Strong Password versus Secure Password

Your password may be strong but is it secure?

Kate Wotherspoon on 13th October 2020
Definition of Strong: “powerful and difficult to resist or defeat”
Definition of Secure: “certain to remain safe and unthreatened”


With October being National Cybersecurity Awareness Month, there are many IT security recommendations on how to stay safe online, protect what you connect, and lock down your login. One of the key questions when securing your point of entry on any platform or account is: how strong is your password? The typical obligatory requirement is a long and unique combination of letters, numbers, and symbols to prevent your password from being cracked, but in reality, how do you know if your password is secure?

Is being strong better than being secure?

Have you ever checked the ‘strength’ of your password across the broad spectrum of digital password meters available and got the same answer from all of them? There are many password meters online, such as The Password Meter, which advise you whether your password is weak or strong, but they do not tell you whether that password has previously been breached. These meters and password checkers can reassure you that your password would take over a nonillion years to be deciphered, yet they say nothing about the password already being compromised, which shows that these tools hold very little value for modern password policies.

Password Secure Meter

Many password strength tools will tell you that “Pa55w0rd” is actually a strong password, and “Pa55w0rd!” is very strong, when in reality we can easily see that neither is very good in practice. Similarly, in a recent Twitter challenge, somebody created the strong password “JZpq7rz2pA” and posted its SHA-256 hash to see who could crack it. Various strength tools from big brands including Kaspersky and my1login estimated that it would take 12 days, 7 months, 3 years, 4 years, and 10 million years to crack. They were all wrong in the end, as it took a community of hobbyists only 5.5 days to crack.

“No matter how long and strong your passphrase is, a breach is always possible. Make it harder for cybercriminals to access your account by enabling multi-factor authentication. #BeCyberSmart” – NCSA (National CyberSecurity Alliance)


Passwords are generally the weak link: the more complicated a password is made, however strong it is perceived to be, the harder it becomes for the human brain to remember. Yet individuals are expected, as common practice, to create strong, secure passwords, never share them, and change them regularly.

What should I do instead?

No matter how complex or strong a password is, once it has been breached through sharing, a hash attack, brute-forcing, or phishing, it is no longer secure. A password is by definition a shared secret; however, if it has been shared too widely it is no longer a secret and should not be used.

Organizations should comply with the standards of regulatory bodies, including NIST SP 800-63B, which offers password policies and official guidance. Contrary to what password meters do, NIST advises that passwords should NOT be formula-based:

“Length and complexity requirements significantly increase the difficulty of memorized secrets and increase user frustration. As a result, users often work around these restrictions in a way that is counterproductive. Furthermore, other mitigations such as blacklists, secure hashed storage, and rate-limiting are more effective at preventing modern brute-force attacks.”

In contrast, they recommend a passphrase-based policy that is simpler for human beings to use and doesn’t change on a schedule. This is counter-intuitive to the legacy “strength” dogma, but the security of the guidance comes from the requirement to check all passwords against a comprehensive list of known breached passwords. That way, any password that is no longer a secret, no matter how “weak” or “strong”, can no longer be used.

How can I implement secure passwords instead of strong passwords?

Authlogics provide a simple but robust Password Security Management solution that complies with NIST, NCSC, CMMC, GDPR, and other digital identity guidelines. It uses a combination of custom blacklists, a rules engine, heuristic scanning, and the Password Breach Database to reject weak and known breached passwords. The PSM can also detect and protect against shared passwords, raising automatic alerts and remediating Active Directory user accounts by forcing a change at login or disabling the account.
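The two checks described above, a breached-password lookup in place of a complexity meter (the NIST SP 800-63B approach from the previous section) and detection of accounts that share a password, as an added illustration in Python. This is example code written for this page, not Authlogics' PSM or any NIST reference code; the breach corpus and the account export are constructed inline, and storing the corpus as SHA-1 hashes is an assumption (a real Active Directory audit would compare NT hashes, but the grouping logic is identical).

```python
from __future__ import annotations

import hashlib
import re
from collections import defaultdict


def sha1_hex(password: str) -> str:
    """Hash a password the way the constructed breach corpus is keyed (assumption)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breached-password corpus. It deliberately includes
# "Pa55w0rd" and "Pa55w0rd!", which meters rate strong, and "JZpq7rz2pA", which
# was cracked publicly and so is no longer a secret.
BREACHED_SHA1 = {
    sha1_hex(p) for p in ("Pa55w0rd", "Pa55w0rd!", "JZpq7rz2pA", "password", "qwerty123")
}

# Constructed audit export of username -> password hash for the sharing check.
SAMPLE_ACCOUNTS = {
    "alice": sha1_hex("Pa55w0rd"),
    "bob": sha1_hex("Pa55w0rd"),
    "carol": sha1_hex("correct horse battery staple"),
}


def legacy_strength_score(password: str) -> str:
    """Composition-based meter of the kind the post criticises: it scores
    character classes and length and knows nothing about breaches."""
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    )
    score = classes + (len(password) >= 8) + (len(password) >= 12)
    labels = {0: "weak", 1: "weak", 2: "weak", 3: "medium", 4: "strong"}
    return labels.get(score, "very strong")


def nist_check(
    password: str, breached: set[str], context_words: tuple[str, ...] = ()
) -> tuple[bool, str]:
    """NIST SP 800-63B style verifier check: a minimum length, no composition
    rules, and rejection of context-specific words and known-breached values."""
    if len(password) < 8:
        return False, "shorter than 8 characters"
    lowered = password.lower()
    for word in context_words:
        if word and word.lower() in lowered:
            return False, f"contains context-specific word {word!r}"
    if sha1_hex(password) in breached:
        return False, "appears in breached-password list"
    return True, "ok"


def find_shared_passwords(account_hashes: dict[str, str]) -> dict[str, list[str]]:
    """Group accounts by password hash and return only hashes used by more than
    one account: those passwords are no longer a secret between the users."""
    by_hash: dict[str, list[str]] = defaultdict(list)
    for user, digest in account_hashes.items():
        by_hash[digest.upper()].append(user)
    return {h: sorted(users) for h, users in by_hash.items() if len(users) > 1}


if __name__ == "__main__":
    for candidate in ("Pa55w0rd", "Pa55w0rd!", "JZpq7rz2pA", "correct horse battery staple"):
        meter = legacy_strength_score(candidate)
        ok, reason = nist_check(candidate, BREACHED_SHA1, context_words=("authlogics",))
        print(f"{candidate!r:32} meter={meter:12} breach-check={'accept' if ok else 'reject'} ({reason})")
    print("shared:", find_shared_passwords(SAMPLE_ACCOUNTS))
```

Run stand-alone, the meter rates all four candidates strong or very strong, while the breach-list check rejects the three that appear in the corpus and accepts only the passphrase; the sharing check reports that alice and bob use the same password, which is the condition a policy would remediate by forcing a change.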

The end user has the power to manage their own account through the Self Service Portal, resetting their own password and unlocking their account when a password is breached, thereby reducing reliance on helpdesks and increasing users’ productivity. The portal focuses on the compliance status of the password against the policy, not on its “strength”. Resetting passwords is further secured with the built-in One Time Code protection as standard.

Simplify your password policies, reduce your helpdesk costs, and avoid complex ever-changing password requirements that are focused on strength rather than security.

“Choosing a hard-to-guess, but easy-to-remember password is important!”
Author: Kevin Mitnick

Ditch the password strength meters and check if your password has been breached in our continuously updated Password Breach Database which holds over 2 billion breached credentials and 520 million clear text passwords.

Talk to the Authlogics Technical team to find out how SECURE your passwords are.

+44 1344 568900  |  technical@authlogics.com

