It didn’t surprise me much to learn software firm SolarWinds’ easily guessable ‘solarwinds123’ server password may have led to the massive cyberattack on thousands of institutions last year. What did surprise me (a little) was that SolarWinds executives blamed an intern for the severe lapse in password protection. With the technology available today, it shouldn’t be an intern’s fault.
A little history on passwords: they’re a decades-old authentication method, designed in the 1960s to authorize user access, and now they’re a constant headache. They’re cumbersome and we have too many to remember, each with a different length, character set, update schedule, and whatever other rule you care to add. Our frustration leads to poor password practices, like reusing the same ones again and again or choosing an easy-to-remember ‘password’ or ‘solarwinds123.’
Let’s set aside our frustration for a minute and think about why password management should be a priority. A new Risk Based Security Report found 8.4 billion records were exposed in Q1 2020 – a 273% increase compared to Q1 2019 and the most records exposed in any Q1 period. Again, I’m not totally surprised. In 2019, Microsoft uncovered more than 44 million account holders who used recycled passwords, and keep in mind, the dark web is the world’s supermarket for breached email addresses and passwords. You can guess what happens when someone gets hold of yours…
Why it should never happen.
We’re now able to create a password list (password deny list, password dictionary, etc.) that contains values known to be commonly used, expected, or compromised. Organizations can use the same lists that are available to hackers to block vulnerable passwords before they are set. According to the National Institute of Standards and Technology (NIST), a password list can include passwords obtained from a previous breach, dictionary words, and repetitive or sequential characters (e.g., ‘aaaaaa,’ ‘1234abcd’). Other NIST password standards and policies include:
NIST password requirements
- Set an 8-character minimum length.
- Change passwords only if there is evidence of compromise.
- Screen new passwords against a list of known compromised passwords.
- Skip password hints and knowledge-based security questions.
- Limit the number of failed authentication attempts.
NIST password recommendations
- Set the maximum password length to at least 64 characters.
- Skip character composition rules as they are an unnecessary burden for end-users.
- Allow copy and paste functionality in password fields to facilitate the use of password managers.
- Allow the use of all printable ASCII symbols and UNICODE characters (including emojis).
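As an added example (not code from the original post), here is a screening routine that applies the requirements and recommendations listed above: the 8-character minimum and 64-character maximum, no composition rules, Unicode and emoji accepted, a deny-list check, and rejection of values built entirely from repetitive or sequential characters. The deny list is a small constructed sample, and the run-length threshold used to call a value "sequential" is my assumption, since NIST gives only the examples.

```python
import unicodedata

# Constructed sample deny list; a real deployment loads the full breach corpus
# (hundreds of millions of entries) the text describes.
DENY_LIST = {"password", "solarwinds123", "123456", "qwerty", "letmein"}

MIN_LEN, MAX_LEN = 8, 64          # NIST: 8-character minimum, allow at least 64

def _patterned(pw: str, min_run: int = 3) -> bool:
    """True when the whole value is built from repetitive ('aaaaaa') or
    sequential ('1234abcd') runs of code points. The run threshold of 3
    is my assumption; NIST gives only the examples, not a number."""
    n, i, covered = len(pw), 0, 0
    while i < n - 1:
        step = ord(pw[i + 1]) - ord(pw[i])
        j = i + 1                          # extend the run while the step repeats
        while j < n - 1 and ord(pw[j + 1]) - ord(pw[j]) == step:
            j += 1
        length = j - i + 1
        if abs(step) <= 1 and length >= min_run:
            covered += length              # this run counts toward the pattern
            i = j + 1
        else:
            i = j                          # char j may start a different run
    return n > 0 and covered == n

def screen_password(pw: str, deny_list=DENY_LIST) -> list[str]:
    """Return every reason the candidate is rejected; an empty list means accepted.
    No composition rules (upper/lower/digit/symbol) are applied, per NIST."""
    reasons = []
    # NIST SP 800-63B: normalize (NFKC) and count code points, so 'ä' and emoji each count once
    pw = unicodedata.normalize("NFKC", pw)
    if len(pw) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    # Only control characters are refused; all printable ASCII, Unicode and emoji pass
    if any(unicodedata.category(c) == "Cc" for c in pw):
        reasons.append("contains control characters")
    # Case-insensitive deny-list match is a design choice here, not a NIST mandate
    if pw.lower() in deny_list:
        reasons.append("found on the compromised/common password list")
    if _patterned(pw):
        reasons.append("repetitive or sequential characters")
    return reasons

if __name__ == "__main__":
    print({p: screen_password(p) for p in ("solarwinds123", "1234abcd", "aaaaaa")})
```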
Per NIST, if these password policies are followed, passwords should never be changed unless they are compromised. I would also implement robust biometric and multifactor authentication to ensure the person requesting access is who they say they are and is authorized to view the information.
Lastly, use a password management monitoring solution that can alert management and employees of any poor password practices. This is an investment worth making NOW, not after a compromise or breach takes place.
Do you have an effective password management program? Need help identifying and implementing solutions for your business? Contact CIBR TODAY for a total Cyber Security consultation and/or professional Cyber Security and IT Networking staff augmentation solutions.
If you’re interested in learning more about IT Security and/or how to become a Cyber Security professional yourself, visit MyComputerCareer.
Don Cox has over 25 years of experience in technology. Don started his career as a Special Agent with the US Secret Service Electronic Crimes Task Force in Washington DC, investigating high-tech crimes and conducting computer forensic investigations. He served as the Chief Information Security Officer at MEDNAX, the physician-led healthcare organization headquartered in Sunrise, FL. Don was selected as a Peerlyst Community: 29 Highly Influential CISOs of 2019. He serves as an Executive Member for CyberTheory.io and CyberEdBoard Community.
Before MEDNAX, Don was the Chief Information Officer at HHS, SAMHSA, and held executive leadership positions in several other government agencies. He served as the Deputy Chief Information Officer at Philidor Rx, Chief Information Officer at NOVA Corporation, and President, Innava Data Solutions.
Don holds a Master of Business Administration, Master of IT Management, Graduate Certificate in Chief Information Officer Competencies, CISM, Security+, PMP, ITIL, and other computer forensics and industry certifications.