CURRENT ARTICLE:  Embrace a Powerful Password Paradigm
NEXT ARTICLE:   Ten Steps to China SEO Success

Embrace a Powerful Password Paradigm

S.R. Schroeder // Last Updated: 07 October 2021

Greetings! Nearly everything we need to secure includes some password protection, so it’s critical to get it right.

It’s especially true in the workplace, where a simple password can be the only thing standing in the way of malicious hackers and your company’s valuable data.

Now, everyone knows this, right? Well, if all the preventable hacks across the net at companies big and small caused by password breaches are any indication, we think not everyone takes it seriously enough. 

There is a lot of detrimental, procrastinating reasoning like “why would anyone want to hack my account, no one cares about little old me.” or “how could they crack my password, when they only get three tries?”

We’ll point out all the holes in these reasonings here today and show you how without too much effort (we’ll actually make your life easier and safer!) you can get it right.

 

 

Alright let’s start at the top with point #1:

  1. Password manager. Both as an individual you need to use one and companies should absolutely use them as well. Why?
    • Enables using many more unique and stronger passwords than you can remember
    • Enables sharing needed passwords among teams in case someone goes missing. This is important in your personal life as well, consider a family account so critical information can be accessed in case of an emergency or someone’s untimely demise.
    • Qualities of a good password manager:
      • Account management: rights, groups, access levels, access logging
      • Different entry types: i.e., secure notes or browser-based logins
      • Encrypts stored passwords and backs them up well
      • From a reputable group, you’re giving them a lot of trust
    • Don’t Forget!
      • Make that main login to the password manager extra secure and probably write it down somewhere safe, but where it won’t be easily found by others.
      • Consider using multiple password managers in case of failure, as this is now a single access point.
  2. Strong and Unique Passwords. Why?
    • Prevents hacking. Shorter the password, the easier to crack it.
    • Qualities of a strong password
      • Long, not overusing dictionary words or guessable info, using multiple character types
      • Don’t use easy to guess or publicly available info, etc.
    • Qualities of a unique password
      • Different from your other passwords, obviously, but not just by one character like appending a number to the end of it like “mygreatpassword” and then “mygreatpassword2” - not good enough, they need to be emphatically unique
  3. Change Default Usernames like “Admin” or “Root” on devices and services like routers, servers, admin panels for things like website CMS’s. Why?
    • Makes the hackers job that bit extra hard, they have to get the username and the password
  4. Change Default Passwords on things like routers and printers and more.
    Why?
    • Just like the above, many devices ship with default settings, they need to be changed
  5. Don’t Save Passwords to Sensitive Sites or Services in your Browser Why?
    • If someone gets access to your workstation, and opens your browser, they get access to any of these accounts. It makes it too easy
    • This browser storage of your password could be hacked someday, it’s a point of weakness
    • So like we say, it’s ok maybe for not-so-sensitive sites, like a newspaper you’re subscribed to, for example. But don’t do it for anything where payments can occur, financial info is stored, or even your social media, which can be used as a launch point for further attacks against you or others. So nothing of value or potential use as leverage for example, like your email.
  6. Don’t Send Passwords in Clear Text in Emails or Chat apps Why?
    • Hackers who hack yours or the recipient's email or chat application can scan your conversations for such passwords and then whatever account was discussed is hacked.
    • Solution - use a temporary, hidden sharing link system like Bitwarden Share
    • Follow up - when you receive a password - change it to a strong password immediately. So if the communication method used to give it to you is hacked that password the hacker finds is no longer valid.
  7. Change Old Passwords
    • So now you know, and you’ll never make a weak password again, and hopefully you and your company will use a password manager, yay!
    • But don’t be complacent, be thorough and change all those old passwords that aren’t as secure. Remember “a bad apple will spoil the bunch” and your security is only as strong as the weakest link - so get everything updated.

 

Related Points:

A lot of security concerns sit parallel to password usage. Keep these in mind:

