
Password: best practices

Written by Cyberangels
Updated over 2 years ago

A strong password policy is often the first line of defence against cyber attacks, yet many organisations continue to follow outdated guidelines that expose them to significant risk.

Lost or stolen credentials remain the number one hacking tactic used by malicious actors to perpetrate data breaches.

To ensure your password policy is effective and meets the standards recommended by NIST, Microsoft and NCSC, we have compiled all the latest guidelines into actionable advice your organisation can use to improve password security.

  • Read Cyberangels' password policy and put it into practice, and implement a password manager to increase your level of protection.

Make sure you use secure passwords

How do they discover your passwords?

The creation and management of passwords is still a critical issue in many organisations. Using a password that is easy to guess makes you more vulnerable to hacker attacks.

How? By following a few simple steps:

  • Target identification: reconnaissance of the publicly exposed assets of the company or individual (social media, website, etc.). In this phase, language and thought patterns are sought. Scraping programmes are often used to create dictionaries of custom passwords based on these patterns.

  • Attempts with the most common passwords: entire datasets of common passwords exist that are easy to find and, contrary to what one might think, do not only include obvious passwords such as 123456, admin or the word password itself. These libraries derive from collections of data breaches that have taken place over the years, and they also allow other software to apply permutations to words so as to bypass even the complexity given by character sets (James → James105 → James?_56, etc.).

  • Brute force attacks: some programmes use the dictionaries identified in the previous steps against the account to be hacked (testing hundreds of thousands of possible options) until access is obtained.

Use different passwords for each account

Once hackers have discovered the username and password of one account, they can easily try these credentials in all other accounts of the same user (this type of attack is called password spraying and is fully automatable with software and bots).

If you have recycled credentials, that is, if you have used the same username and password for other sites or services, the attackers will have found the access key to all your accounts that share these same credentials.

Don't change your passwords too frequently

The dogma of changing passwords every 3 to 6 months has fallen. In 2017 Bill Burr (who worked at NIST in 2003 and contributed to NIST SP 800-63 Appendix A, which contained advice on how to choose an effective password) "apologised" to users, because "the requirement to change passwords frequently does not serve to guarantee password security". On the contrary, according to Burr, if users have to change their passwords frequently, they end up choosing simple and repetitive ones. Dozens of subsequent research studies show that the more often someone is asked to change their password, the weaker the passwords they choose (for example by substituting a single character at the end).

So: let's choose a password only once, but one that is strong.

Make sure (where available) that you have enabled multi-factor authentication

Two-factor authentication (2FA) or multi-factor authentication is a secure authentication method for computer systems and platforms and consists of using two methods instead of one, e.g. entering a password and scanning a fingerprint. Two-factor authentication effectively protects accounts because it adds an extra layer of security, making it more difficult for hackers and unauthorised users to gain access.

Two-factor authentication

To access a protected system, the user must identify and authenticate. Usually, identification consists of entering one's username, while authentication is the step where the user proves his or her identity, for instance by entering a password that only he or she can know.

Over time, hackers and criminals have evolved and the standard authentication system is no longer sufficient to effectively protect accounts. This is why the concept of multi-factor authentication (MFA) was introduced, which involves the use of multiple factors during authentication. These factors can be of three types:

  1. Something you know, e.g. a password

  2. Something you have, e.g. a smartcard or other authentication device

  3. Something you are, e.g. fingerprint or facial recognition

Two-factor authentication is a method that combines the use of two factors of different categories. For example, a two-factor authentication process is the unlocking of the phone immediately after switching it on, where the user:

  • Enters the PIN (something you know)

  • Makes a scan of their fingerprint (something you are)

This protects the system with two layers of security instead of one and reduces the risk of unauthorised access.

Update company network passwords by following the practices suggested by Cyberangels

Why is it important to protect electronic devices with complex passwords?

Every service we use on the Net (e-mail, online banking, social networks) requires a password which, combined with the chosen username, protects your information from unauthorised access.

The problem of passwords arises when one has to create numerous accounts for work and leisure.

However well trained our memory may be, if we consider that an average user has about 5 to 10 accounts and that passwords, by their very nature and for our security, must be changed every 3 months on average, it becomes difficult to keep track of them and remember them all.

It is therefore important to keep track of them, but even more important is how to create a secure enough password.

The passwords that are easiest to hack are obviously those based on simple words, e.g. your name or that of a family member, your date of birth, the name of your pet, or your favourite city or holiday resort, and it is a good idea to change them immediately.

This information can be found very simply by consulting a user's profile on Facebook or another social network.

A careless user, by publicly disclosing information about his private life or interests, can unwittingly facilitate attacks by cyber attackers looking for sensitive data.

What is the best strategy to generate a 'virtually impregnable' password?

There is no such thing, but we can try to make passwords more secure and, above all, less predictable.

The best approach is to produce a password containing a mixture of alphanumeric characters (upper and lower case letters and numbers) and possibly also symbols or special characters (e.g. "#", "%" or "!").

Each password should be a complex sequence of letters and numbers, at least eight characters long, preferably 12.

A password becomes more secure the greater the number of characters it contains and the more diverse their type.

How to create passwords that are secure enough?

Do not just use words or numbers

E.g. Paolo Rossi, born 23/03/1970:

Paolo23, Rospao70, 23370paoross, etc. are all unsafe passwords.

Don't use common words

E.g. (flower lovers) Dalia1, Camelia18 etc.

Do not use personal information

(art lovers) sunflowers, kiss, venus or summer91, pariswinter etc.

Do not use words in another language or character set.

(mathematicians) 112358 (linguists) концентриран

Don't use given names or information of historical and/or famous people.

Pirandello36, totò89, noncirestachepiangere, rocky etc.

Don't use words backwards

Ereilavac, Ottag, Orebla etc.

Don't use the same password (however secure it may be) on multiple accounts.

This way, if one account is breached, it is still possible to protect the rest of our data.

Don't use words for things we don't like or don't love.

Words related to our experience are easy to guess.
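As an added example (not part of Cyberangels' article), a small Python checker that applies the rules above to the page's own unsafe examples: length and character mix, common or mangled dictionary words (James → James?_56), reversed words, and fragments of the user's name or birth date. The wordlist and the sample user (Paolo Rossi, born 23/03/1970) are constructed for the demonstration.

```python
import re

# Constructed sample wordlist (a real deployment would load a breach-derived
# dictionary): common passwords, the page's "flower/art lover" words, the
# mangled "James" example, and the Italian words the page lists reversed
# (cavaliere, gatto, albero).
COMMON_WORDS = {
    "password", "admin", "james", "dalia", "camelia", "sunflowers", "kiss",
    "venus", "summer", "paris", "winter", "rocky", "pirandello", "toto",
    "cavaliere", "gatto", "albero",
}

def normalize(pw):
    """Undo the cheap permutations attackers apply to a dictionary word
    (James -> James105 -> James?_56): lower-case and drop digits/symbols."""
    return re.sub(r"[^a-z]", "", pw.lower())

def check_password(pw, name_tokens=(), birth_date=None):
    """Return the list of rules the candidate violates (empty list = accepted).
    name_tokens: e.g. ("Paolo", "Rossi"); birth_date: "dd/mm/yyyy" or None."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    elif len(pw) < 12:
        problems.append("shorter than the preferred 12 characters")
    if pw.isalpha() or pw.isdigit():
        problems.append("only letters or only digits")
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]"))
    if classes < 3:
        problems.append("fewer than three character types")
    base = normalize(pw)
    if base in COMMON_WORDS or base[::-1] in COMMON_WORDS:
        problems.append("dictionary word, possibly mangled or reversed")
    low = pw.lower()
    for tok in (t.lower() for t in name_tokens):
        # Whole token or any prefix of 3+ letters ("ros" + "pao" in Rospao70)
        if any(tok[:n] in low for n in range(len(tok), 2, -1)):
            problems.append(f"contains a fragment of the name '{tok}'")
            break
    if birth_date:
        d, m, y = birth_date.split("/")
        if any(frag in pw for frag in (d + m + y, d + m, y, y[-2:], d, m)):
            problems.append("contains a fragment of the birth date")
    return problems

if __name__ == "__main__":
    for cand in ("Paolo23", "Rospao70", "Ereilavac", "James?_56", "концентриран"):
        print(cand, "->", check_password(cand, ("Paolo", "Rossi"), "23/03/1970"))
```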

Why acquire and purchase password management software?

A password manager is software that allows users to store their authentication credentials to sites and services in an encrypted repository, a digital 'safe'.

A password manager stores all passwords in an encrypted archive, protected by a single master password, and provides them to us when we need them. We can therefore have long and strong passwords, different for each site and service, but we only have to remember the one we need to access the 'safe' where they are stored. A big step forward compared to post-it notes stuck to the monitor.

But be careful: the master password must itself be very strong and secret, and we must not forget it. It is usually not recoverable, and without it we will no longer have access to the archive.

We must keep one important thing in mind: a password manager is a useful tool that helps us in day-to-day management, but it must be added to a solid all-round security policy that, with the progressive digitisation of lifestyles, everyone must implement, taking the necessary precautions, such as two-factor authentication (both for services and for the password archive itself) and so on.

In addition to the basic feature of keeping all the user's credentials stored in one place, a password manager usually also offers additional features that simplify both the management of passwords (e.g. automatic generation, creation, modification and deletion, organisation and search, and so on) and their use (e.g. automatic form filling, integration with other apps and sites, synchronisation between various devices, and so on).
