As an MSP, your reputation hinges on your ability to keep your clients and your own infrastructure secure. While you’re almost certainly taking steps to protect, monitor, and remediate your clients’ networks, there’s always a dark cloud hanging overhead: passwords.
Creating secure passwords seems easy enough, right? We know that 90% of internet users are concerned about getting their passwords hacked and that 53% of people rely on their memory to manage passwords. This creates real opportunity for Managed Service Providers to bring up password management with clients and propose solutions.
You know full well how difficult it can be to enforce strong password policies – especially outside of your own organization. Even though this is a struggle, it’s one that MSPs can’t take lightly. Who can afford to leave your entire business vulnerable because a client’s employee keeps using “12345” as their password?
Before we get into some of the best ways to educate your end-users on password hygiene (and help them create stronger passwords), let’s take a look at why this layer of security awareness is so crucial.
Passwords and Data Breaches
Data breaches may seem relatively harmless when they show up on the news. Companies usually admit they’ve had data stolen, apologize, and then agree to fix whatever security flaws led to the problem. The effect of the entire ordeal on the consumer is often overlooked or minimized.
The reason why data breaches, even those that seem trivial, are serious is because the data that’s stolen can often be used to compromise other, more important accounts. For instance, you may be notified of a data breach involving a free app that you barely use and think that there’s nothing to worry about — and you may be right, until your stolen account data is purchased on the Dark Web and used to sneak into your email and bank accounts.
Stolen usernames and passwords are valuable on the black market because they so easily lead to other opportunities. Why? Because so many people reuse passwords or create weak passwords using a predictable pattern. Poor password hygiene turns what seems like a minor breach into a major problem.
Because personal login credentials are so important, many people ask “what are the best practices to create a secure password?” Before getting into the specifics, let’s review how passwords get stolen and hacked in the first place.
How Passwords Are Hacked
There are quite a few ways that hackers can get your passwords. The easiest is to buy your credentials off the dark web. As we mentioned above, cybercriminals place value on stolen credentials because they know how many people reuse passwords. They can buy thousands of credentials at one time, and then simply run the password(s) through all accounts associated with that email address.
If a cybercriminal wants to get into an account, they also have means of cracking passwords without buying credentials. The most common methods are described below:
Brute Force Attack
This type of attack uses rapid, repeating guesses at the password or the password hash. The software makes thousands of guesses every second, and continues to get more advanced. Currently, it takes around 30 minutes to crack a six-character password using techniques like this.
The time it takes to crack a password with brute force increases exponentially as the length of the password increases. Increasing a password to ten characters will turn that 30-minute process into a 150-year endeavor. This is why long passwords are essential for good password hygiene.
Dictionary Attack
Rather than guessing at randomized character combinations, a dictionary attack uses a preset word list to guess passwords. Some cracking software allows the cybercriminal to input words and numbers that you’re likely to use — such as pet names, the name of your street, and permutations of your birthday.
If your password is a common word, a dictionary attack is very likely to succeed. One can thwart a dictionary attack by using combinations of words. This method makes it very difficult if not impossible for the guessing software to land on the correct password. For example, using “VehicleRadioDogCampus” is much safer than using any single word. The more words used in the combination, the better.
Phishing
Phishing is a type of social engineering attack that has become extremely commonplace. In such attacks, the cybercriminal tries to trick the target into taking a specific action, usually by pretending to be a person or business that you already trust. They may send an email that appears to be from Microsoft telling you to download an important Windows update which is actually a bit of malware. Or they may claim to be from your bank, asking for details related to your accounts that will then be used to gain illegal access to your funds. This is often accomplished by creating fake login screens that look exactly like your bank or another institution’s login screen. The hacker simply waits for you to click through the email and enter your credentials into the site, thus capturing your login and password.
These days, phishing attacks come through the phone and text messages as well as email. Cybercriminals will often call and pretend to be a financial institution, bill collector, or even a law office, and attempt to pressure the target to send money or hand over account details. It’s important never to respond to or encourage these types of callers, as they will use any tactic they can think of to intimidate you into cooperating.
What is a Strong Password?
Once you know how passwords are hacked, you can make smart decisions about your own passwords to minimize your risks. Creating secure passwords will protect you from most cracking attempts. Using unique passwords will protect your accounts in the event that one set of login credentials is leaked or stolen. You will still need to exercise due diligence when it comes to phishing attacks, as the only way to thwart them is to avoid falling for the ruse.
Let’s explore what it takes to create a truly strong password.
Don’t Make the Most Common Mistakes
First off, don’t use obvious passwords. This includes passwords that involve your name, birthday, or any other information that someone can obtain through a few minutes of Facebook browsing.
Don’t use sequences of numbers or letters. It goes against all common sense, but “123456” is still a commonly used password. Such passwords might as well not exist at all, as they only take a few seconds to crack.
Stop Brute Force Attacks
A password’s length and complexity can stop a brute force attack. Take these tips to heart:
- Make the password long. When it comes to beating cracking software, the length of the password is your main defense. Creating secure passwords means creating long passwords. Make all passwords at least 10 characters, but don’t feel the need to stop there. A 15-character password will be virtually uncrackable using today’s tech.
- Use a mix of characters. Combine upper and lowercase letters, numbers, and symbols as much as possible. When creating secure passwords, the more variety among the characters, the harder it is to brute force through it.
- Don’t use obvious keyboard paths. Using the layout of your keyboard as a memorization aid will only work against you. (For example, using “qwerty” or “zxcvb” because they’re sequential on the keyboard.) Hackers use these sequences first because they are so common.
- Avoid common substitutions. You can’t fool hackers with “leetspeak” since this practice of character substitution originated with the tech savvy. It might seem like “C@$hM0N3Y” is a really clever password. However, it’s really no more secure than “CASHMONEY” to someone who knows the normal substitutions.
Avoiding Dictionary Attacks
Avoid dictionary attacks by not using standard words in your password, especially a single standard word like “bookcase”. If you want to use words in your password, use several of them, and sprinkle in some numbers and special characters to harden the password against brute force cracking.
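As an added example (not Password Boss’s code), here is a policy check that flags the mistakes listed above and estimates the brute-force keyspace that length and character mix produce; the word list, keyboard rows, substitution table and guess rate are constructed assumptions.

```python
import math
import re

# Constructed, deliberately small lists; a real check would load a large
# dictionary and a breached-password list (assumption about deployment).
COMMON_WORDS = {"password", "bookcase", "cashmoney", "letmein", "welcome"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
# Undo the usual leetspeak before the lookup: "C@$hM0N3Y" -> "cashmoney".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e", "1": "i", "5": "s"})

def charset_size(pw: str) -> int:
    """Alphabet an attacker must search, from the character classes present."""
    size = 0
    if re.search(r"[a-z]", pw): size += 26
    if re.search(r"[A-Z]", pw): size += 26
    if re.search(r"[0-9]", pw): size += 10
    if re.search(r"[^a-zA-Z0-9]", pw): size += 33   # printable ASCII symbols
    return size

def brute_force_bits(pw: str) -> float:
    """log2 of the keyspace = length * log2(alphabet); length dominates."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0

def crack_seconds(pw: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to exhaust the keyspace at an assumed guess rate."""
    return 2 ** brute_force_bits(pw) / guesses_per_second

def has_sequence(pw: str, run: int = 4) -> bool:
    """Runs of consecutive code points such as '1234', 'abcd' or 'dcba'."""
    codes = [ord(c) for c in pw.lower()]
    steps = [b - a for a, b in zip(codes, codes[1:])]
    return any(len(set(steps[i:i + run - 1])) == 1 and abs(steps[i]) == 1
               for i in range(len(steps) - run + 2))

def has_keyboard_path(pw: str, run: int = 4) -> bool:
    """Fragments such as 'qwer' or 'vcxz' lifted from a keyboard row."""
    s = pw.lower()
    return any(row[i:i + run] in s or row[i:i + run][::-1] in s
               for row in KEYBOARD_ROWS for i in range(len(row) - run + 1))

def check_password(pw: str, min_len: int = 10) -> list:
    """Return the policy findings; an empty list means the password passes."""
    rules = [(len(pw) < min_len, f"shorter than {min_len} characters"),
             (charset_size(pw) < 36, "uses a single character class"),
             (has_sequence(pw), "contains a sequential run"),
             (has_keyboard_path(pw), "contains a keyboard path"),
             (pw.lower().translate(LEET) in COMMON_WORDS,
              "dictionary word behind common substitutions")]
    return [msg for hit, msg in rules if hit]
```

Comparing `crack_seconds` for a six- and a ten-character lowercase password shows the 26^4 growth in search time that the brute force section describes.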
Creating Secure Passwords
Creating secure passwords is easier than you think. The team here at Password Boss knows how to make a solid password, and we have our favorite methods for doing so. Put some of the below tips to use and you’ll be creating uncrackable passwords in no time.
The Passphrase Method
You may have encountered “passphrases” at some point, particularly if working with two-factor authentication or using a password recovery system. Passphrases are typically a combination of common words that are used as an additional identifier, such as “harmonious owl gladly dancing”.
You’ll notice that this passphrase is structured as follows: [adjective noun adverb verb]. Passphrases may be easier to remember when structured this way.
You can use the same idea to create your passwords, although you will want to add a few twists to ensure they’re very difficult to guess. You can still use a structure that makes it easy to remember, but be sure to use long, uncommon words.
To increase complexity even further, you will want to add a few random characters into the mix as demonstrated in the last example.
The Remix Method
This system uses phrases that are known to you to create randomness while still giving you a means to easily remember the password. Simply take two phrases that you can easily remember, reduce each to its initials, and then work in a series of random characters.
For example, you may use two phrases that you’re personally fond of, such as “I cannot tell a lie” and “four score and seven years ago” to create:
Because the phrases are both presidential and the numbers are from the date 1776, the password might be very easy to remember while still being nearly impossible for software to crack. Of course, this method works best when using phrases and associations that are easy for you to remember. If American history isn’t in your wheelhouse, you can use celebrity quotes, motivational sayings, or other meaningful root phrases.
The Sentence Method
One of the best methods for creating secure passwords, also known as the “Bruce Schneier Method”, is to transform a random sentence into a password using a set rule. For example, you may want to use the first two letters in every word of the sentence and alternate the upper and lower case. In this example, the sentence “There’s more than one way to skin a cat” would become the password:
This would be extremely difficult for someone to guess, but you can remember it easily as long as you remember the rule used to create it. To be even more secure, use uncommon sentences rather than known phrases, and intersperse random characters as usual.
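As an added example (not Password Boss’s code), a small generator for the Passphrase Method and the Sentence Method described above, with an entropy estimate showing why each extra word helps; the word list, the separator set and the word-by-word case alternation are assumptions, since the page’s own example passwords are not reproduced here.

```python
import math
import secrets
import string

# Constructed word list standing in for a published one (assumption: a real
# generator loads several thousand words, e.g. a 7776-word diceware list).
WORDS = ["harmonious", "owl", "gladly", "dancing", "vehicle", "radio", "dog",
         "campus", "lantern", "quartz", "meadow", "glacier", "saddle", "pepper",
         "orbit", "velvet"]
SEPARATORS = string.digits + "!#$%&*+-=?@^_"   # the "few random characters"

def passphrase(n_words: int = 4, words=WORDS) -> str:
    """Passphrase Method: n words drawn with a CSPRNG, joined by random
    digits or symbols so the result also resists a pure word-list attack."""
    picks = [secrets.choice(words) for _ in range(n_words)]
    seps = [secrets.choice(SEPARATORS) for _ in range(n_words - 1)] + [""]
    return "".join(w + s for w, s in zip(picks, seps))

def passphrase_bits(n_words: int, dict_size: int, seps: int = len(SEPARATORS)) -> float:
    """Entropy of a random passphrase: each word adds log2(dict_size) bits,
    each separator log2(seps). Every extra word is worth ~13 bits at 7776."""
    return n_words * math.log2(dict_size) + (n_words - 1) * math.log2(seps)

def sentence_method(sentence: str, letters: int = 2) -> str:
    """Sentence Method: keep the first `letters` letters of each word and
    alternate case word by word (assumption: one reading of the page's rule)."""
    out = []
    for i, word in enumerate(sentence.split()):
        frag = "".join(ch for ch in word if ch.isalnum())[:letters]
        out.append(frag.upper() if i % 2 == 0 else frag.lower())
    return "".join(out)
```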
Other Ways to Improve Your Password Security
While the above methods are great for creating secure passwords, many people need to remember dozens of passwords — and remember, they all need to be unique. That’s a lot of memorization, and the difficulty in doing this correctly is the major reason why so many users are still resisting good password hygiene.
The following are ways to continue to improve your own password security while dealing with the challenge of handling a large number of passwords:
Use a Password Manager with Every Client
A password manager like Password Boss keeps track of all of your clients’ passwords and does all the remembering for them. End-users need only create and remember one strong password: the Master Password for the password management tool.
For that password, your end-users should use all the techniques above to create a super strong, uncrackable password. Or, even easier, they can use the password generator within the password manager to create them.
As an MSP, you also get a few more benefits from deploying password managers across your client list. Centralized password management makes administration easier, your overall risk profile is reduced, and you’ll have to deal with far fewer password reset tickets.
Check for Compromised Credentials
If one of your passwords has already been leaked or stolen, you should immediately change all of your passwords to prevent further intrusions — especially if you’ve made the mistake of reusing the same password in other logins.
Various cybersecurity and IT companies offer free Dark Web scans to check if your email address is associated with any stolen credentials for sale online. Such scans can warn you early and give you time to change passwords before any damage is done.
Use Multi-Factor Authentication
Multi-factor authentication (MFA) adds an extra layer of protection that makes intrusion considerably more difficult. Even if someone obtains or guesses your password, an MFA or two-factor authentication setup will require them to have access to some other asset that you control, such as your email or smartphone. Typically, they will send a one-time code via text that you must enter along with your password to gain access.
2FA is very difficult to bypass, which is why enabling multi-factor authentication is a highly recommended best-practice among cybersecurity professionals. (Some will even require their clients to activate it, and it’s becoming a must-have for many cyber insurance providers.)
Additional Account Security Tips
- Use a virtual private network (VPN) when on public wireless networks. Hackers will commonly intercept or spoof public Wi-Fi networks in places like cafes and airports to capture login information from anyone who is connected.
- Never text or email anyone your password. Do not share account details with anyone posing as a representative of a company that you trust.
- Many accounts ask you to select security questions for password recovery. Choose questions that are not easy to figure out based on information you’ve posted in social media. Social engineering for this sort of thing is rampant — for example, those Facebook posts which ask people to comment with the names of their pets or the street they grew up on are actually asking you to post answers to some of the most common recovery questions.
- Protect yourself by securing those around you. Cybersecurity is a chain, and the weakest link will be the one that’s exploited. Once someone you know has been compromised, it’s much easier for cybercriminals to gain access to your data. Share this post with coworkers and family, spread the word, and encourage strong password usage.
Why Password Boss?
- Protection from security breaches – creates unique, strong passwords that are different for every site.
- Automatic website login – visit a website and your username and passwords are entered automatically for you.
- Store every password – Keep all of your passwords for websites, apps, Wi-Fi, everything, all in one place.
To attend one of our webinars and see Password Boss in action, visit here.