Whilst I’m not an avid radio listener, this week I tuned into a spokesperson from the NCSC (the UK’s National Cyber Security Centre) discussing cyber security and in particular a new top 1000 passwords list that has been compiled in conjunction with Troy Hunt (haveibeenpwned.com). It won’t take you many guesses to work out which passwords are still in the top 5, but in case you’re interested here’s a snippet below:
From a security professional’s viewpoint it paints a frustrating picture: for years security professionals have been preaching strong password techniques, including length and complexity, and even enforcing these via application and system controls.
So why are such common passwords still in use?
- One possibility (unfortunately an unlikely one) is that the data used to create this list has no use-by date, meaning the source data (breached password databases) could be many years old, from when these common passwords were still heavily in use.
- Another is that end user awareness training has not focused enough on helping end users create and manage secure passwords, concentrating only on enforcing the controls.
- A third, and the most likely, is that common password controls do not work for end users; recent research into the psychology of password creation, and the updated recommendations from the likes of the NCSC and NIST, certainly support this.
The end of password expiration?
In fact Microsoft recently announced that it will be removing the password expiry setting from its Windows baseline security recommendations, citing the problem that when end users are forced to change passwords on a periodic basis they typically make small, predictable changes to keep them easy to remember.
So great I can just keep my password from now on?
Well, not exactly. Microsoft stressed that whilst it is removing its expiration recommendation, this is a decision that individual businesses need to make based on their own risk assessments and security capabilities. The recommendation, for example, is that passwords should be changed when there is suspicion or evidence of the password being compromised. Whilst that sounds great, it does rely on your business and your chosen suppliers having the right tools in place to detect potential compromises of your accounts and report them to you.
Tools such as file and database auditing, application logs, and a centralised audit system to collate and analyse the information and produce reports and warnings of potential compromises, plus the skills to know how to do this. Not many SMBs have the technical know-how or resources to enforce this level of accountability, so you may not wish to remove that setting quite yet, but you could certainly review it and potentially extend the period of time before a password expires.
In addition, if you are thinking about removing password expiration settings, make sure you check any regulations you are subject to, as some still have expiration settings as a required control; yes, I’m talking about PCI-DSS.
OK what can I do to make stronger passwords?
Well, the good news is there’s lots you can do, for example:
- Don’t focus on creating a random, complex password; instead use two or three random words to make a password and, if you can, throw in some numbers and symbols to beef it up, like: BrandyGooseTip!
- Don’t reuse the same password for any other account or for password resets.
- Use a password manager to securely generate and store your passwords for systems. Just make sure you use a good, secure password and set-up for it!
- Secure your accounts further with Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA), using SMS codes, authenticator apps like Google Authenticator, biometrics etc.
- Reduce the number of passwords you have by using a Single Sign-On (SSO) system.
- Don’t forget to make sure any reset details you have are also secure and cannot be guessed or easily obtained through social media or public records.
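To show what the "two or three random words" advice and the forced-expiration problem look like in practice, here is an added example (my own, not code from the original post, the NCSC or Microsoft). It generates a BrandyGooseTip!-style passphrase with a cryptographically secure random source, compares its entropy with that of a truly random character password, and checks a candidate against a common-password denylist in a way that also catches the small, predictable edits (Password1 becoming Password2) that periodic expiry encourages. The word list and the denylist in the code are constructed samples; a real deployment would load a large dictionary and the full published common-password list.

```python
"""Added example: random-word passphrases, an entropy comparison, and a
denylist check that ignores the trailing digit/symbol "bump" users make when
forced to rotate a password. Word list and denylist are constructed samples."""
import math
import re
import secrets

# Constructed sample word list (assumption). Entropy per word is
# log2(dictionary size), so a real generator needs thousands of words;
# this short list only keeps the example runnable offline.
SAMPLE_WORDS = [
    "brandy", "goose", "tip", "river", "candle", "marble", "orbit", "violet",
    "harbour", "pencil", "saddle", "window", "meadow", "copper", "lantern",
    "falcon", "puzzle", "thunder", "velvet", "anchor", "basket", "garden",
    "island", "jacket", "kettle", "ladder", "magnet", "needle", "oyster",
    "parrot", "quarry", "rocket", "silver", "tunnel", "umpire", "walnut",
]

# Constructed stand-in for a "most common passwords" denylist (assumption);
# load the real published list in practice instead of this handful.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "iloveyou"}


def choose_words(n_words, words=SAMPLE_WORDS, rng=secrets):
    """Pick n_words (with replacement) using secrets.choice, never random.choice."""
    return [rng.choice(words) for _ in range(n_words)]


def join_passphrase(words, suffix="!"):
    """Capitalise each word and append an optional number/symbol suffix."""
    return "".join(w.capitalize() for w in words) + suffix


def generate_passphrase(n_words=3, words=SAMPLE_WORDS, suffix="!"):
    """Full generator: e.g. three words from the list plus '!' -> 'BrandyGooseTip!'."""
    return join_passphrase(choose_words(n_words, words), suffix)


def passphrase_entropy_bits(n_words, dictionary_size):
    """Bits of entropy when each word is drawn uniformly from the dictionary."""
    return n_words * math.log2(dictionary_size)


def char_password_entropy_bits(length, alphabet_size):
    """Bits of entropy for a truly random password over an alphabet."""
    return length * math.log2(alphabet_size)


def normalise(password):
    """Lower-case and drop trailing digits/symbols so that 'Password1!' and
    'Password2!' (the predictable rotation edit) both reduce to 'password'."""
    return re.sub(r"[^a-z]+$", "", password.lower())


def is_common(password, denylist=COMMON_PASSWORDS):
    """True if the password, or its normalised form, is on the denylist."""
    candidates = {password, password.lower(), normalise(password)}
    return any(c in denylist for c in candidates if c)


if __name__ == "__main__":
    print("generated:", generate_passphrase())
    # 4 words from a 7776-word (diceware-sized) list versus 8 random
    # printable ASCII characters (95 symbols): similar strength, far easier
    # to remember.
    print("4 words x 7776:", round(passphrase_entropy_bits(4, 7776), 1), "bits")
    print("8 chars x 95:  ", round(char_password_entropy_bits(8, 95), 1), "bits")
    for pw in ("Password1!", "Password2!", "BrandyGooseTip!"):
        print(pw, "-> common" if is_common(pw) else "-> not on denylist")
```

The entropy comparison is the reason the advice works: four words from a 7776-word list give roughly the same bits as a genuinely random eight-character password, and unlike the latter people will actually remember them. The normalise step is what makes a denylist useful under the expiry problem the post describes: a check that only matches exact strings would wave through Password2!.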