
Filopto Help Manual


Create a Secure Password



 

 

Create strong passwords

 

 


 

Passwords are the first line of defense against break-ins to your online accounts, your applications and your computer, tablet or phone. Poorly chosen passwords leave your information exposed to criminals, so it is important to make your passwords strong.

 

 

IMPORTANT:

 

Your Password must meet the minimum password security policy requirement as defined by your system administrator in the Configuration Manager tab - Security Manager section.

 

Basic Rules for Good Passwords

These rules apply to the Internet, PCs, servers and software.

 

Rule 1 - Make certain that the software/system you are using locks users out after multiple failed password attempts.  Filopto can lock an account after multiple incorrect password attempts - ACTIVATE THIS FEATURE; it is your first line of defense against someone guessing passwords at the login screen.  Windows has a similar feature; activate it.  Keep in mind that lockout only stops online guessing (it does nothing if an attacker has obtained a copy of the password hashes, see Rule 5), and that an overly aggressive lockout lets anyone who knows a username lock that user out, so pair it with a sensible threshold and an automatic unlock after a delay.

 

Rule 2 - Do not use common passwords; make something up that you will remember.  Not your kids' names or your cat's or dog's name, since these are easily guessed, but something only you would know, then pad it with extra characters to make it harder to figure out.  Consider a phrase such as "I love going 2 the Beach" (do not use this example).  The length, the spaces, the number and the capital letters make it a stronger password that is still easy to remember.

 

Rule 3 - Don't share passwords between users. Sharing passwords is not only a security risk but removes the ability to reliably audit a user's actions in the event of an issue.

 

You can test your password strength by going to https://howsecureismypassword.net/ and entering a password.  It gives an estimate of how long it would take somebody to crack it using a brute force attack.  You can also use the Open Web Application Security Project (OWASP) site http://passfault.com/ which does a more detailed analysis using common cracking techniques.  The password "I love going 2 the Beach" would take about 50 octillion years to crack (at the time of writing) according to howsecureismypassword.net versus 383 centuries according to passfault.com.  Either way it is a strong password.  Do not type a password you actually use into any third-party web site; test a password built the same way instead, and treat the numbers as estimates of offline brute force against a fast hash, not as a guarantee.

 

 

IMPORTANT

 

Do not use recognizable patterns.  Attackers are as smart as you are, so the obvious patterns are built into their tool kits, along with the list of the top 10,000 passwords that is published every year (the top 1,000 passwords alone account for about 91% of the passwords in use on the Internet).

 

The biggest problem is that we all pad our passwords the same way.  When required to use a mix of upper- and lower-case letters, numbers and symbols, most of us:

 

Use a name, place or common word as the seed, e.g. “fido” (statistically, women tend to use vocabulary words and men tend to use hobbies, obscene words or sexual vocabulary; the most common seeds are the user's pet's name, car model, favourite sport or team, or the word “password”)

Capitalize the first letter of the password: “Fido”

Add a number, most likely 1 or 2, or the current month, at the end: “Password1”

Add one of the most common symbols (~, !, @, #, $, %, &, ?) at the end: “letmein1!”

Change “password03” to “password04” when asked to change the password

 

Not only are these patterns obvious to professional password guessers; even substituting numbers for vowels (“F1d01!”) or appending another word (“G00dF1d01!”) doesn't help much, since crackers apply these same common patterns as mangling rules and join words from their master cracking lists together.

 

For example, users should avoid a sequence such as “qwertyuiop”, the top row of letters on a standard keyboard, or “1qaz2wsx”, which walks down the first two columns of numbers and letters on a keyboard, or the standard 1234567890.
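The habits listed above can be checked mechanically.  The following Python is an added example, not code from the original page or from Filopto: it peels padding and leet substitutions off a candidate password in the reverse of the order a cracker's mangling rules add them, looks for keyboard walks and joined dictionary words, and applies the length and character-class rules.  The word list and the keyboard walks are a constructed miniature of the real lists, and the function names are the example's own.

```python
import re

# Constructed miniature "top passwords / common words" list for the example.
# Real cracking lists run to millions of entries.
COMMON_WORDS = {"123456", "password", "letmein", "qwerty", "fido", "dog",
                "good", "tarheels", "summer", "monkey"}
KEYBOARD_WALKS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", "1qaz2wsx", "qazwsx"]
# Common "leet" substitutions, reversed so the seed word can be recovered.
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                        "@": "a", "$": "s"})
PADDING = set("0123456789~!@#$%&?*^+=._- ")


def candidate_seeds(pw):
    """Peel padding off the end (then the front) one character at a time and yield
    each intermediate form, with and without leet undone.  This mirrors the mangling
    rules a cracker applies forward: word, word+digit, word+digit+symbol, l33t..."""
    s, seen = pw, set()
    while s:
        for variant in (s.lower(), s.translate(UNLEET).lower()):
            if variant not in seen:
                seen.add(variant)
                yield variant
        if s[-1] in PADDING:
            s = s[:-1]
        elif s[0] in PADDING:
            s = s[1:]
        else:
            break


def joined_words(seed):
    """Return (a, b) if seed is simply two common words concatenated, else None."""
    for i in range(2, len(seed) - 1):
        if seed[:i] in COMMON_WORDS and seed[i:] in COMMON_WORDS:
            return seed[:i], seed[i:]
    return None


def weaknesses(pw):
    """List the predictable habits found in pw.  An empty list means none were found,
    which is not proof of strength: a real attacker's word list is far larger."""
    findings = []
    for seed in candidate_seeds(pw):
        if seed in COMMON_WORDS:
            findings.append(f"seed '{seed}' is a common password or word")
            break
        pair = joined_words(seed)
        if pair:
            findings.append(f"two common words joined: {pair[0]}+{pair[1]}")
            break
    low = pw.lower()
    for walk in KEYBOARD_WALKS:
        if walk in low or walk[::-1] in low:
            findings.append(f"keyboard walk '{walk}'")
            break
    if len(pw) < 15:
        findings.append(f"only {len(pw)} characters; Rule 5 asks for 15-16 or more")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 4:
        findings.append(f"uses {classes} of the 4 character classes in Rule 4")
    return findings


if __name__ == "__main__":
    for pw in ("Password1", "G00dF1d01!", "1qaz2wsx", "tArheels#11", "I love going 2 the Beach"):
        print(f"{pw!r}: {weaknesses(pw) or 'no obvious pattern'}")
```

The checker flags “G00dF1d01!” as good+fido with leet and padding, exactly the case the paragraph above says does not help, while the page's sample phrase passes every check.  It also flags “D0g.....................” from the advanced section as a padded dictionary word, which is the point the closing note makes about not copying that example literally.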

 

 

Rule 4 - Passwords should always contain at least one of each type of character: uppercase, lowercase, a number and a special character (see the discussion of entropy below for the reason).

 

Rule 5 - Password length is the key to security.  At the time of this writing 15-16 characters is considered the starting point for a safe password; as computers get faster that number will grow.  In December 2012 a researcher presenting at a password conference in Norway, using ocl-Hashcat Plus (a freely available password-cracking tool) on a cluster of off-the-shelf graphics cards, reached a rate of about 350 billion guesses per second against Windows NTLM hashes, fast enough to try every possible 8-character password (95^8, about 6.6 quadrillion) in under 5.5 hours.  Note that this is an offline attack against stolen password hashes: Rule 1 (lockout) does nothing against it, and the rate depends heavily on the hash algorithm, since purpose-built password hashes such as bcrypt are thousands of times slower to test than NTLM.  That is why a long password is your first defense.

 

In 2017 the same attack can be done in substantially less time with current hardware.  If you want to see how long a password would take to crack by offline brute force (the situation Rule 1 cannot help with, because no login screen is involved), http://passfault.com lets you change the type of computer doing the cracking under its option settings.  Test a password built the same way as yours rather than the real one.  The estimates are realistic and show why Rule 1 must be enforced for online logins and why length is what protects you everywhere else.

 

 

Example of how to create your personal password or pass phrase by just using words you like:

[Illustration: passwordlenght2 (image not reproduced)]
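As an added, runnable example (not part of the original page or of the Filopto software), this Python builds a pass phrase from words and a personal padding policy in the way Rule 5 and the closing note on padding recommend: something in front, something between the words, something at the end, and one word capitalized so that all four character classes are present.  The word list, the padding characters and the function names are constructed for the example; the random word picker is an addition for readers who would rather not choose the words themselves.

```python
import re
import secrets
from math import log2

# Constructed miniature word list; a real one has thousands of entries.
WORDS = ["beach", "coffee", "lantern", "orbit", "pickle", "river",
         "saddle", "thunder", "velvet", "window"]


def choose_words(count, words=WORDS, rng=None):
    """Pick `count` words.  By default uses the OS random source (secrets);
    a seeded random.Random may be passed only to make a test reproducible."""
    rng = rng if rng is not None else secrets.SystemRandom()
    return [rng.choice(words) for _ in range(count)]


def apply_padding(words, front="", between=" ", end="", capitalize=0):
    """Assemble the phrase under a personal padding policy: something in front,
    something between the words, something at the end, and one word capitalized
    (index `capitalize`, or None for no capital) so Rule 4's classes are all present."""
    ws = list(words)
    if capitalize is not None:
        ws[capitalize] = ws[capitalize].capitalize()
    return front + between.join(ws) + end


def describe(passphrase):
    """Length and character-class coverage, checked against Rules 4 and 5."""
    classes = {name for name, pat in (("lower", r"[a-z]"), ("upper", r"[A-Z]"),
                                      ("digit", r"\d"), ("symbol", r"[^A-Za-z0-9]"))
               if re.search(pat, passphrase)}
    return {"length": len(passphrase), "classes": classes,
            "meets_rules_4_and_5": len(passphrase) >= 15 and len(classes) == 4}


def random_choice_bits(word_count, wordlist_size):
    """If the words really were chosen at random, an attacker who knows the list
    must try up to wordlist_size**word_count phrases: word_count * log2(size) bits."""
    return word_count * log2(wordlist_size)


if __name__ == "__main__":
    phrase = apply_padding(choose_words(4), front="[*]", between="~", end="2")
    print(phrase, describe(phrase))
    print(f"4 words from {len(WORDS)}: {random_choice_bits(4, len(WORDS)):.1f} bits; "
          f"from 7776 words: {random_choice_bits(4, 7776):.1f} bits")
```

The last line of output makes a point the illustration cannot: four words from a ten-word list are worth only about 13 bits of guessing work, while four words from a 7,776-word list are worth about 52 bits, so if you let a program pick the words, pick them from a large list.  Words you chose yourself have no such guarantee, which is why the padding policy, kept private, still matters.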

 

 

 

 

The Myth about Changing your Password Frequently

 

Contrary to what you've been told, frequent password changes can be counterproductive.  A growing number of security experts have concluded that frequent password changes do little to improve security and may well make it worse by encouraging the use of passwords that are more susceptible to cracking.

 

The most on-point data comes from a study published in 2010 by researchers from the University of North Carolina at Chapel Hill. The researchers identified common techniques account holders used when they were required to change passwords. A password like "tarheels#1", for instance (excluding the quotation marks) frequently became "tArheels#1" after the first change, "taRheels#1" on the second change and so on. Or it might be changed to "tarheels#11" on the first change and "tarheels#111" on the second. Another common technique was to substitute a digit to make it "tarheels#2", "tarheels#3", and so on.

The UNC researchers found that when people have to change their passwords every 90 days, they tend to follow a pattern and perform what is called a transformation: they take the old password, change it in some small way and call the result a new password.  The researchers used the transformations they uncovered to build algorithms that predicted the changes with great accuracy (in one test, 41 percent of the changed passwords were cracked within three seconds).
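The transformations the UNC study describes can be turned into a predictor.  This Python is an added example, not the researchers' algorithm and not code from the page: given the previous password it enumerates the small edits listed above (moving or toggling one capital, bumping or repeating the trailing number, appending a digit or a common symbol) and reports what fraction of a password history those edits would have predicted.  The rule set is the example's own simplification and the sample history is constructed from the page's "tarheels#1" sequence.

```python
import re
import string


def predict_changes(old):
    """Return the set of 'new' passwords a user is likely to produce from `old`
    when forced to change it: toggle or move one capital, bump or repeat the
    trailing number, or append a digit or common symbol."""
    guesses = set()
    # Toggle the case of one letter: "tarheels#1" -> "tArheels#1"
    for i, ch in enumerate(old):
        if ch.isalpha():
            guesses.add(old[:i] + ch.swapcase() + old[i + 1:])
    # Move a single capital one position along: "tArheels#1" -> "taRheels#1"
    caps = [i for i, ch in enumerate(old) if ch.isupper()]
    if len(caps) == 1:
        for j in (caps[0] - 1, caps[0] + 1):
            if 0 <= j < len(old) and old[j].isalpha():
                letters = list(old.lower())
                letters[j] = letters[j].upper()
                guesses.add("".join(letters))
    # Change or extend the trailing number: "#1" -> "#2".."#10", "#11"; "03" -> "04"
    m = re.search(r"\d+$", old)
    if m:
        base, num = old[:m.start()], m.group()
        for n in range(int(num) + 1, int(num) + 10):
            guesses.add(base + str(n).zfill(len(num)))
        guesses.add(old + num[-1])
        guesses.add(old + num)
    # Append a digit or one of the usual symbols: "tarheels#1" -> "tarheels#1!"
    for ch in string.digits + "!@#$%&?":
        guesses.add(old + ch)
    guesses.discard(old)
    return guesses


def predictable_fraction(history):
    """Given successive passwords (at least two), return the fraction of changes
    the predictor would have guessed from the previous password."""
    hits = sum(new in predict_changes(prev) for prev, new in zip(history, history[1:]))
    return hits / (len(history) - 1)


if __name__ == "__main__":
    history = ["tarheels#1", "tArheels#1", "taRheels#1", "taRheels#2"]
    print(f"{predictable_fraction(history):.0%} of the changes in {history} were predictable")
```

A few dozen candidates per old password is all it takes; an attacker who has an old password from a breach tries this set before anything else, which is why a "new" password derived from the old one buys almost nothing.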

A separate study from researchers at Carleton University provided a mathematical demonstration that frequent password changes hamper attackers only minimally and probably not enough to offset the inconvenience to end users.

Over the past few years, organizations including the National Institute of Standards and Technology (NIST) in the US and the UK government agency CESG have also concluded that mandated password changes are often ineffective or counterproductive; NIST's current guidance (Special Publication 800-63B) says not to require periodic changes unless there is evidence that the password has been compromised.

Note:  

Many government regulations and pieces of legislation, such as HIPAA and personal health information (PHI) privacy laws, still require frequent password changes unless the organization can demonstrate that its password policy is secure for its situation.  Consult the rules and legislation that apply to you before opting not to force automatic password changes.  By default Filopto forces a password change.

 

 

Before you force your users to change their passwords every few months, consider increasing the minimum password length instead; it may do more good than frustrating your users.  To de-activate a user's requirement to change their password see Security Manager - Global Settings.

 

 

Advanced Password Information

 

Which of the following two passwords is stronger, more secure, and more difficult to crack?

D0g.....................

PrXyc.N(n4k77#L!eVdAfp9

 

You probably know this is a trick question, but the answer is: despite being HUGELY easier to use and remember, the first password is also the stronger of the two!  Both use all four character classes, so an exhaustive search has to draw every position from the 95 printable characters; because the first password is one character longer, an attacker must try about 95 times as many candidates (95^24 versus 95^23) to be sure of reaching it, compared with the second, impossible-to-remember-or-type password.  The attacker doesn't know how long the password is, nor anything about what it might look like, so after exhausting all of the standard password cracking lists, databases and dictionaries, the only options left are to give up and move on to someone else, or to start guessing every possible password.

 

 

ENTROPY: If you are mathematically inclined, or if you have some security knowledge and training, you may be familiar with the idea of “entropy”, the randomness and unpredictability of data.  If so, you'll have noticed that the first, stronger password looks far less random (it has much lower character-level entropy) than the second, weaker one.  Virtually everyone has always believed or been told that passwords derive their strength from having “high entropy”.  But as we see now, when the only attack left is exhaustive guessing, that long-standing common wisdom . . . is . . . not . . . correct!  The caveat is that this holds only while the attacker has no idea what your padding looks like; see the final note below.

 

 

Once an exhaustive password search begins, the most important factor is password length!  Attackers have to guess your password, so once they have tried the known, commonly used passwords they must either start guessing everything or give up.  By not using common passwords, which are easy to find on the web, you can make your password strong, simple and secure.

 

 

Top passwords in use: 123456 is the most common password and the word "password" is the second most common.  The list of the top 10,000 passwords in use is available on the web and is updated annually, and attackers make a point of using it to save time and effort when breaking into your systems.  "...Approximately one out of every nine people uses at least one password on the 500 list! And one out of every 50 people uses one of the top 20 worst passwords..”

 

 

Knowing that 41.69% of all passwords consist of only lowercase letters, a smart attacker who is forced to resort to brute force won't initially bother with passwords that contain uppercase letters, digits and symbols.  Only after an all-lowercase search out to some length has failed will the attacker decide that the unknown target password must contain other types of characters.

So, in essence, by deliberately using at least one of each type of character (uppercase, lowercase, a number and a special character), you force the attacker to search the largest possible password space, because your password will never be found in any of the smaller spaces.
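The two passwords from this section, worked through in code as an added example (not from the original page): the functions model a brute-force attacker who tries the smaller alphabets first, as the preceding paragraphs describe, and contrast that search cost with the character-frequency entropy of each string.  The 350 billion guesses per second figure is the Rule 5 rate; the tier order, the 33-symbol class size and the function names are assumptions of this example, and "Tr0ub4d&" is a constructed 8-character sample.

```python
from collections import Counter
from math import log2

CLASS_SIZE = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}  # 95 printable ASCII

# The order in which a brute-force attacker tries alphabets: the smallest (and most
# common among real passwords) first, the full printable set last.
TIERS = [
    ("lowercase only",         {"lower"}),
    ("lowercase + digits",     {"lower", "digit"}),
    ("upper + lowercase",      {"lower", "upper"}),
    ("upper + lower + digits", {"lower", "upper", "digit"}),
    ("all 95 printable",       {"lower", "upper", "digit", "symbol"}),
]


def char_classes(pw):
    """Which of the four character classes the password actually uses."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def space(alphabet, max_len):
    """Candidate strings of length 1..max_len over an alphabet of that size
    (the attacker does not know the length, so shorter guesses come first)."""
    return sum(alphabet ** k for k in range(1, max_len + 1))


def worst_case_guesses(pw):
    """Guesses needed to be certain of reaching pw when the attacker exhausts each
    tier in turn and stops at the first tier whose alphabet covers pw."""
    needed = char_classes(pw)
    total = 0
    for _name, tier in TIERS:
        total += space(sum(CLASS_SIZE[c] for c in tier), len(pw))
        if needed <= tier:
            break
    return total


def crack_years(pw, guesses_per_second=350e9):
    """Worst-case time at the 2012 ocl-Hashcat rate quoted in Rule 5 (NTLM-class hash)."""
    return worst_case_guesses(pw) / guesses_per_second / (365.25 * 24 * 3600)


def shannon_bits(pw):
    """Character-frequency entropy of the string itself, the 'entropy' this section
    means: it rewards variety within the string and ignores length-driven search cost."""
    counts = Counter(pw)
    n = len(pw)
    return -sum(c / n * log2(c / n) for c in counts.values()) * n


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4d&", "D0g.....................", "PrXyc.N(n4k77#L!eVdAfp9"):
        print(f"{pw:26} {len(pw):2d} chars  classes={sorted(char_classes(pw))}  "
              f"guesses={worst_case_guesses(pw):.3g}  years={crack_years(pw):.3g}  "
              f"entropy={shannon_bits(pw):.1f} bits")
```

Running it reproduces the claims above: the 24-character padded password needs about 95 times the guesses of the 23-character random one even though its Shannon entropy is roughly 18 bits against roughly 102, an 8-character all-lowercase password falls in under a second at the Rule 5 rate, and an 8-character password using all four classes takes about five and a half hours because the attacker has to exhaust the smaller tiers first.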

 

 

 

One Important Final Note

The example with “D0g.....................” should not be taken literally, because if everyone began padding their passwords with simple dots, attackers would soon start adding dots to their guesses to bypass the need for a full search through unknown padding.  Instead, YOU should invent your own personal padding policy.  You could put some padding in front, and/or interspersed through the phrase, and/or add some more to the end.  You could put some characters at the beginning, padding in the middle, and more characters at the end.  And also mix up the padding characters by using simple memorable character pictures like “:)” or “<->” or “[*]” or “^-^” . . . but do invent your own!
 
If you make the result long and memorable, you'll have a super-strong password that is also easy to use!