Finding a Password In a Haystack, How long is your Needle?

Eighty-five is the average number of passwords held by a staff member in a small institution (1-25 employees); for financial institutions the figure is about 70(a). One obvious consideration follows: even if every employee had only 50 passwords to remember, the business must ensure strong authentication and manage it in a way that relieves the burden on its employees.

People often underestimate the number of accounts they have. There is widespread agreement that reusing passwords is bad. So why do people still do it? Mainly because, being human, they simply want to get their job done and cannot manage and remember dozens of complex passwords. They just want memorable passwords so they can log in to their accounts quickly and easily.

The 2019 Verizon Data Breach Investigations Report (DBIR) reports that stolen and reused credentials are implicated in 80% of hacking-related breaches. Other data shows that employees reuse a password an average of about 13 times.

Consider, for example, a password built from the following fifty-character string, which has been compromised: R$eter#0dR1M8dk%jEc4o0^Tod*32d#po$1!enjPa33w0rd=50.

Strong as that string looks, if your password was published in one of the databases of compromised passwords on the dark web it is nearly worthless in protecting you or your institution from attack, since attackers will try it against your account everywhere you have used it. Data breaches have become a fact of life for both businesses and individuals, which makes password reuse across online accounts a big problem.

So what is the recommendation? Measures that used to reduce authentication risk, such as password expiration or mandatory special characters, are no longer as effective. It is becoming accepted that longer passwords are better(b), as long as you use unrelated words, and you can make them stronger still by adding a number and/or a special character. Something like 1BlueChristmasCar is easy to remember and very difficult for a person or a guessing program to hit on. But once it is compromised it is again worthless, and you still must not use it in more than one place. This makes it easier to create memorable passwords, but it is still not realistic to remember 50 different ones and which one applies to which application.

Then what do we do? A combination of things will work best. The following is a checklist of things to do, whether for the business or personally; the recommendations really don't change:

1.  Start using a password manager; the need to reuse passwords is eliminated and managing passwords becomes easier.

2.  Check your user names and passwords against the compromised databases. For personal use some of the credit card companies offer this, as do the free services at www.haveibeenpwned.com and accounts.firefox.com; commercial solutions such as www.spycloud.com and others also exist. The actions you may need to take will vary based on the data that was lost.

3.  Companies can implement a “Password Policy Enforcer” that checks each password as it is set against the compromised databases, so that a compromised password cannot be used. Companies such as Anixis, SpyCloud and Enzoic offer such solutions.

4.  Change your password only if it comes up as compromised. Recent studies have shown that regular password changing does not substantially reduce your risk; if a password is found to be compromised, changing it is a must.

5.  Make your passwords long, difficult to guess and easy to remember, and hope that websites, corporations and online banking allow long passwords with no complexity rules and do not force you to change them unless a compromise is recognized. If you make the result long and memorable, you will have super-strong passwords that are also easy to use.
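Items 2, 3 and 5 of the checklist describe the same check: before a password is accepted, ask whether it has appeared in a breach, and prefer length over complexity rules. The following is an added example written for this page, not code from the article or from any of the vendors it names. It implements the k-anonymity lookup that the Have I Been Pwned "Pwned Passwords" range API exposes at https://api.pwnedpasswords.com/range/: only the first five hex characters of the password's SHA-1 hash are sent, the server returns every hash suffix it knows under that prefix, and the comparison happens locally, so neither the password nor its full hash leaves the host. The breach counts in SAMPLE_BREACHED, the min_length of 16 and the function names are assumptions made for the example; the constructed sample lets it run offline, and fetch_range does the live query when you have network access.

```python
"""Breached-password check using the Pwned Passwords range API (k-anonymity).

Only the first five hex characters of the password's SHA-1 hash leave the
host; the full hash is compared locally against the returned suffixes.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, List, Tuple

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into a 5-char prefix and 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; blank lines are ignored.

    Padded responses include suffixes with a count of 0; they are kept
    here and naturally mean 'not breached' to the caller.
    """
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup (needs network); sends only the 5-char prefix, never the password."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "password-policy-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """Number of times the password appears in breach data (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def evaluate_password(password: str, fetch: Callable[[str], str] = fetch_range,
                      min_length: int = 16) -> List[str]:
    """Policy from the checklist: long, and never seen in a breach. No complexity rules."""
    problems: List[str] = []
    if len(password) < min_length:
        problems.append(f"too short: {len(password)} chars, policy requires {min_length}")
    seen = breach_count(password, fetch)
    if seen:
        problems.append(f"compromised: seen {seen} times in breach data")
    return problems


# --- Constructed sample data (not real HIBP output) so the example runs offline ---
FIFTY = "R$eter#0dR1M8dk%jEc4o0^Tod*32d#po$1!enjPa33w0rd=50"  # the article's compromised string
SAMPLE_BREACHED = {"password": 3861493, FIFTY: 1}  # hypothetical breach counts


def build_sample_ranges(breached: Dict[str, int]) -> Dict[str, str]:
    """Group sample entries by hash prefix, in the 'SUFFIX:COUNT' text form the API returns."""
    ranges: Dict[str, List[str]] = {}
    for pw, count in breached.items():
        prefix, suffix = sha1_prefix_suffix(pw)
        ranges.setdefault(prefix, []).append(f"{suffix}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in ranges.items()}


SAMPLE_RANGES = build_sample_ranges(SAMPLE_BREACHED)


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range that answers from the constructed sample."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", FIFTY, "1BlueChristmasCar"):
        print(f"{pw!r}: {evaluate_password(pw, fetch=offline_fetch) or ['ok']}")
```

Against the sample, the fifty-character string passes the length rule and is still rejected because it is in the breach set, which is exactly the article's point; 1BlueChristmasCar passes both. Note what is not sent anywhere: the user name. A breach check like this is a password check only; correlating user names with leaked data is the separate service that the commercial products in item 2 sell.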

A lot of information about us gets leaked, and the more the bad actors have on us, the more targeted their phishing campaigns can be. Checking whether your data is available in the underground can help you mitigate fraud or identity theft.

Corporations should consider implementing a password manager across the institution for all employees, and allowing them to use it for both business and personal purposes. If you do, and you train employees accordingly, it becomes less likely that your business passwords are also an employee's personal passwords.