  1. Use Multi-factor authentication
    • Don’t let the password do all the work alone, as it’s a single point of failure. Use MFA whenever available (and if not, request it, if it’s an internal company IT service they can try to implement it - contact us as SEIRIM and we can help do it)
  2. Use Security Keys like YubiKey 
    • It’s like a physical MFA solution that needs to be present with your device for access to accounts.
  3. Don’t fall for Phishing attacks
    • The easiest way to hack a password is to trick a user into giving it to you. Don’t click on suspicious links or files (and keep that bar of skepticism of links very high) that lead you somewhere to enter a password or anything similar.
  4. Always Check to Make Sure the Sites you’re Accessing are Secure
    • Check the url carefully where you are entering your login credentials, sites can be and are spoofed
    • Make sure HTTPS is active
    • Make sure no one is looking over your shoulder
  5. Sign out of sensitive sites when done using them
    • Don’t just close the browser so it’s easy for you to already be logged in when you re-open that website - you make it easy for the hacker as well.
    • Physically hit the “Log out” button to cancel out this session. This also invalidates the session keys that were active up until that point a hacker could use to spoof you
  6. If Asked for Security Questions
    • Power up your Password Manager, and make your answers to the questions ones more complex than just a simple answer that someone could research and figure out from public information about you.
    • Basically make your answers like extra passwords themselves. For example, if your mother’s maiden name is “Smith”, answer “Smith$%@K” and store the answers in your manager.  
  7. Don’t Forget about your Mobile Devices
    • It’s an attack vector that may already be “signed in” to many important services
    • Be wary of suspicious applications, delete any unused apps, sign out of sensitive sites and apps when you can, and make sure your device is always locked.
    • You can also add another locked layer for access to sensitive apps, for example on iPhone and Android or another Android instructional here
  8. Use a VPN, especially on Insecure Networks like WiFi in a Public Space
    • Use a trustworthy provider, and your connection will be guarded by an extra tunnel layer
    • This is important because wifi access points can be spoofed by hackers, and they can do man in the middle attacks to steal your login credentials
  9. Do not ‘Overly’ use Single Sign On (SSO) options
    • Many services give you the option to sign in via your Google, LinkedIn, Twitter, Facebook accounts or similar. We think it’s best to avoid granting such access far and wide as you are creating more points of connection and access to your account, and for those SSO providers into your activity, which could later be breached. Read more on the issue Single Sign On Considerations.

 

 

 

 

Corporate Environment Password Considerations


The IT and Cybersecurity department’s perspectives aren’t the main focus of this article, but it’s good for everyone to be aware of these points. Best practices for passwords have evolved, including very recently. Take note of these latest thinkings:

  1. Requiring password changes very often, like every month or 90 days is now considered to be counterproductive because it encourages password reuse.
    • By requiring new passwords all the time, it makes them harder to remember, so people default to using simpler passwords (bad) and variations of their current password carried over into the next iteration like “mygreatpassword4” which hackers can guess if they get access to the old password.
  2. Push for longer, more complex passwords, but password length is more important than complexity.
    • The longer the password the stronger, all else considered, aim for 12 or 15 characters as a minimum.
    • The more character types the better is still true, so try to require at least 3 among the types of uppercase, lowercase, numbers and symbols.
    • Cautionary note: requiring too much complexity can break many people’s personal easy-to-remember systems, increasing the risk they may have to create a password they can’t remember
    • Currently, many think that just using many, seemingly random words or a strange,uncommon sentence, plus mixing in some character types is the best way to achieve a long password that is also possible to remember
  3. Use a Password History Check Service
    • To check if user’s submitted passwords are vulnerable or already previously hacked
    • At SEIRIM when we build web applications, we implement a service that automatically checks if a user’s submitted password has been involved in a data breach to keep them from using it.
  4. If you’re storing passwords for any reason
    • Make sure to use strong hashing algorithm
    • Salt (and even pepper!) the passwords to make cracking a collection of hashed passwords exponentially more difficult and defeat the use of rainbow tables
    • For more in-depth information check out OWASP here: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html but long story short this is very, very important.
  5. Just in case, we’ll mention it - If you’re accepting passwords and any other info via forms, make sure you are conducting Input Validation to sanitize any attempted attacks via their fields.

Conclusion

Ok so that wraps it up! Even if you’re a simple humble user, please know that you are not immune to hackers’ attention, they want access to any and all accounts even as stepping stones to more information and bigger fish. And attacks are automated, so it can be just malicious scripts crawling towards your accounts.

Stay one step ahead of these malicious actors with strong, unique, and well protected passwords that are well backed up and redundant.

If you need help with your security, can contact the cybersecurity professionals at SEIRIM for support.

ABOUT THE AUTHOR

S.R.
Schroeder

Founder of Seirim, S.R. focuses on the art and science of web design, cybersecurity and web development tech to help keep driving SEIRIM's projects and abilities forward.

RECENTLY

Ten Steps to China SEO Success

Gather a new perspective, tools and methodology.

Embrace a Powerful Password Paradigm

Better security is within reach!

SEIRIM Named one of worlds top 250 Managed Security Service Providers

Honored to be recognized for MSSP cybersecurity work

Hot New China Websites

Great websites recently launched for the Chinese audience

Open Source Cybersecurity

Check the open source options first to save your company money!

Awesome New Videos by SEIRIM!

Check out these amazing videos by our team!