were still set to default?

GM: Yes, precisely… there were no lines of defense. There was a permanent tenancy of foreign hackers. You could run a command when you were on the machine that showed connections from all over the world, check the IP address to see if it was another military base or whatever, and it wasn't.

The General Accounting Office in America has again published another damning report saying that federal security is very, very poor.

SK: Over what kind of period were you hacking into these computers? Was it a one-time only, or for the course of a week?

GM: Oh no, it was a couple of years.

SK: And you went unnoticed for a couple of years?

GM: Oh yes.

This dramatic example of compromised national security illustrates the vulnerability of online data and the importance of protecting sensitive information with strong passwords. The stakes are high: homeland security, intellectual property, and our very identities are at risk. According to a recent survey conducted by Consumer Reports National Research Center, more than half of US adults have 6 or more online accounts protected by passwords. The same survey revealed that many of those passwords fail to meet basic standards for a strong password.

  • Four elements of strong passwords: Length, Complexity, Variation, Variety.
  • Secure password storage is as important as password strength.

Password Do’s and Don’ts

Microsoft identifies four primary indicators of the strength of a password: length, complexity, variation and variety.

  • Length. Include at least 8 characters in passwords. "Longer, stronger" is a good rule of thumb. According to Consumer Reports, 29% of people surveyed use 7 characters or less in their passwords.
  • Complexity. Combine upper and lower case letters, symbols, punctuation, and numbers. Use characters from all over the keyboard, not just those most commonly used.
  • Variation. Change passwords on a regular basis. Set automatic reminders to ensure that new passwords for email, banking, and credit cards are created approximately every 3 months.
  • Variety. Use different passwords for every online account. Passwords should be unique. Consumer Reports found that 20% of people surveyed used the same password for 5+ accounts.

Experts specifically advise against the following common password practices:

  • Don't include personal information, e.g., real name, user name, company name, email address, child's name, birthday, drivers license number, or any favorites that could be found on a social networking site. (32% of people surveyed by Consumer Reports used personal information in their passwords.)
  • Don't use words from the dictionary (any language).
  • Don't spell words backward, abbreviate, or use common misspellings.
  • Don't make the first character the password's only upper-case letter.
  • Don't use sequences like 12345678, repeated characters like 555555555, or adjacent keys on the keyboard like qwerty.
  • Don't change passwords only slightly from previous passwords (password1, password2, password3).
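As an added illustration (not code from the original guide), the following Python checker encodes the length, complexity, pattern, case and variation rules from the two lists above, plus the personal-information rule, so that a weak candidate can be rejected at registration time. The keyboard rows, the three-class complexity threshold, the four-character run length and all sample inputs are my own assumptions; the dictionary-word rule is left out because it needs a word list.

```python
import re
import string

# Constructed US-QWERTY rows for the "adjacent keys" rule (assumption).
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def _has_run(value: str, length: int = 4) -> bool:
    """True if any window of `length` chars is one repeated character
    (555555555), a straight or reversed sequence (12345678, 4321) or a
    keyboard-row fragment (qwerty)."""
    v = value.lower()
    seqs = KEYBOARD_ROWS + (string.ascii_lowercase, string.digits)
    for i in range(len(v) - length + 1):
        chunk = v[i:i + length]
        if len(set(chunk)) == 1:
            return True
        if any(chunk in s or chunk in s[::-1] for s in seqs):
            return True
    return False


def _is_slight_variation(new: str, old: str) -> bool:
    """True if `new` equals `old` apart from case or a changed trailing
    run of digits/symbols (password1 -> password2)."""
    def core(s: str) -> str:
        return re.sub(r"[\d\W_]+$", "", s.lower())
    return core(new) != "" and core(new) == core(old)


def check_password(pw: str, personal: tuple = (), previous: tuple = (),
                   min_len: int = 8) -> list:
    """Return the list of rules the candidate breaks (empty = accepted)."""
    problems = []
    if len(pw) < min_len:
        problems.append("length: fewer than %d characters" % min_len)
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw),
               any(c in string.punctuation for c in pw)]
    if sum(classes) < 3:
        problems.append("complexity: use upper, lower, digits and symbols")
    for item in personal:  # real name, user name, company, birthday, ...
        if len(item) >= 3 and item.lower() in pw.lower():
            problems.append("personal information: contains %r" % item)
    if _has_run(pw):
        problems.append("pattern: sequence, repeated or adjacent keys")
    if [i for i, c in enumerate(pw) if c.isupper()] == [0]:
        problems.append("case: only upper-case letter is the first one")
    if any(_is_slight_variation(pw, old) for old in previous):
        problems.append("variation: too close to a previous password")
    return problems
```

The two sample passwords from the tips below this list pass the checker, while `password1`, `Password2` after `Password1`, and `Qwerty123!` are rejected with the matching reason.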

Tips for Creating Strong Passwords

  • Start with a sentence or phrase that is hard to guess but easy to remember. Remove the spaces. Experiment with abbreviating words, misspelling them in unusual ways, or using only the first letter from each word. Add meaningful numbers and symbols. Change case of letters randomly.
    • Example: from “Longer passwords are stronger” to 1LngP=strgp!l
    • Example: from “I am happy to be secure” to iam:)2Bcqr
    • Use the keyboard to create shapes – like a V, W or triangle that you can move over when you need to change passwords

Use a password checker to verify the strength of your password. The URL for Microsoft's password checker is https://www.microsoft.com/security/pc-security/password-checker.aspx.

Password Storage

The following storage practices should be avoided.

  • keeping a written list of passwords in a phone book, laptop bag, desk drawer, under keyboard, under your calendar, in the freezer, or taped to the bottom of your laptop
  • saving passwords in an unencrypted/unprotected file on your laptop or PDA
  • saving passwords in a file titled "Passwords"
  • saving passwords on your phone (our in-house team was able to decipher a simple 4-digit weak password on a smartphone in just 15 minutes)

An encrypted flash drive is a secure password storage option many people use. There are also many password management services and applications available for a small monthly fee or for free.

Issues to keep in mind as you consider password management tools are whether the product includes a password generator tool, whether the product works across multiple browsers and syncs across multiple PCs, and whether passwords are accessible through the Internet/smartphones.

USA's Director of Computer Forensics, Jesus F. Peña, CCFT-Advanced, says, "On the corporate front, strong password policies are key to protecting company assets. These password policies should be deployed and enforced by the network operating systems, and weak credentials should be impossible for a user to register. Password strength policies are core audit points in any IT vulnerability assessment." Peña has provided computer forensic services and support to such federal agencies as the Federal Trade Commission and the Federal Bureau of Investigation. He has also served as an expert witness in the areas of computer forensics, firewall forensics, and LAN/WAN security in various jurisdictions.

On the personal front, the increase in identity theft and fraud over the past decade makes strong passwords just good common sense, like locking the doors when you leave the house. Secure password management is the electronic equivalent of not leaving your key under the mat.

About U.S. Security Associates

U.S. Security Associates (USA) is one of North America's largest security companies, with 160 locally-responsive offices providing premier national security services and global consulting and investigations to customers in a range of industries. Recognized for world class customer service, leading-edge technology, and an enterprise approach to risk management, USA offers optimized security solutions to meet specific customer needs. USA is committed to building quality security and risk management programs that are Safe. Secure. Friendly.® The Securing Knowledge series is part of the extensive and growing library of reference and training tools that contribute to USA's award-winning customer service and benchmark security programs. USA's investment in training and development resources is reflected not only by BEST Awards from the American Society for Training & Development, consistent ranking on the Training magazine Top 125, and technology-driven quality management system, but also by the company's leadership team, security officers, and service excellence on a daily basis.
©2017 U.S. Security Associates