The rationale behind password policies.

You’ve been told a thousand times already not to use poorly conceived passwords, and to make sure your password is both unique and sufficiently complex for every service you use. If you haven’t, there’s plenty of good advice out there.

The two guides linked to above are very useful. However, nine times out of ten, both online and corporate password policy documents only really set out the password requirements, and rarely the rationale behind them. Nor do they give you the tools or guidance on how to manage your passwords correctly. This inevitably results in some people ignoring the policy because of the inconvenience: simply writing passwords down when faced with particularly aggressive requirements, or just reusing an existing password or a derivation of it.

If you’ve been reusing your password or creating derivations of it, for example slowly incrementing the number at the end of your favourite football team’s name over the years, the chances are someone already has it.

There are vast databases of email address and password combinations, numbering in the billions, available online either for free or for a fee. These lists have been curated over the last decade from high-profile hacks such as LinkedIn, and from countless smaller websites (still hosting thousands of users) with poor security.

  • haveibeenpwned.com
    ~10GB of passwords. Provides tools to check if your password or email address has appeared in a data breach. Check it out. You’ll be surprised.

Attackers can use these password lists to compromise your account on other websites where you used the same email address and credentials. Or, judging from the complexity of your password across a number of entries, they can try to derive (with some success) what your password might be now.
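A way to check whether a password is already in the breach corpus without sending the password anywhere, as an added example (not code from the original post or from haveibeenpwned.com): it follows the Pwned Passwords range API’s k-anonymity scheme, where only the first five hex characters of the password’s SHA-1 hash are sent and the response is a list of SUFFIX:COUNT lines. The response body below is constructed with made-up counts, and the live fetch function is defined but not called by the offline demo.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def k_anon_parts(password):
    """Split the uppercase SHA-1 hex digest into (5-char prefix, 35-char suffix).
    Only the prefix is ever sent to the API; the password and full hash stay local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines, one per leaked hash sharing the queried prefix."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, range_lookup):
    """Times the password appears in the corpus (0 = not seen).
    range_lookup(prefix) -> response body; pass fetch_range for a live check."""
    prefix, suffix = k_anon_parts(password)
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


def fetch_range(prefix):
    """Live lookup of one prefix against the real API (not used by the offline demo)."""
    with urllib.request.urlopen(HIBP_RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample: what the API would answer for prefix 5BAA6 (SHA-1 of "password"
# starts 5BAA6). Real responses hold hundreds of suffixes; these counts are made up.
SAMPLE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             "0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B:2\n"
             "FFEEDDCCBBAA99887766554433221100FFE:17\n",
}


def offline_lookup(prefix):
    """Stand-in for fetch_range that serves the constructed sample (empty if unknown)."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    print(breach_count("password", offline_lookup))  # 3861493: seen, change it
    print(breach_count("a long unique passphrase 9f2c", offline_lookup))  # 0
```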

If you’ve read that and you’re thinking it’ll never happen to me: it will happen eventually. Hackers always start with the low-hanging fruit (easy targets). Over time, as technology and the techniques used advance, they’ll be able to access more and more of the accounts tied up in those data breaches.

It’s now easier than ever to compromise someone’s account. With so much information out there on social media and in data leaks, hackers have a lot of data to work with and the tools to automate it at scale.

Why bother? Because it’s never a problem until it’s your problem. Trying to get your account back via a company’s support channels is usually a nightmare, as you have to prove you are indeed the owner. Do that for multiple accounts and you’ll end up losing a few days. That’s not even taking into account having to unwind any damage done in the process.

But I can’t remember all these different passwords!

Password managers are designed to securely store all your passwords in one place, generating random, complex passwords every time you need one. Some provide a plugin for your web browser to make logging in more convenient, although most modern web browsers now come with a password manager built in. Password managers make it easy and convenient to have a different password for every website, and some will even warn you in the event that one of your passwords is compromised.

The problem, however, is that you’re entrusting a service or application with all your passwords. Should someone gain access to your computer, whether because you’ve lent it out or because your machine is compromised online, it becomes rather trivial to gain access to the entire password database. To make things easier, password managers usually record where each password can be used, which makes it all the easier for an attacker. Handy.

Whilst they’re better than not having a password manager, and provide the added benefit of being able to securely share passwords and secrets, they’re still a huge single point of failure. They’ve painted a huge target on their back for hackers and governments looking to gain access to individuals’ and organisations’ secrets. Not to mention the risk of an employee doing something to degrade the security of the passwords being generated or stored.

Physical password managers are typically USB devices that attach to your computer and house a TPM (tamper-proof module), similar to a SIM card or the EMV chip on your debit or credit card. This chip encapsulates a key used to encrypt and decrypt your passwords.

The device typically comes with software to manage the passwords stored on it, and plugins for web browsers allow passwords to be entered automatically online. Each time a password is requested from the device, you’ll have to press a button on it to allow your computer to retrieve the password. This prevents malware from silently accessing all of your secrets. Physical password managers give you a lot of control over the security of the device.

A popular method for protecting your accounts from compromise online is 2FA (two-factor authentication). When logging in to a service, 2FA adds a second authentication challenge, usually in the form of a PIN derived from a pre-shared key and the current time of day. Banks provide these in the form of mini keypads. A growing number of websites offer this security feature through various mobile apps or as an SMS text message, which you then enter back into the website. This prevents an attacker from gaining access to your online account even if they have your password.

If you have the choice between SMS and Google Authenticator or another type of application that isn’t cloud-based, I’d recommend Google Authenticator or another offline application. There is a great post by Kraken on why SMS 2FA is a bad idea.

Hopefully we’ve been able to provide some context as to why password policies exist, and the steps you can take to better manage your security online.

Consequently, we think those who write password policies should provide more of a rationale, to help educate users on how hackers are using freely available data online to compromise individuals’ personal and corporate accounts.
