ISHPI

What can I do to make passwords easier and secure?
ISHPI CyberBytes Newsletter Vol 1 Issue 10

From the oldies folder in the file cabinet comes this month’s topic, not because I was lacking topics to talk about, but because it is still relevant (very relevant) even as we push towards a “passwordless” world. A quick search on the internet will show that even in 2023 people are still asking, “How do I balance the security of a strong password (which the long-standing industry guidance says is more than 8 characters and includes upper case, lower case, numbers, and special characters) with being able to easily REMEMBER my passwords?”

While the content of the question hasn’t changed over the years, the definition of a strong password has. This geeky tech comic (XKCD’s “Password Strength”, comic 936) sums it up pretty well, and it is counterintuitive to what you’ve learned over the years about passwords: a long phrase of ordinary words is harder to guess than a short string of mixed characters, and far easier to remember. So, what is the answer? In this relationship, the answer is the dreaded “It’s complicated”.

Or, more to the point, the password needs to be hard to guess, to reduce the threat of brute force password attacks, and length does more for that than character-class rules. Now, there are several methods to make a secure password (and remember it), but the easiest, taking a cue from the web comic above, is a simple passphrase (several words with spaces between them) that you can easily remember and type. Now the bigger problem comes into the picture: how do you do that when everything needs a password? NO, using the same strong password everywhere is NOT the right answer!!! One breached site would hand that password to every other account you own.

As I discussed back in the March edition of CyberBytes, have you thought about using a password manager? Before you answer, let me offer some of the benefits the major players offer:

  • a remember-one-and-use-many approach to passwords (if one site is breached, not all your accounts are in danger)
  • a customizable random password generator to make secure passwords (more secure)
  • the ability to create a unique password for every account you have (even more secure)
  • a tool that is synced across devices (desktop and mobile, for convenience)
  • all data is encrypted on your device before it is synced, and again by the connection (TLS) in transit, so it is protected both at rest and on the wire (peace of mind)
  • the “master password” is never stored by the provider; your device derives the encryption key from it, so it is only known by you (or whoever you tell)
  • uses MFA for validation to access your password vault (makes it harder to breach your account)
  • the saved passwords are available offline (more convenience)
  • low cost or free, depending on what you want or need

Yes, like anything, there is no panacea, so now the negatives:

  • hackers have a single target for a treasure trove of potential passwords by hacking the provider of the password manager (see the LastPass breach)
  • you are not in the habit of securing your mobile device or browser, and you have “unlocked” your password manager and walked away from the device
  • you forget your master password

Let’s look at those negatives, one at a time, and assess the risk/reward equation. For the first negative, the risk is real, but low in my opinion. All the saved data is encrypted on your device, with a key derived from your master password, before it is ever sent to the provider, and only that encrypted copy sits at rest in their facility. The provider does not retain or store the master password, which is also why losing or forgetting it means losing access to ALL your generated and saved passwords. So hackers gaining access to the provider’s systems get encrypted vaults, not usable passwords, and this was borne out in the LastPass breach: vaults protected by a strong master password stayed protected. The caveat is that a stolen vault can be attacked offline, by guessing master passwords at leisure, so a short, common, or reused master password is the one thing that would let that data be cracked.

The second one is more likely, but then only to those around you or who can get at your PC/mobile device. SO, KEEP IT LOCKED when you are not using it! The third is where the first part of this month’s topic helps you mitigate that risk. For example, “ironic sound is a quiet color” is an off-the-top-of-my-head example: 29 characters (yes, the spaces between the words count) is VERY difficult to crack by brute force, especially with words of different lengths and spaces between them, and it is easy to remember and type. Easier and secure.

Again, you can re-read the March edition of CyberBytes for a review of the major players in the password manager market, and yes, I do use one (protected by a strong (but easy to remember) password, MFA, and a hardware token).

Newsletter By:  Rob Collings, ISHPI’s VP of Cybersecurity | CISO

December 1, 2023
