Editor’s question
and reduce the risk of suffering from a damaging data breach.
SHANNON SIMPSON, CYBER SECURITY AND COMPLIANCE DIRECTOR AT SIX DEGREES
Traditional password policies are becoming outdated, as hackers step up their efforts to gain illicit access to systems and data. In this age of phishing emails, ransomware attacks and rumoured state-sponsored hacking regimes, the humble password is in danger of being overlooked.

Many organisations that we speak to set their password policies a number of years ago and expect semi-regular updates and the occasional uppercase letter to protect them from cyberattack. The truth is that modern password hacking techniques – fuelled by the constant increase in processing power available to hackers – require organisations to do more to strengthen their password security. Here, we provide five best practice tips to improve your organisation’s password security.
Strengthen your password security: Best practice tips
To understand what makes a strong password, we need to look at how hackers crack weak passwords. Most password attacks rely on the attacker having access to the ‘hash’ of a user’s password. A hash is a one-way cryptographic function that takes the user’s password and transforms it into another seemingly random, non-human-readable string. Attackers attempt to crack hashes by trying different inputs into the given hashing algorithm until the resulting hash matches that of the user’s actual password.

Hackers use dictionary attacks to test a list of words to see if the resulting hash matches a stolen user hash. Hackers will literally run through a dictionary and attempt every word until they find a match and – in case you thought replacing an ‘e’ with a ‘3’ or an ‘o’ with a ‘0’ would foil them – they use word mangling algorithms to ensure that these common substitutions are accounted for.
So how can your organisation strengthen its password security? By learning the lessons from how hackers attempt to crack passwords:

1. Use passphrases, not passwords. Passwords are relatively easy to hack, no matter how many numbers and symbols are substituted for letters. Consider implementing passphrases: ‘luxury dinosaur astronomy mountain’ is unlikely to appear in a hacker’s dictionary.

2. Apply the same rule to everyone. We often speak to organisations that have special rules for senior executives. Just because your CEO doesn’t want to remember a complex password doesn’t mean they should be allowed to remain a security risk.

3. Education, education, education. Teach your users how to create strong passwords. Always use lowercase and uppercase letters, numbers and symbols, and if you struggle to convince users to set passwords with at least 12 characters, compromise with 10.

4. Utilise a password management tool. It’s best practice to never use the same password twice. But how can your users be expected to memorise so many complex passphrases? Password management tools store passphrases in a secure, encrypted manner – perfect for users who access multiple different systems each day.

5. Implement multi-factor authentication. Passphrases alone may not be enough. By implementing multi-factor authentication, you can ensure that hackers are unable to gain illicit access to systems and data, even if they manage to hack your passphrase.
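The word-mangling substitutions described above are exactly what a password policy check can undo before a password is accepted, so that ‘P@ssw0rd2019!’ is recognised as the dictionary word it is while a multi-word passphrase passes. The Python below is an added example, not code from the article or from Six Degrees; the word list, the substitution map and the three-word passphrase threshold are constructed assumptions.

```python
import re

# Constructed sample word list; a real check would load a large dictionary
# and a breached-password list instead.
COMMON_WORDS = {"password", "welcome", "dinosaur", "summer", "letmein", "monkey"}

# Substitutions that word-mangling rules commonly apply ('e' -> '3', 'o' -> '0', ...).
# Reversing them lets the policy see "P@ssw0rd2019!" as the word "password".
UNMANGLE = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 12            # the article's recommended minimum
MIN_PASSPHRASE_WORDS = 3   # assumption: how many words make a passphrase


def normalise(password: str) -> str:
    """Strip leading/trailing digits and symbols, then undo common substitutions."""
    core = password.lower()
    # Drops appended years and symbols such as "2019!" that mangling rules add.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    return core.translate(UNMANGLE)


def check_password(password: str) -> list[str]:
    """Return the policy problems found; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password.split()) >= MIN_PASSPHRASE_WORDS:
        # A multi-word passphrase is not a single dictionary entry; length is the main test.
        return problems
    if normalise(password) in COMMON_WORDS:
        problems.append("dictionary word with common character substitutions")
    return problems


if __name__ == "__main__":
    for candidate in ["P@ssw0rd2019!", "D1nosaur", "luxury dinosaur astronomy mountain"]:
        print(repr(candidate), "->", check_password(candidate) or "OK")
```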
The threats posed to organisations by hackers have never been greater. Fortunately, if you apply a robust password policy you can significantly strengthen your password security and reduce the risk of suffering from a damaging cyberattack.
Issue 08 | www.intelligentciso.com