Passwords are one of the most basic and ubiquitous forms of cybersecurity. Virtually everyone who has gone online or used a computer system at work is familiar with creating a user ID and password, and most of us have forgotten a password and had to reset it.
Users are responsible for protecting their credentials to prevent unauthorized access to a system, application, or account. An often neglected part of that responsibility is choosing strong passwords that are difficult to guess or crack. Strong passwords protect your accounts from compromise by internal and external threat actors, and this article focuses on how to create them.
The Dangers of Weak Passwords
Weak passwords make it easier for threat actors to compromise credentials and gain unauthorized access to an organization's IT environment. Surveys indicate that IT leaders worldwide understand the problem of weak passwords and are concerned about its effect on their computing resources. It is commonly estimated that up to 80% of data breaches involve compromised credentials, and weak passwords contribute directly to that figure. They have been behind several impactful breaches, including a 2023 incident at LogicMonitor that exploited default passwords and an attack on FastCompany that leveraged easily guessed passwords.
What Constitutes a Strong Password?
According to Microsoft's guidance, a strong password should:
- Be at least 12 characters long; 14 or more is recommended;
- Use a combination of uppercase letters, lowercase letters, numbers, and symbols;
- Avoid dictionary words or the names of persons or products;
- Be different from previous passwords;
- Be easy for you to remember but difficult for others to guess.
Every additional character multiplies the number of guesses an exhaustive brute-force attacker must make by the size of the character set, which is why 14 or more characters are recommended for better security.
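To put numbers on the length-versus-complexity trade-off, here is an added worked example (not code from the original article). It models the worst case for an attacker, an exhaustive search of N^L candidates, and assumes a guessing rate of 1e11 per second, which is roughly what a multi-GPU rig achieves against a fast unsalted hash such as NTLM; the candidate passwords are constructed for illustration.

```python
import math

# Character-class sizes behind the keyspace estimate. 33 printable ASCII symbols
# (including space) is a common assumption; adjust for what a site actually allows.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33

# Assumed attacker speed (assumption, not a measurement): 1e11 guesses/s is in the
# range a multi-GPU rig reaches against a fast unsalted hash such as NTLM or MD5.
# Against a slow salted hash (bcrypt, scrypt, Argon2) the rate is orders of
# magnitude lower, so these times are a pessimistic lower bound.
GUESSES_PER_SECOND = 1e11


def charset_size(password: str) -> int:
    """Alphabet size an exhaustive attacker must assume from the classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def keyspace(password: str) -> int:
    """Number of candidates of this length over this alphabet: N ** L."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the keyspace; each extra character adds log2(N) bits."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def crack_seconds(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to search half the keyspace (the average case for brute force)."""
    return keyspace(password) / 2 / rate


def crack_years(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    return crack_seconds(password, rate) / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed candidates: 8 characters with all four classes, 14 lowercase
    # letters, and 14 characters with all four classes.
    for pw in ["Ab1!xY9#", "a" * 14, "Ab1!xY9#Qz2@Lm"]:
        print(f"{pw!r:20} {len(pw):2d} chars  "
              f"{entropy_bits(pw):5.1f} bits  ~{crack_years(pw):.3g} years")
```

At the assumed rate the 8-character password with all four classes falls in about nine hours, 14 lowercase letters take roughly a decade, and 14 mixed characters take hundreds of millions of years: adding six characters buys far more than adding three character classes. Remember that this is the worst case for the attacker; a password built from dictionary words has far less effective entropy than the formula suggests, because real attacks try wordlists and mangling rules before resorting to exhaustive search.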
Common Password Problems
The need to create and use passwords to protect valuable and sensitive information leads to some common problems that undermine their effectiveness. Your passwords need to be difficult for external attackers and for colleagues or business associates alike to compromise.
Users should be aware of the following issues when creating and using passwords.
- Don’t use weak passwords that are easy to guess. For example, stay away from common words, pet names, and birthdays.
- Don’t use short passwords. Longer passwords are harder to crack using the brute force methods favored by hackers.
- Use a unique password for every account. Attackers routinely replay credentials leaked from one service against others (credential stuffing), so reuse puts every account sharing the password at risk.
- Don't share passwords with colleagues. Each co-worker should use their own credentials so that audit logs attribute activity to the right person and account monitoring remains meaningful.
- Don't store passwords insecurely. Avoid writing a complex password down, or keeping it in a plain-text file or spreadsheet, where others can find and use it.
- Don’t ignore multi-factor authentication (MFA). Utilize MFA whenever possible to protect your accounts from compromised credentials.
- Change passwords whenever there is reason to believe they have been compromised, and at regular intervals for important or shared accounts. Note that current NIST guidance (SP 800-63B) no longer recommends forced periodic rotation on its own, because it tends to produce predictable variations of the old password; rotation after suspected exposure is what matters most.
- Don't use personal information as part of a password. Stay away from your birth year or birthday, which are easily found on social media, and use random digit sequences instead.
Creating a Strong and Unhackable Password
The following suggestions should be taken as a guideline to help users create strong passwords that are very hard to hack.
Never go below 12 characters, and follow Microsoft's recommendation of 14 or more. The time required to brute-force a password grows exponentially with its length, since each added character multiplies the search space by the size of the character set. Longer passwords may be harder to remember, but they offer a level of protection that should not be ignored.
Use a mix of character types to create complex passwords. Include a random mix of lower- and upper-case letters, numbers, and special characters. Some systems restrict certain special characters, so stay within the account's guidelines.
Replacing letters with numbers or special characters adds some variety: replace a few characters in Security and you have S3c#r1ty. Be aware, though, that password-cracking tools such as hashcat and John the Ripper apply these substitutions automatically through rule sets, so a substituted dictionary word is only marginally harder to crack than the plain word. Treat substitution as a minor improvement, vary the replacement characters you use, and rely on length rather than substitutions for real strength.
Avoid family names and common words in your passwords. Individuals who possess information about you and your family may be able to leverage the knowledge to guess your password. Using common words also makes it easy for a motivated individual to crack your passwords.
Explore using a passphrase instead of a password. Choose a phrase that is meaningful to you and apply the same mix of characters and symbols to disguise the words. Many systems don't accept spaces in a password, so it is safest to omit them. For example, the phrase "This is the way in" becomes Th1s1sth3w9y1n. A long passphrase addresses both the length and complexity aspects of a strong password. Several unrelated random words (the diceware approach) are stronger still, because a well-known phrase is itself something an attacker can guess.
Consider using a password manager to generate and store new, complex passwords that are practically impossible to crack. These applications typically generate long sequences of random characters. The trade-off is that such passwords cannot be memorized, so you depend on the manager to store them, but for most users the added security is worth it. Protect the manager itself with a long master passphrase and MFA.
Implement two-factor authentication so that a second form of authentication is required in addition to the password. A common method is a one-time code sent to your phone or mobile device. This mitigates the danger of compromised credentials, although codes delivered by SMS can be intercepted or phished, so an authenticator app, a hardware security key, or passkeys are preferable where the service supports them.
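The common problems listed earlier and the guidelines above translate into a small policy check plus a generator. The following is an added example, not code from the original article: it undoes the usual letter-for-symbol substitutions before the dictionary check (because cracking rule sets do the same), screens for personal information and sequences, and uses the `secrets` module to produce random passwords and diceware-style passphrases. The word lists are tiny constructed stand-ins; a real check would use a full cracking wordlist and a real passphrase list such as the EFF's 7776-word list.

```python
import math
import re
import secrets
import string

MIN_LENGTH = 12          # floor from the guidance above
RECOMMENDED_LENGTH = 14  # what Microsoft recommends

# Constructed stand-ins (assumptions for this example) for a real cracking
# wordlist and for a diceware-style passphrase list.
COMMON_WORDS = {"password", "security", "welcome", "admin", "letmein", "qwerty", "summer"}
WORDLIST = ["anchor", "basil", "copper", "dune", "ember", "falcon", "glacier",
            "harbor", "iris", "juniper", "kestrel", "lantern", "meadow", "nectar"]

# Letter-for-symbol substitutions that cracking tools apply via rules.
# We undo them before the dictionary check so S3cur1ty is treated as security.
LEET = str.maketrans("@4013!$57", "aaoieisst")

SEQUENCES = ("0123", "1234", "2345", "3456", "4567", "5678", "6789",
             "abcd", "qwer", "asdf")


def deleet(password: str) -> str:
    return password.lower().translate(LEET)


def check_password(password: str, personal_info=()) -> list:
    """Return the list of guideline violations; an empty list means it passes."""
    findings = []
    n = len(password)
    if n < MIN_LENGTH:
        findings.append(f"shorter than the {MIN_LENGTH}-character minimum")
    elif n < RECOMMENDED_LENGTH:
        findings.append(f"shorter than the recommended {RECOMMENDED_LENGTH} characters")

    classes = sum([any(c.islower() for c in password),
                   any(c.isupper() for c in password),
                   any(c.isdigit() for c in password),
                   any(not c.isalnum() for c in password)])
    if classes < 3:
        findings.append("uses fewer than three character classes")

    # Check both the raw lowercase form and the de-substituted form.
    haystacks = {password.lower(), deleet(password)}
    for word in sorted(COMMON_WORDS):
        if any(word in h for h in haystacks):
            findings.append(f"contains the common word '{word}' (substitutions undone)")
    for item in personal_info:
        if any(item.lower() in h for h in haystacks):
            findings.append(f"contains personal information '{item}'")

    if re.search(r"(.)\1\1", password):
        findings.append("repeats one character three or more times")
    if any(seq in password.lower() for seq in SEQUENCES):
        findings.append("contains a keyboard or numeric sequence")
    return findings


def generate_password(length: int = 16) -> str:
    """Random password from a CSPRNG, regenerated until it passes check_password."""
    if length < RECOMMENDED_LENGTH:
        raise ValueError(f"use at least {RECOMMENDED_LENGTH} characters")
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()-_=+?"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


def generate_passphrase(words: int = 5, wordlist=WORDLIST, sep: str = "-") -> str:
    """Diceware-style passphrase: words chosen uniformly with a CSPRNG."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def passphrase_bits(words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase is words * log2(wordlist size), independent of spelling."""
    return words * math.log2(wordlist_size)


if __name__ == "__main__":
    for pw in ["P@ssw0rd", "S3cur1ty!2024", "Vx7!kq-Pm2#rz9Ls"]:
        print(pw, "->", check_password(pw) or "OK")
    print(check_password("Rex1985!x", personal_info=["rex", "1985"]))
    print("generated:", generate_password(16))
    print("passphrase:", generate_passphrase(5),
          f"({passphrase_bits(5, 7776):.1f} bits with a 7776-word list)")
```

Note that the passphrase's strength comes from the number of words and the size of the list, not from disguising the spelling: five words from a 7776-word list give about 64.6 bits, regardless of how they are written. The generator refuses lengths below 14 rather than looping forever on a password the checker will always reject.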
XDR as a Safety Net for Compromised Passwords
Despite the best efforts at creating strong and unhackable passwords, there is always a possibility that they can be compromised in some way. An unsuspecting user may fall victim to a phishing attack and disclose their credentials. Malicious keyloggers can lurk quietly in the infrastructure and capture user input to steal passwords.
An extended detection and response (XDR) platform serves as a safety net for your IT environment if passwords are used by unauthorized entities to gain access to your network.
Samurai XDR offers customers multiple benefits that enhance security and protection in the event of compromised credentials. It is a cost-efficient solution that integrates with your existing cyber defenses to reduce the risk of dangers such as ransomware and data exfiltration.
- The XDR platform deploys advanced analytics and machine learning to identify and respond to anomalous behavior that may result from compromised credentials.
- The solution identifies the subtle lateral movement across an IT environment that may signal advanced persistent threats (APTs) searching for valuable targets.
- Samurai leverages threat intelligence to help you stay abreast of emerging threats that represent a risk to your organization. Awareness of new techniques used by threat actors improves your ability to defend against them.
- The platform consolidates threat information from across the environment to streamline cybersecurity management and maintain security.
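To make concrete what "anomalous behavior that may result from compromised credentials" looks like in data, here is an added example that is not Samurai XDR's detection logic and not code from the original article. It runs two simple rules over a constructed authentication log: a brute-force success (a login that follows a burst of failures for the same account) and a password spray (one source failing against many different accounts, then succeeding on one). The log format, the field names and the thresholds are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real data). Assumed format:
# "<ISO timestamp> user=<name> src=<ip> result=<OK|FAIL>"
SAMPLE_LOG = """\
2024-09-12T10:00:01Z user=alice src=198.51.100.9 result=OK
2024-09-12T10:00:05Z user=bob src=203.0.113.7 result=FAIL
2024-09-12T10:00:06Z user=carol src=203.0.113.7 result=FAIL
2024-09-12T10:00:07Z user=dave src=203.0.113.7 result=FAIL
2024-09-12T10:00:08Z user=erin src=203.0.113.7 result=FAIL
2024-09-12T10:00:09Z user=frank src=203.0.113.7 result=FAIL
2024-09-12T10:00:10Z user=grace src=203.0.113.7 result=OK
2024-09-12T10:05:00Z user=alice src=192.0.2.44 result=FAIL
2024-09-12T10:05:02Z user=alice src=192.0.2.44 result=FAIL
2024-09-12T10:05:04Z user=alice src=192.0.2.44 result=FAIL
2024-09-12T10:05:06Z user=alice src=192.0.2.44 result=FAIL
2024-09-12T10:05:08Z user=alice src=192.0.2.44 result=FAIL
2024-09-12T10:05:10Z user=alice src=192.0.2.44 result=OK
2024-09-12T11:00:00Z user=bob src=198.51.100.10 result=FAIL
2024-09-12T11:00:30Z user=bob src=198.51.100.10 result=OK
"""


def parse_event(line: str):
    """Turn one log line into (timestamp, user, src, result)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, kv["user"], kv["src"], kv["result"]


def detect(lines, window=timedelta(minutes=10), fail_threshold=5, spray_threshold=5):
    """Return alerts as (kind, subject, iso_timestamp) tuples.

    bruteforce_success: >= fail_threshold failures for one user inside `window`,
                        then a success for that user.
    password_spray:     one source fails against >= spray_threshold distinct users
                        inside `window` (raised once per source).
    spray_success:      a successful login from a source already flagged as spraying.
    """
    events = sorted(parse_event(l) for l in lines if l.strip())
    alerts = []
    user_fails = defaultdict(list)   # user -> timestamps of failures
    src_fails = defaultdict(dict)    # src  -> {user: last failure timestamp}
    spraying = set()

    for ts, user, src, result in events:
        if result == "FAIL":
            user_fails[user].append(ts)
            src_fails[src][user] = ts
            targets = [u for u, t in src_fails[src].items() if ts - t <= window]
            if len(targets) >= spray_threshold and src not in spraying:
                spraying.add(src)
                alerts.append(("password_spray", src, ts.isoformat()))
            continue

        # A success: was it preceded by a burst of failures for this account?
        recent = [t for t in user_fails[user] if ts - t <= window]
        if len(recent) >= fail_threshold:
            alerts.append(("bruteforce_success", user, ts.isoformat()))
        if src in spraying:
            alerts.append(("spray_success", f"{user}@{src}", ts.isoformat()))
        user_fails[user].clear()   # a success resets the account's failure streak
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(*alert)
```

On the sample log the rules flag 203.0.113.7 as a spraying source after its fifth distinct target, flag grace's login from that source, and flag alice's login after five failures in five minutes; bob's single failure followed by a success is left alone. A real platform would also correlate the source with threat intelligence and with what the account does after the login, which is where the lateral-movement detection above comes in.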
The addition of XDR to your cybersecurity stack provides enhanced protection if your attempts to control incursions with strong passwords are subverted by sophisticated cybercriminals. Take advantage of our new Starter Plan and see how XDR improves your cybersecurity posture.