There is a bit of serendipity associated with World Password Day 2022. This year the day falls on May 5, the day before the first anniversary of the devastating Colonial Pipeline ransomware attack, which was initiated through a compromised password.
The combination of National Password Day and the Colonial Pipeline anniversary should help remind everyone that password security is incredibly important and ever evolving. This evolution is not necessarily due to any revelation the common user has had about creating their personal password.
Instead, the change is due to the constant advancement in technology and the ability of attackers to crack those passwords. Ten years ago, a six-character password like ‘Be4r$1’ would have taken the Cain and Abel tool about 93 years to break. However, now that same password can be recovered in about five seconds, thanks to faster and more advanced processors and the switch from central processing units (CPUs) to graphics processing units (GPUs) for password cracking.
These technological advancements create a nasty conundrum for organizations. They must strike a balance between requiring long and secure passwords and not annoying their workers and slowing down productivity.
Long, complex passwords are cumbersome, and people can get aggravated by inputting them repeatedly. When IT requires computers to lock after five minutes of inactivity, staff often feel like they are typing ‘FRBuyps#6Ph3’ 50 times a day, which is probably true on some days, wasting valuable time better spent on other tasks.
However, there is a solution.
Many organizations get stuck evaluating whether password length or complexity is more important, with most preferring complexity. But what organizations and users miss is the fact that a very long password can be just as secure as a complex one and can often be easier to remember and input.
For example, ‘FRBuyps#6Ph3’ at current rates would take about 34,000 years to crack but would be agonizing for an employee to input each time a company computer is locked.
Instead of using ‘FRBuyps#6Ph3’, people use alternatives like ‘Summer#2002’, which satisfies complexity standards but is featured in every cracking dictionary in the world, making it easily guessed in minutes.
However, password length is one area where workers and the corporate IT team can find some common ground.
For example, ‘iHatemyc0mpanyspasswords~’, although very simple and easy to remember, would take somewhere in the ballpark of 7 quadrillion years to crack with today’s tools.
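The length-versus-complexity argument above can be made concrete with a small local strength estimator. The following is an added example, not code from the original article: it models the brute-force search space as (character-set size)^(length), converts that to bits of entropy and to a worst-case exhaustion time at an assumed guess rate, and flags the "dictionary word plus digits and symbols" shape that passes complexity rules but fails in practice. The guess rate, the character-class model and the tiny stand-in wordlist are all assumptions; real cracking wordlists hold millions of entries and real rig speeds vary with the hash algorithm. Because it runs entirely on your own machine, it also avoids the risk the article raises about pasting passwords into untrusted online checkers.

```python
import math
import string

# Character classes an attacker must cover in a blind brute-force search.
# This is the classic "naive entropy" model: it assumes the attacker knows
# nothing about the password except which classes of characters it uses.
CLASSES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), len(string.punctuation)),  # 32 symbols
]

# Constructed stand-in for a cracking dictionary (assumption: real wordlists
# are vastly larger). Used only to illustrate the 'Summer#2002' failure mode.
COMMON_WORDS = {"summer", "winter", "spring", "password", "welcome", "company"}

# Assumed guess rate for a modern GPU rig against a fast, unsalted hash.
ASSUMED_GUESSES_PER_SECOND = 1e10


def charset_size(pw: str) -> int:
    """Sum the sizes of the character classes the password actually uses."""
    return sum(n for chars, n in CLASSES if any(c in chars for c in pw))


def search_space(pw: str) -> int:
    """Number of candidates a brute-force search of this shape must cover."""
    return charset_size(pw) ** len(pw)


def entropy_bits(pw: str) -> float:
    """Search space expressed in bits (log2), the usual strength metric."""
    return math.log2(search_space(pw))


def seconds_to_exhaust(pw: str, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return search_space(pw) / guesses_per_second


def looks_dictionary_based(pw: str) -> bool:
    """True when stripping digits/symbols leaves a common word, i.e. the
    password is really 'word + decoration' and a wordlist attack, not
    brute force, is the realistic threat model."""
    core = "".join(c for c in pw if c.isalpha()).lower()
    return core in COMMON_WORDS


def human_duration(seconds: float) -> str:
    """Render seconds as the largest convenient unit for a report line."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def assess(pw: str) -> dict:
    """Single report record for one password under the model above."""
    return {
        "password": pw,
        "length": len(pw),
        "charset": charset_size(pw),
        "bits": round(entropy_bits(pw), 1),
        "brute_force_time": human_duration(seconds_to_exhaust(pw)),
        "dictionary_shape": looks_dictionary_based(pw),
    }


if __name__ == "__main__":
    # The article's own examples: short-and-complex, word-plus-decoration,
    # and long-but-simple. Only the model and rate are assumed.
    for pw in ["Be4r$1", "FRBuyps#6Ph3", "Summer#2002", "iHatemyc0mpanyspasswords~"]:
        r = assess(pw)
        warn = "  <-- wordlist target, brute-force estimate is meaningless" if r["dictionary_shape"] else ""
        print(f"{r['password']:<28} len={r['length']:<3} charset={r['charset']:<3} "
              f"{r['bits']:>6} bits  {r['brute_force_time']}{warn}")
```

The report makes the article's point visible: ‘iHatemyc0mpanyspasswords~’ draws from the same 94-character set as ‘FRBuyps#6Ph3’, but its 25 characters put it more than 80 bits ahead, while ‘Summer#2002’ gets a large brute-force figure that is irrelevant because a wordlist attack will hit it first. Absolute times depend on the assumed rate and the hash in use; the ordering between the passwords does not.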
Security.org has a helpful password-strength tool to test your password. Please remember, if you choose to check your password’s strength, make sure to use only a trustworthy tool. Otherwise, you may well be giving your password to a threat actor who might quickly put it to use or place it into a password dictionary.
The final point to remember is that what is secure today may not be secure tomorrow. This makes consistent security testing critical. In addition, hackers are always escalating and finding new ways to break both new and old security processes. Therefore, testing the waters periodically to ensure that what you think is secure truly is secure is paramount.
Here are some top tips that we recommend all organizations follow to ensure they have a strong password security posture: