Let’s face it, it’s officially 2019. Strike up the band. Sky is blue. Grass is green. And passwords blow. No one likes passwords.
Workers don’t like picking them. Companies don’t like constantly trying to secure them. Security folks don’t like defending them. And the Government keeps talking about replacing them.
So in short, passwords? Well passwords…to reiterate…Passwords. Just. Plain. Suck.
But before you go out and stand in that Government cheese line called ‘federated identity’, hang on to your loaves of bread and microwave-ready, low-carb riced, gluten-free wheat flour, free-range meatless, non-GMO growth-hormone loaded, organically synthetic, free-trade conglomerate “power” meals as passwords are here to stay. At least for the foreseeable future.
So now that that revelation has bowled absolutely no one over anywhere, what’s the news? Good or otherwise? The news is you still need to pay attention. [Cue dramatic cymbal crash.] No, not to the same year-over-year dredged-up advice from the security community about choosing passwords that are more than eight characters long, that contain numbers and letters as well as special characters, and all that other tired-ass rigmarole. Sure, it’s still somewhat relevant in 2019 and potentially good advice in general. But if you haven’t listened the first 1000 times it was mentioned, there’s a slight chance 1001 isn’t going to make a lickety-split of difference. No, what you need to pay attention to is the following. Ready, here comes the underline for emphasis:
DO these five things in the new year to quell the tide of data breaches. Or more succinctly, and more in terms of reality, just try applying these as they make sense.
- Stop ending your passwords with the number one. There are nine other number keys, pick one (no pun intended). For the password-challenged – no, there are no bonus points or “originality” awards for hitting the shift key – passwords that end in exclamation points are almost as bad.
- Stop using leet in your passwords. Leet, also known as eleet or leetspeak, is a system of modified spellings of dictionary words primarily used on the internet. Yes, you read that right, on the internet. When was the last time anything was ever private on the internet? Yup, s3cr3t is no more secret than cl4nd3st1ne is. This practice was tired in the ‘00s; it’s even more so now.
- Stop using keyboard patterns. This includes that age-old standby – qwerty – along with all the new classics, like 1qaz2wsc and 1z=/bn. Why shouldn’t you be using patterns? There’s this little idea going around called the infinite monkey theorem. Check it out. Not to mention humans are also inherently adept at identifying patterns.
- Stop broadcasting every facet of your life online. Especially if you use that data in your password. Confused? Let’s use a great example. CEOs love, love, love using their spouse’s names and marriage year for their passwords. They absolutely love it. Trust me, as a penetration tester, I have more evidence to support this claim than not. That being said, what do almost all CEOs have in common besides this? Their bios are online. Generally, based on this, it’s not too difficult to confirm or track down marriage dates and spousal names if not already listed. Okay, so you’re not a CEO and this doesn’t apply. Then ask yourself this – is your current password made up of any combination of work, school, family or hobbies/activities you like to do? If not, great. If so, keep reading. If it does contain one or more of those categories – how prevalent is your online profile and does it contain any of this information? No? Good. What about your spouse? Your children? Yeah, it’s like that gift that keeps on giving, and it gets muddy really quickly. Watch what you post, it really is forever.
- Stop choosing six character passwords. We’ve just gotten to the point computationally where six character passwords are an absolute joke and offer almost no security. We’re just to the left of the ‘why bother’ ticker on the password evolutionary scale. There’s nothing clever, cute, or sophisticated in gaming the system by using a six character password. Be brighter than your employer, especially if they allow these weak passwords. The same goes for the application of faulty logic. A password of !1q!1q is not a wonderful password, even if it does satisfy your company’s password complexity rules.
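As an added example (not code from the original post), here is a small Python lint that checks a candidate password against the five habits above: a trailing 1 or !, leet-spelled dictionary words, keyboard walks, terms lifted from a public profile, and length. The dictionary, keyboard rows and profile terms are constructed sample data; a real deployment would load a full wordlist and the user's actual known profile facts, and the length cut-off of eight is an assumption taken from the "more than eight characters" advice mentioned earlier.

```python
"""Lint a candidate password against the five habits the post tells you to stop.

Added example, not code from the original post. The dictionary, keyboard
layout rows and profile terms below are constructed sample data; a real
deployment would load a proper wordlist and the user's known profile facts.
"""
import string

# Constructed mini dictionary (assumption: a real tool loads a full wordlist).
DICTIONARY = {"secret", "clandestine", "password", "welcome", "summer", "dragon"}

# Common leet substitutions mapped back to the letter they stand in for.
LEET_MAP = {"4": "a", "@": "a", "8": "b", "3": "e", "6": "g", "1": "i",
            "!": "i", "0": "o", "5": "s", "$": "s", "7": "t", "+": "t"}

# US QWERTY rows and the diagonal columns people walk down (1qaz, 2wsx, ...).
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEYBOARD_COLUMNS = ["1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm", "8ik", "9ol", "0p"]
SEQUENCES = KEYBOARD_ROWS + KEYBOARD_COLUMNS
SEQUENCES += [s[::-1] for s in SEQUENCES]      # walking the keys backwards counts too

MIN_LENGTH = 8           # assumption: six is a joke, "more than eight" is the usual advice
PATTERN_THRESHOLD = 0.5  # flag when half or more of the password is keyboard walks


def deleet(pw):
    """Undo leet substitutions and lowercase, so s3cr3t becomes secret."""
    return "".join(LEET_MAP.get(c, c) for c in pw.lower())


def core_word(pw):
    """Strip the trailing digits/punctuation people bolt on to satisfy policy."""
    return pw.rstrip(string.digits + string.punctuation).lower()


def dictionary_word(pw):
    """Return (plain_word, used_leet) if the core of pw is a dictionary word, else None."""
    core = core_word(pw)
    plain = deleet(core)
    if plain in DICTIONARY:
        return plain, plain != core
    return None


def keyboard_pattern_fraction(pw):
    """Fraction of characters sitting in runs of 3+ adjacent keys on one row or column."""
    s = pw.lower()
    covered, i = 0, 0
    while i < len(s):
        best = 0
        for seq in SEQUENCES:
            n = 3
            # Extend the run as long as the slice is still contiguous on this row/column.
            while n <= len(s) - i and s[i:i + n] in seq:
                best = max(best, n)
                n += 1
        if best:
            covered += best
            i += best
        else:
            i += 1
    return covered / len(s) if s else 0.0


def personal_info_hits(pw, profile_terms):
    """Profile terms (names, years, employer, hobbies) found in pw, leet-spelled or not."""
    haystacks = (pw.lower(), deleet(pw))
    return [t for t in profile_terms
            if len(t) >= 3 and any(t.lower() in h for h in haystacks)]


def lint_password(pw, profile_terms=()):
    """Return the rule ids the password trips; an empty list means it passed this lint."""
    findings = []
    if pw.endswith("1") or pw.endswith("!"):
        findings.append("ends-with-1-or-!")
    hit = dictionary_word(pw)
    if hit:
        findings.append("leet-dictionary" if hit[1] else "dictionary-word")
    if keyboard_pattern_fraction(pw) >= PATTERN_THRESHOLD:
        findings.append("keyboard-pattern")
    if personal_info_hits(pw, profile_terms):
        findings.append("personal-info")
    if len(pw) < MIN_LENGTH:
        findings.append("too-short")
    return findings


if __name__ == "__main__":
    # Constructed profile facts of the kind a public bio gives away.
    profile = ["Jennifer", "2009", "Acme"]
    for candidate in ["s3cr3t", "qwerty", "1qaz2wsc", "Jennifer2009", "Password1",
                      "!1q!1q", "correct-horse-battery"]:
        print(f"{candidate:24} {lint_password(candidate, profile) or 'no findings'}")
```

The keyboard check deliberately scores runs rather than exact matches, so `1qaz2wsc` is caught even though it is two walks glued together, and the dictionary check strips the trailing digit or symbol first, so `Password1` is reported both as a dictionary word and as ending in 1. Note that `!1q!1q` only trips the length rule: it satisfies a typical complexity policy, which is exactly the faulty logic the last bullet warns about.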
In closing, there’s absolutely nothing in or to the above that is going to prevent data breaches or guarantee you or your employer won’t get hacked or compromised. Two great online resources for checking on the latter are: haveibeenpwned.com and dehashed.com. But with all humor attempts and joking aside now, following the above will help to curtail a rather nasty trend we as penetration testers are seeing right now across multiple industry sectors. So until such time as passwords really are a thing of the past, please apply common sense to every password creation and selection choice you make. It can help to keep those old password acquaintances ‘forgot’, at least for a little while longer in the new year.