At the beginning of the year Nathen brought us the really helpful guide to keeping your sensitive information safe. As 2013 draws to a close, I thought I would dig a little deeper into one particular aspect: passwords.
Most (hopefully all!) IT software and support companies strongly recommend that you secure your systems and files with a "complex" or "strong" password, and that this password is changed on a regular basis.
However, users want to access their systems quickly and easily, and a hard-to-remember password that's often changing can be a frustration. Whilst this is understandable, it's also an essential part of keeping your files, your network and ultimately your organisation safe, so it is important that everyone gets on board. With this in mind, I thought I would take some time to explain what a "complex password" actually is, and why they are so important.
Why we recommend a complex password
Did you know that 80% of UK small businesses have suffered a computer security breach in the last year? That's not from a security software website but from the Department for Business, Innovation and Skills 2013 Hacking Survey. This statistic is pretty alarming, and points towards the fact that small businesses are often seen as an "easy target". Attacks are opportunistic, with attackers attempting to see if they can find anything.
I've talked before about firewalls (which are very important and should be implemented correctly, as 60% of attacks were by unauthorised outsiders), but many organisations access their networks via Outlook Web Access or Remote Desktop. If these services are implemented properly, they can allow you to work flexibly, allowing you to securely work from other locations (at home or other offices for instance), send and receive email and access important files on a mobile device. These services require a password to access, and if this password is simple, access to your network is easy for hackers.
Modern processors allow simple passwords to be cracked quickly, without the need for expensive equipment.
What does the law say?
Article 7 of the Data Protection Act states that:
"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
You may be required to disclose that you have been hacked which can cause severe damage to an organisation's reputation.
"From 26 May 2011 certain organisations (service providers) have a requirement to notify the Commissioner, and in some cases individuals themselves, of personal data security breaches." Source: Information commissioner's Office: Guidance on data security breach management
Having a complex password policy and enforcing it with your IT system is a great way of complying with the above. Windows Server 2003 or later includes this as standard, so no extra spending is required.
How can hackers guess my password?
Hackers use a number of methods to guess passwords, and I've described the most common below. Modern technology is making it easier than ever, and many of the tools used to carry out these attacks are available for hackers to download for free.
- Dictionary attack As the name suggests, a dictionary attack tries dictionary words to attempt to crack your account. Systems can run through the options very quickly.
- Brute force attacks These are similar to a dictionary attack, but can include alpha-numeric (letter and number) combinations too.
- Rainbow table attack This is a little more complex. Essentially, a password converts to a ‘hash' which is what the computer uses to check if your password matches its record. Rainbow tables use precomputed hashes. Think of it as a dictionary attack, but quicker.
Obviously the simpler your password, the easier it is to hack. Complex passwords help protect you against these hacks, or from people simply guessing your passwords.
So what is a "complex" password?
According to Splashdata, the most commonly hacked passwords last year were:
password, monkey, iloveyou, 123123, jesus, 123456, letmein, trustno1, welcome, michael, 12345678, dragon, 1234567, shadow, ninja, abc123, 111111, sunshine, ashley, mustang, qwerty, baseball, master, football, password1 (Source: Splashdata)
It's fair to say that none of the above would satisfy a complex password policy.
Microsoft's definition of a complex password requires 3 of the following 5 catagories to be present in your password:
- An uppercase character
- A lowercase character
- A number
- A non-alpha-numeric character (such as: !"£$%^&*()_+~)
- Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from other languages.
It should also be at least eight characters in length.
You can check your password complexity using this handy tool from Microsoft.
Is it a good idea to enforce regular password changes?
Regularly changing your password can mean that people don't have time to run the attacks mentioned previously (it can take weeks or months to crack a really complex password, as opposed to a few seconds for a simpler one). Also, if someone has seen your password, it limits the amount of time they have to access your resources.
For these reasons, it can be hugely beneficial to enforce regular changing of passwords throughout your organisation.
Is a complex password vulnerable?
Whilst complex passwords are far more secure than the simple variety, they can still be written down, shared or stolen.
Social Engineering attacks are a common way to convince users to expose passwords with an official looking email from their line manager (complete with logos and signature) or from the IT department, or a fake website that looks very similar to a company page. Often people will double check an email from eBay or HMRC, but how many of us do this with emails that look like they were sent from colleagues?
Remember, your IT administrator should never need to know your password because they should have access to all user data already.
You should never need to share your password with a colleague (if they need access to your resources, ask your IT administrator to give their user account the appropriate permission).
Whilst you could have an official company policy forbidding the sharing of passwords, employees of course can still do so. If someone gives a colleague their password in order to access one file or folder, there's nothing to prevent them getting access to other files or folders whilst they are there.
If password sharing is a concern for your organisation, or you want to remove the ability for a hacker to use the attacks mentioned in this blog, considertwo-factor authentication. When the user enters their password, they also receive a PIN number sent to them via SMS, from a keyfob or smart mobile application that is linked to them (and kept in their pocket). You might already be familiar with this idea as it's used by many banks to access online banking. This ensures that even if the password is known - it's of no use because both the password and time specific PIN required to grant access.
If you need some guidance on creating a safe network, from passwords to encryption, get in touch!