Passwords: The Top Secret
Posted by Shawn Iverson, CETL on 11/4/2019
Although National Cybersecurity Awareness Month (NCSAM) ended with October, cybersecurity awareness matters just as much in every other month of the year. In November, we shift our attention from Phishing: The Top Cyber Threat to Passwords: The Top Secret. Your passwords are among the most sought-after secrets that phishing scams target, and a stolen password can lead to further data theft and data loss for you and your organization.
Once hackers have obtained one or more of your passwords, they can continue their campaign toward their real objective, such as data theft or data held for ransom (ransomware), usually for financial gain. Use of stolen credentials ranks right behind phishing as the top threat action in breaches.
Unfortunately, in addition to the threat of phishing, most people reuse the same password across multiple services and continue to choose weak, guessable passwords. Many password compromises don't involve phishing at all: simply guessing a password, or applying common techniques such as brute force, can be enough. Once a password is obtained, attackers can reach every network and service where that same password has been reused (so-called credential stuffing).
Managing security in any organization is difficult. In a public school district with limited funding and personnel, the scope of cybersecurity hardening can be overwhelming. One of the most common security holes in schools is the way default passwords are created. Schools may be issuing weak, predictable passwords en masse based on patterns (initials, birthdays, student ID numbers), despite digital security being one of the nine essential elements of digital citizenship. Predictable passwords not only expose schools to compromise from inside and outside, they also have a lasting, unintentional effect: they silently teach the wrong "3 P's" of cybersecurity, Poor Password Practices. Schools are encouraged instead to develop a strong password policy, such as randomly generating passwords according to the current NIST guidelines for memorized secrets (NIST SP 800-63B), which also call for checking chosen passwords against lists of breached and commonly used passwords rather than enforcing complexity rules.
Steps you can take to be more secure today:
- Do not base passwords on other information or patterns, including birthdays, phone numbers, initials, family names, locker combinations, PINs, life events, and other personally identifiable information.
- Never store passwords in plain text on a computer, whether in a document or a spreadsheet.
- If you write passwords down, keep them in a safe and secure location that only you can access. (Safer)
- Use an encrypted password manager to store passwords and to generate a strong, random, unique password or passphrase for each service. (Safest)
- Longer passwords are better: each added character multiplies the number of possible passwords by the size of the character set, so the effort needed to crack a password grows exponentially with its length.
- Use passphrases (several randomly chosen words) instead of passwords. They are much longer yet easier to remember, and more words are better.
- Use two-factor authentication (2FA) wherever it is offered, especially for sensitive services such as online banking and administrative-level accounts.
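The following script is an added example and is not code from the original post or from Rush County Schools. It puts the NIST memorized-secret guidance and the "longer is exponentially better" point above into working code: it generates random passwords and passphrases with a cryptographically secure generator, computes their entropy, estimates how long an attacker guessing at a given rate would need, and applies NIST 800-63B-style checks (minimum length, breach/common-password list, repeated or sequential characters, context-specific words) to a user-chosen password. The word list, the blocklist and the sample passwords are constructed for illustration; a real deployment would use a large word list (such as a 7776-word diceware list) and a full breach corpus.

```python
import math
import secrets
import string

# Character set for random passwords: letters, digits and common symbols (75 symbols).
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+?"

# Constructed sample word list. A real deployment would use a large list
# (e.g. a 7776-word diceware list) so that each word adds about 12.9 bits.
SAMPLE_WORDLIST = (
    "apple", "bison", "cactus", "dune", "ember", "fjord", "glacier", "harbor",
    "ivory", "jungle", "kettle", "lantern", "meadow", "nebula", "orchid",
    "piston", "quartz", "ripple", "saddle", "timber", "umber", "velvet",
    "walnut", "xenon", "yonder", "zephyr",
)

# Constructed stand-in for a breached/common-password list. Real verifiers
# should check against a full breach corpus rather than a handful of entries.
SAMPLE_BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1"}


def generate_password(length: int = 16, alphabet: str = PASSWORD_ALPHABET) -> str:
    """Return a uniformly random password drawn with the CSPRNG in `secrets`."""
    if length < 6:  # NIST 800-63B: randomly generated secrets are at least 6 characters
        raise ValueError("randomly generated secrets should be at least 6 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 5, wordlist=SAMPLE_WORDLIST, sep: str = "-") -> str:
    """Return a passphrase of `words` randomly chosen words joined by `sep`."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random secret of `length` symbols from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time for an attacker at `guesses_per_second` to find the secret.

    On average half the keyspace is searched before the secret is hit, hence 2**bits / 2.
    Each extra bit doubles this; each extra character multiplies it by the alphabet size.
    """
    return (2.0 ** bits) / 2.0 / guesses_per_second


def _has_run_or_sequence(secret: str, run: int = 4) -> bool:
    """True if `secret` contains `run` identical (aaaa) or consecutive (abcd, 4321) characters."""
    s = secret.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        codes = [ord(c) for c in window]
        if len(set(window)) == 1:
            return True
        if all(codes[j + 1] - codes[j] == 1 for j in range(run - 1)):
            return True
        if all(codes[j] - codes[j + 1] == 1 for j in range(run - 1)):
            return True
    return False


def check_memorized_secret(secret: str, context_words=(), blocklist=SAMPLE_BLOCKLIST) -> list:
    """Apply NIST 800-63B-style checks to a user-chosen secret.

    Returns the list of reasons the secret is rejected; an empty list means it passes.
    Checks: at least 8 characters, not on the breach/common list, no repetitive or
    sequential characters, no context-specific words (username, school or service
    name). Deliberately no composition rules, in line with the NIST guidance.
    """
    reasons = []
    if len(secret) < 8:
        reasons.append("shorter than 8 characters")
    if secret.lower() in blocklist:
        reasons.append("appears in breached/common password list")
    if _has_run_or_sequence(secret):
        reasons.append("contains repeated or sequential characters")
    lowered = secret.lower()
    for word in context_words:
        if word and word.lower() in lowered:
            reasons.append(f"contains context-specific word '{word}'")
    return reasons


if __name__ == "__main__":
    # Constructed example of a predictable "default" pattern: a username plus a year.
    print(check_memorized_secret("jdoe2019", context_words=["jdoe", "school"]))
    pw = generate_password(16)
    print(pw, f"{entropy_bits(len(PASSWORD_ALPHABET), 16):.1f} bits")
    # Assumed attacker rate of 1e10 guesses/s (offline attack on a fast hash):
    # every added character multiplies the work by len(PASSWORD_ALPHABET).
    for n in (8, 12, 16):
        b = entropy_bits(len(PASSWORD_ALPHABET), n)
        print(n, "chars:", f"{expected_crack_seconds(b, 1e10) / 86400 / 365:.3g} years")
    print(generate_passphrase(5))
```

Run it as a script to see the rejection reasons for the constructed default password, a freshly generated 16-character password with its entropy, the crack-time estimate growing by a factor of 75 per added character, and a five-word passphrase. The 1e10 guesses per second figure is an assumption chosen to represent an offline attack on a fast hash; real rates depend on the hashing scheme the service uses.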
Further reading:
- Krebs on Security: password dos and don'ts
- Google: Create a strong password & a more secure account
- Security Boulevard: Summary of NIST 800-63 Password Guidelines
Shawn Iverson is the Director of Technology at Rush County Schools. He serves on the Educational Cybersecurity Task Force and participates in raising cybersecurity awareness at conferences such as the Hoosier Educational Computer Coordinators (HECC) Conference held each November.