Maciej Ochal | 2022-11-23

What is the most important recommendation when creating passwords today?


What is the hardest password to crack, and does it matter?

This question popped into my head right after I came across the equally defiant title of Alex Weinert's Microsoft Security blog post, "Your Pa$$word doesn't matter." The findings cited there can be shocking. In his next article, "All your creds are belong to us!", Alex added fuel to the fire by demonstrating attack methods that work even against more advanced protection such as MFA.

With that defiant introduction, I'll begin the topic of passwords, which has been discussed many times before, including on our blog.

According to cybersecurity trend reports from CrowdStrike, Verizon and IBM, enterprises experienced more ransomware attacks (data encryption followed by a ransom demand) than in 2020. Despite the passage of time, the same patterns persist: attacks that rely on some action by the user constitute the majority (82% in 2021), and stolen login credentials were involved in approximately 45% of successful breaches.

Creating Strong Passwords – How to Protect Internet Users?

Even the most restrictive password policy won't protect a user's login and password from leaking out of an external database, such as a website the user registered on. Although companies devote significant resources to infrastructure security, attackers get at login credentials by exploiting typical user behaviour, and they also use passwords obtained in earlier breaches or bought on the black market.

One of the largest data breaches of 2021 was the T-Mobile breach, which resulted in the acquisition of data on 40 million users. The young hacker responsible for this attack even gave an interview and boasted about how he accomplished it. However, he didn't reveal what happened to the stolen information. Was the data sold somewhere?

How to ensure password security?

You can quickly lose your passwords if:

  • Someone watches you type it – especially in a public place (shoulder surfing),
  • A cybercriminal eavesdrops on your network traffic – anything sent unencrypted, including a password typed into a web form, can be captured,
  • Your computer is infected – a program that records keystrokes (a keylogger) has been installed and sends them to the attacker,
  • The password is too simple – some passwords are trivially easy to guess,
  • The password has been shared – you voluntarily gave your login details to someone,
  • The password is stored in an insecure file – an attacker finds it incidentally while compromising or eavesdropping on something else.

How attackers work – several attack methods that target a user's password:

  • Brute force – the attacker tries every candidate password (every combination of characters from the allowed character set, or every entry in a dictionary) against a single account, or against a stolen password hash, until one matches. Against an online login this is loud and quickly triggers lockouts; against a leaked hash database it runs offline at the speed of the attacker's hardware.
  • Password spray – the attacker takes a short list of commonly used passwords (such as those found in leaked databases) and tries each one against many different usernames, only once or twice per account, deliberately staying under the lockout threshold.
  • Credential stuffing – similar to password spraying, but this time the attacker replays complete login and password pairs from a stolen database against other services. It works because people reuse passwords, so a pair leaked from one site often unlocks the same person's accounts elsewhere.
  • Phishing – an email containing a link to a fake website or a malicious attachment. Clicking the link or opening the attachment is intended to infect the computer or steal the user's credentials, and is usually the first stage of a larger attack, for example in preparation for data encryption and a ransom demand (ransomware).
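To make the difference between these patterns concrete, here is an added example (not from the original article) that classifies failed-login events from an authentication log: one source hammering one account is brute force, one source touching many accounts once each is a spray, and one attempt per account from many sources with an unusually high success rate is credential stuffing. The log format, the thresholds and every sample event are constructed for illustration; real thresholds depend on your user population and lockout policy.

```python
"""Tell brute force, password spray and credential stuffing apart in an auth log.

Added example; the log format (timestamp source_ip username RESULT), the
thresholds and every event below are constructed, not taken from a real system.
"""
from collections import defaultdict


def _constructed_log() -> str:
    """Build a small, clearly synthetic authentication log."""
    lines = []
    # Brute force: one source hammering a single account.
    for i in range(12):
        lines.append(f"2022-11-23T10:00:{i:02d}Z 203.0.113.5 alice FAIL")
    # Password spray: one source, a single guess against many accounts.
    for i, user in enumerate(["bob", "carol", "dan", "eve", "frank", "grace", "heidi", "ivan"]):
        lines.append(f"2022-11-23T10:05:{i:02d}Z 198.51.100.7 {user} FAIL")
    # Credential stuffing: many sources, one leaked login:password pair each,
    # and an unusually high share of them succeed because of password reuse.
    for i in range(10):
        result = "SUCCESS" if i % 3 == 0 else "FAIL"
        lines.append(f"2022-11-23T10:10:{i:02d}Z 192.0.2.{i + 1} user{i} {result}")
    # A legitimate user who mistyped twice and then got in.
    lines += [
        "2022-11-23T10:20:00Z 203.0.113.9 erin FAIL",
        "2022-11-23T10:20:05Z 203.0.113.9 erin FAIL",
        "2022-11-23T10:20:10Z 203.0.113.9 erin SUCCESS",
    ]
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()


def parse(log_text: str) -> list:
    """Return (timestamp, source_ip, username, result) tuples, skipping blank lines."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            events.append((ts, ip, user, result))
    return events


def classify_sources(events, brute_threshold=10, spray_min_users=5, spray_max_per_user=2):
    """Label each source IP as 'brute_force', 'password_spray' or 'normal'.

    Brute force: many failures against one account from one source.
    Password spray: few failures per account but across many accounts from one
    source (the attacker stays under the lockout threshold on purpose).
    """
    failures = defaultdict(lambda: defaultdict(int))  # ip -> user -> failed attempts
    for _ts, ip, user, result in events:
        if result == "FAIL":
            failures[ip][user] += 1
    labels = {}
    for ip, per_user in failures.items():
        if max(per_user.values()) >= brute_threshold:
            labels[ip] = "brute_force"
        elif len(per_user) >= spray_min_users and max(per_user.values()) <= spray_max_per_user:
            labels[ip] = "password_spray"
        else:
            labels[ip] = "normal"
    return labels


def credential_stuffing_suspected(events, ignore_sources=frozenset(), min_accounts=5,
                                  min_success_rate=0.2) -> bool:
    """Flag the distributed pattern: one attempt per account from many different
    sources, with a success rate far above what guessing would achieve.
    Sources already attributed to spraying or brute force can be excluded so they
    do not distort the single-attempt statistics."""
    attempts = defaultdict(list)  # user -> [(ip, result)]
    for _ts, ip, user, result in events:
        if ip not in ignore_sources:
            attempts[user].append((ip, result))
    single = [a[0] for a in attempts.values() if len(a) == 1]
    if len(single) < min_accounts:
        return False
    distinct_sources = {ip for ip, _ in single}
    successes = sum(1 for _, r in single if r == "SUCCESS")
    return len(distinct_sources) >= min_accounts and successes / len(single) >= min_success_rate


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    labels = classify_sources(evts)
    for ip, label in sorted(labels.items()):
        print(f"{ip:15} {label}")
    noisy = {ip for ip, label in labels.items() if label != "normal"}
    print("credential stuffing suspected:", credential_stuffing_suspected(evts, ignore_sources=noisy))
```

Note that the spray and the stuffing patterns look alike if you only count failures per source; the distinguishing signals are the number of distinct source addresses and the success rate, which is why the stuffing check works on per-account attempts rather than per-source failures.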

How often should you change your password and how can you protect yourself from hackers?

The password policy still enforced by many websites requires periodic changes and a certain complexity: lowercase and uppercase letters, digits and special characters. This follows from a purely mathematical argument: a larger character set enlarges the search space an attacker has to try, and frequent changes shorten the time during which a cracked password remains useful. Such a password is very complex, but it is also hard to remember.

Many people therefore use the same string of characters in multiple places or share it with others. In extreme cases, this takes the form of sticky notes with the password stuck to the monitor.

Furthermore, when a periodic change is required, users typically modify only part of the password, usually the last characters (for example by incrementing a trailing digit). This creates a pattern that makes the attacker's job easier, since the old password plus a few guessed variations is enough.

Analysis of a database of 800 million breached passwords shows that users most often choose passwords based on their interests (music, sports, culture) or on the calendar. The word "Summer" accounted for 42% of passwords containing a season, and "May" for 52% of passwords containing a month.

From the same research, we know that:

  • 93% of passwords used in brute force attacks were eight or more characters long,
  • 41% of them were 12 or more characters long,
  • 48% of organizations do not verify the identity of people who call the helpdesk (where password resets are typically requested).

A useful tool is the list of the 100,000 most common breached passwords drawn from the haveibeenpwned data; the same site also offers an API for checking individual passwords against its full corpus.
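Here is an added example (not from the article, and not code from haveibeenpwned) of how such a check is done in practice without sending the password anywhere: the Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 hash and returns every known hash suffix under that prefix, so the match happens locally. The `password_allowed` policy applies the length rule from this article before the breach check. The offline stand-in response used for the demo, and the counts in it, are constructed; swap in `fetch_range` for a live lookup.

```python
"""Check a candidate password against the haveibeenpwned Pwned Passwords corpus
without sending the password anywhere (k-anonymity range API).

Added example, not from the article. Only the first five hex characters of the
SHA-1 hash are sent; the service answers with every known suffix for that prefix.
The offline stand-in response and its counts are constructed.
"""
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"


def fetch_range(prefix: str) -> str:
    """Live lookup. Returns lines of the form 'HASH_SUFFIX:COUNT'."""
    req = urllib.request.Request(RANGE_API + prefix, headers={"User-Agent": "password-policy-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Number of times the password appears in breach corpora (0 = not found)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def password_allowed(password: str, min_length: int = 14, fetch=fetch_range):
    """Apply the policy from this article: length first, then the breach-list ban.
    Returns (allowed, reason)."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    seen = pwned_count(password, fetch)
    if seen:
        return False, f"found {seen} times in breach data"
    return True, "ok"


# Constructed: passwords the offline stand-in pretends are in the corpus; the
# counts are invented and are not haveibeenpwned's real figures.
KNOWN_BREACHED = {b"password": 3730471, b"passwordpassword": 1234}


def constructed_fetch(prefix: str) -> str:
    """Offline stand-in for fetch_range. Returns a made-up range response containing
    one unrelated suffix plus the real SHA-1 suffix of any KNOWN_BREACHED password
    whose hash starts with the requested prefix."""
    lines = ["0018A45C4D1DEF81644B54AB7F969B88D65:1"]
    for pw, count in KNOWN_BREACHED.items():
        digest = hashlib.sha1(pw).hexdigest().upper()
        if digest[:5] == prefix:
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    for pw in ["password", "passwordpassword", "grass ceiling piano river"]:
        print(repr(pw), "->", password_allowed(pw, fetch=constructed_fetch))
```

Two things worth keeping when you adopt this: the hash is uppercase hex because that is how the service formats suffixes, and the length check runs first so that short passwords never even reach the network.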

What passwords are currently considered secure? Microsoft Recommendations

Current password recommendations from Microsoft:

  • A minimum length of 14 characters
  • No complexity requirement, i.e., no forcing a mix of lowercase, uppercase, digits and special characters
  • No periodic password expiry for user accounts (this does not apply to service accounts, for which a dedicated account type, the managed service account, rotates the password automatically)
  • Banning commonly used passwords (a banned-password list)
  • Never reusing a password across services, and in particular never using the work password for anything else
  • Enforcing multi-factor authentication (MFA)
  • If possible (a premium Azure AD licence is required), adding further controls, for example Conditional Access policies.

How many characters should a good password be?

Microsoft recommends using a minimum of 14 characters.

The Polish Financial Supervision Authority (KNF) also states that: "the higher the frequency of password changes, the greater the risk to the user, because this makes it easier for an attacker to recreate the pattern. Furthermore, the more random the password, the less mnemonic it is, and therefore the more difficult it is for the user to remember. Password length therefore becomes a key element."

Note that Microsoft's recommendations assume MFA is enforced and are based on behavioural research into how users actually handle their credentials. The provisions of technical standards may differ from the list above, so when writing a password policy, check the requirements you are obliged to meet.

A good example is the set of requirements in the PCI DSS 4.0 standard (for payment card processing), which can serve as a starting point for further consideration.

Secure passwords on the network – PCI DSS 4.0 requirements:

- the minimum length of a user's password is 12 characters (8 if the system cannot support 12),

- the password must contain both letters and numbers,

- if the password is the only authentication factor, it must be changed at least every 90 days, or the account's security posture must be analysed dynamically (for example using behavioural analysis, location and trusted devices) and access granted accordingly,

- do not use default system passwords (e.g., admin, password),

- passwords must not be readable in plain text: strong cryptography must render them unreadable in storage and in transit,

- do not share passwords with other users,

- use multi-factor authentication for all access to the cardholder data environment,

- a new password must differ from the four previously used ones,

- the password cannot be the same as one used within the last 12 months,

- passwords for vendor accounts cannot be set to never expire,

- system and application account passwords cannot be set to never expire; they should be changed at least annually and be at least 15 characters long,

- using two single-factor authenticators of the same kind (e.g., two passwords) is not considered multi-factor authentication.

The password creation guidance is complemented by the UK National Cyber Security Centre (NCSC), which, like Microsoft, advises that passwords need not be complex. The NCSC recommends combining three random words, which gives a long, easy-to-remember password, e.g., "grass ceiling piano".
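The arithmetic behind the "length over complexity" advice (the 14-character minimum above and the three-random-words approach) is easy to carry through, so here is an added example, not from the article, Microsoft or the NCSC, that computes the guessing space for a few configurations and generates a random-word passphrase with a cryptographically secure source. The word list is a constructed 16-word sample; the 7776 figure is the size of the EFF diceware list, assumed here as a realistic dictionary size.

```python
"""Why length beats character-set complexity: guessing-space arithmetic for the
figures in this article, plus an NCSC-style random-word passphrase generator.

Added example, not from the article or the NCSC. The word list is a constructed
16-word sample; a real deployment would use a list of thousands of words.
"""
import math
import secrets

PRINTABLE_ASCII = 95      # upper, lower, digits, punctuation, space
LOWERCASE = 26
EFF_LONG_LIST = 7776      # size of the EFF diceware long list (assumed here as a realistic dictionary)

SAMPLE_WORDS = [  # constructed; deliberately tiny
    "grass", "ceiling", "piano", "river", "candle", "orbit", "velvet", "anchor",
    "maple", "thunder", "pocket", "silver", "harbor", "lantern", "meadow", "copper",
]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a password drawn uniformly at random: length * log2(alphabet).
    'alphabet' is characters for a password, words for a passphrase."""
    return length * math.log2(alphabet_size)


def length_needed(alphabet_size: int, target_bits: float) -> int:
    """Smallest length over this alphabet that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def passphrase(words: list, count: int = 3, sep: str = " ") -> str:
    """Pick words with a CSPRNG (secrets), never random.choice; uniform selection is
    what makes the entropy figure above valid."""
    return sep.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    complex8 = entropy_bits(PRINTABLE_ASCII, 8)
    print("8 printable chars  :", round(complex8, 1), "bits")
    print("14 lowercase chars :", round(entropy_bits(LOWERCASE, 14), 1), "bits")
    print("3 words of 7776    :", round(entropy_bits(EFF_LONG_LIST, 3), 1), "bits")
    print("lowercase length matching 8 printable chars:", length_needed(LOWERCASE, complex8))
    print("words (of 7776) matching 8 printable chars :", length_needed(EFF_LONG_LIST, complex8))
    print("example passphrase:", passphrase(SAMPLE_WORDS))
```

Two practical caveats fall out of the numbers. First, with a 7776-word list three random words (about 38.8 bits) are weaker than eight random printable characters (about 52.6 bits); you need five words from that list, or a considerably larger dictionary, to match, whereas 14 random lowercase letters (about 65.8 bits) beat both. Second, all of these figures assume uniformly random choice; the "Summer" and "May" habits described above show that human-chosen passwords are nowhere near uniform, which is why the banned-password list and MFA matter more than this arithmetic.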

Is it worth using a password manager?

Password manager

Since we can't remember many long passwords, programs that remember them for us come in handy: either the browser's built-in password manager or a dedicated application such as 1Password, LastPass, KeePass or Password Safe. This is a beneficial and recommended solution.

Regarding the security of such programs, remember that the entire database is protected by a single master password (or by the login to the computer, in the case of a browser). Whoever obtains that one password gains access to every password stored inside. The manager's database and the browser are also only as secure as the operating system and the application around them: in most such programs, once the database has been unlocked with the master password, the secrets sit decrypted in the process's memory, so malware running on the same machine can read them from memory without ever touching the encrypted database file.

Alex Weinert showed in his article that, in principle, no password is safe on its own unless it is backed by additional protection. According to Microsoft's data, enabling multi-factor authentication blocks over 99.9% of automated account-compromise attacks.

The three authentication factors are:

  1. Something you know, e.g., a password
  2. Something you have, e.g., a one-time-code list from your bank, a hardware cryptographic key
  3. Something you are, e.g., a fingerprint, a facial image

Using the authenticator assurance levels (AAL) defined by NIST (the US National Institute of Standards and Technology) in SP 800-63B, we can distinguish three levels of protection depending on the importance of the information being protected:

AAL1. Any single authentication factor (password, certificate, token, etc.). Reauthentication is required at least once every 30 days, and an inactive session should be ended. This provides some assurance that the person authenticating controls the authenticator bound to the account.

Today this level is no longer sufficient for effective protection.

AAL2. A single multi-factor authenticator, or a combination of two single-factor authenticators (password plus app confirmation, password plus a one-time access code, or an app that generates the access code only after a fingerprint scan). Reauthentication is required at least once every 12 hours regardless of user activity, and after 30 minutes of inactivity the session should be terminated (logged out).

This level is good for most applications, except for the protection of particularly sensitive data.

AAL3. Two different authentication factors, used over a secure protocol. This level requires a hardware-based authenticator and verifier-impersonation resistance, i.e., an authenticator that proves it is talking to the genuine service rather than to a phishing page; a single device, such as a FIDO2 security key, can satisfy both requirements. Reauthentication is required at least once every 12 hours regardless of user activity and must use both factors; after 15 minutes of inactivity the session should be terminated (logged out).

This level is intended for particularly sensitive accounts, such as system administrators.

An example of a multi-factor hardware authenticator is a USB security key holding a private key or certificate. Using it requires entering a PIN and/or touching the key (proof that a person is present during verification). The key is also first registered as trusted with the application it protects.

These three levels are just one example of how the need for additional security measures can be graded according to the sensitivity of the data being handled, so that the controls fit the situation.

What about doing without a password altogether?

Because of the problems passwords present, Google, Apple and Microsoft, together in the FIDO Alliance, have decided to accelerate passwordless login based on FIDO credentials (passkeys). It is already available for Google and Microsoft services, as well as in iOS 16 and Apple's macOS Ventura.

Users with a trusted device holding such a key can use it to sign in from other systems as well.

As you can see, using passwords is becoming increasingly problematic: attackers obtain them from leaks and try them against the services we use.

What is the current top recommendation for creating passwords?

- Enable multi-factor authentication,

- Consider enabling passwordless login on new systems once you have tested it,

- Use long passwords (minimum 14 characters),

- Do not force users to change their passwords periodically,

- Consider additional protection for administrator accounts (e.g., a hardware security key),

- Use automatic password rotation for service accounts (e.g., managed service accounts),

- Where possible, implement additional controls, such as Conditional Access policies.

Maciej Ochal - Administrator and Microsoft Trainer in Support Online