
Secplicity - Security Simplified

Powered by WatchGuard Technologies

Password Implementation Guidelines

March 29, 2018 By Emil Hozan


Passwords – they can easily add up!

Having to create and remember passwords for this and that, while staying safe and secure, can be quite the task. We all know it’s more convenient to use the same password for multiple services, but that comes with a HUGE security concern: the compromise of one leads to the exploitation of all!

What can be done to circumvent this for corporations, or even users outside of a work environment?

For corporations, there are a few ways to work around the issue.

Single Sign-On (SSO) is a great example: it limits the number of authentication prompts for users who access multiple resources from various locations. Authenticating once (most often when logging into a corporate computer) grants access to every resource available to that user’s security group. Because that one password unlocks everything the user needs to perform work duties, a strong initial password is highly recommended.

To strengthen this even more, experts recommend Multi-Factor Authentication (MFA) to ensure the user logging in is indeed the valid user. The second factor is often a physical piece of equipment, such as a security token or a smart card, that automatically generates a one-time password or PIN to be entered, so users don’t need to remember yet another password on top of the already secure initial login.

In a non-corporate environment, users can still follow these guidelines, though it may seem a bit extreme; it depends on how secure you want to be. Some services allow users to configure MFA or one-time-password tokens, most often tied to the user’s cell phone. Alternatively, set a new and different password for each service. This adds to the burden of memorizing more passwords (that’s what you’re doing, right, and not writing them down?), but it does increase security. Where MFA is unavailable, a password manager such as Keeper or LastPass can take care of the memorization and complexity requirements for you.

For larger corporations and domains, there is also the option of implementing a Public Key Infrastructure (PKI) for some services. This requires a Certificate Authority (CA) on the network that signs leaf certificates vouching for users. Users obtain the CA’s certificate (its public key, signed with its own private key) so they can verify anything the CA has signed, and they present their own certificate to prove their identity. To get that certificate, a user generates a key pair, creates a certificate request with the private key, and has the CA sign the request, thereby validating that they are who they say they are on the network. Note that the well-known public CAs on the Internet differ from a corporate CA, which may or may not be publicly recognized.

Considering the above, just what does a strong password consist of and what should be avoided at all costs?

Don’t Use:

  • ‘password’ as a password
  • other standard dictionary words
  • simple variations of standard dictionary words
  • simple words with numbers prepended or appended
  • usernames
  • personally attached information: birthdates, anniversaries, names of family or friends
  • simple words with numbers substituted for letters, e.g., 3 instead of e

Modern hardware and cracking programs make brute-forcing such passwords easy: the tools generate all of these variations automatically and try them at high speed.

Here’s a brief example of how easy it can be to crack basic passwords. Let’s use “mypassword” as a password for a service; its MD5 hash is “34819d7beeabb9260a5c854bc85b3e44”. Computer systems usually store passwords as a hash to avoid storing them in plaintext, but not all hashing algorithms are equally resistant. Simply doing a Google search for that hash value shows that online lookup tools have already reversed it and return “mypassword” as the original string. Arbitrarily using “)&*Gyiol80” instead, the hashed result is “1eb893fa4fd86c65a0ac248979fe0515”. Searching for this did not yield a result, at least not yet! Refer to the references below for tools to test this yourself.

On the flip side, good passwords are lengthy and mix upper- and lower-case letters, numbers, and special characters. At least eight characters is recommended but, as they say, the more the merrier! Passwords that are easy to remember but difficult to guess are prime examples, as are passwords that can be typed without looking at your keyboard. You never know when someone may be peeping over your shoulder.

— Emil Hozan
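The “Don’t Use” list and the strength advice above can be turned into a policy check that rejects a candidate password before it is ever hashed. The following is an added example, not code from the original post; its word list and personal-information tokens are constructed stand-ins for a real dictionary and real HR data, and `md5_hex` only reproduces the article’s lookup example.

```python
"""Password-policy check built from the article's Don't-Use list and its
strength advice (added example, not code from the original post). The word
list and personal-info tokens are constructed stand-ins for a real dictionary
and real HR data."""
import hashlib
import re

# Constructed mini dictionary; a real deployment would load a full word list.
DICTIONARY = {"password", "mypassword", "welcome", "secret", "letmein", "monkey"}

# Digit/symbol-for-letter substitutions (the article's "3 instead of e"),
# undone before the dictionary lookup so "P@ssw0rd" still matches "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
EDGE_JUNK = re.compile(r"^[^a-z]+|[^a-z]+$")  # prepended/appended digits, symbols


def bases(candidate: str) -> set:
    """Plausible underlying words of a candidate: lower-cased, with and
    without leet substitutions undone and edge digits/symbols stripped."""
    low = candidate.lower()
    stripped = EDGE_JUNK.sub("", low)
    return {low, stripped, low.translate(LEET), stripped.translate(LEET),
            EDGE_JUNK.sub("", low.translate(LEET))}


def check_password(candidate: str, username: str = "", personal=()) -> list:
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(candidate) < 8:                       # article's minimum length
        problems.append("shorter than eight characters")
    classes = sum(bool(re.search(p, candidate))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:                              # mixed case, digits, specials
        problems.append("fewer than three character classes")
    for hit in sorted(bases(candidate) & DICTIONARY):
        problems.append(f"dictionary word or simple variation ({hit!r})")
    if username and username.lower() in candidate.lower():
        problems.append("contains username")
    for token in personal:                       # birthdates, names, etc.
        if token.lower() in candidate.lower():
            problems.append(f"contains personal information ({token!r})")
    return problems


def md5_hex(text: str) -> str:
    """Unsalted MD5 as in the article's lookup example; reproduced only to
    show why a bare hash of a common password is trivially matched online."""
    return hashlib.md5(text.encode()).hexdigest()
```

Running `check_password("P@ssw0rd1")` flags the leet-speak variation of “password” even though it has four character classes, while `check_password(")&*Gyiol80")` returns no violations.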

References:

Password Management (February 2008) [PDF]. https://www.infosec.gov.hk/english/technical/files/password.pdf

Asprey, Dave (December 2, 2011). The Cheapest Way to Use the Cloud to Crack MD5 Using Google Instead of AWS. Retrieved from https://blog.trendmicro.com/the-cheapest-way-to-use-the-cloud-to-crack-md5-using-google-instead-of-aws/

MD5 Hash Generator, online tool. https://www.md5hashgenerator.com/

MD5 Decryption, online tool. http://www.md5decrypt.org/


Filed Under: Editorial Articles Tagged With: passwords

Comments

  1. Anca Gagea says

    April 1, 2018 at 12:00 am

    Awesome post! Very informative! Well written!

