Definition of Strong: “powerful and difficult to resist or defeat”
Definition of Secure: “certain to remain safe and unthreatened”
With October being National CyberSecurity Awareness Month, there are many IT security recommendations on how to stay safe online, protect what you connect, and lock down your login. One of the key questions when securing your point of entry on any platform or account is: how strong is your password? The typical requirement is a long and unique combination of characters, numbers, and symbols to prevent your password from being cracked, but in reality, how do you know if your password is secure?
Is being strong better than being secure?
Have you ever checked the ‘strength’ of your password across the broad spectrum of digital password meters available and come up with the same answer from all of them? There are many password meters available online, like The Password Meter, which advise you whether your password is weak or strong, but they do not tell you whether that password has previously been breached. These meters and password checkers can reassure you that your password will take over a nonillion years to be deciphered, but they don’t tell you that the password has already been compromised, proving that these tools actually hold very little value for modern password policies.
Many password strength tools will tell you that “Pa55w0rd” is actually a strong password, and “Pa55w0rd!” is very strong, when in reality we can easily see that neither is very good in practice. Similarly, in a recent Twitter challenge, somebody created the strong password “JZpq7rz2pA” and posted its SHA256 hash to see who could crack it. Various strength tools from big brands including Kaspersky and my1login estimated that it would take 12 days, 7 months, 3 years, 4 years, and 10 million years to crack. They were all wrong in the end, as it took a community of hobbyists only 5.5 days to crack.
“No matter how long and strong your passphrase is, a breach is always possible. Make it harder for cybercriminals to access your account by enabling multi-factor authentication. #BeCyberSmart” – NCSA (National CyberSecurity Alliance)
Passwords are generally the weak link, and the more complicated a password is, however strong it is perceived to be, the harder it becomes for the human brain to remember. Individuals are expected to create strong, secure passwords, not to share them, and to change them regularly as common practice.
What should I do instead?
No matter how complex or strong a password is, once it has been breached through sharing, hash attack, brute-forcing, or phishing, it is no longer secure. A password is by definition a shared secret; however, if it has been shared too much it is no longer a secret and should not be used.
Organizations should comply with the standards of regulatory bodies, including NIST 800-63B, which offer password policies and official guidance. Contrary to what password meters do, NIST advise that passwords should NOT be formula-based:
“Length and complexity requirements significantly increase the difficulty of memorized secrets and increase user frustration. As a result, users often work around these restrictions in a way that is counterproductive. Furthermore, other mitigations such as blacklists, secure hashed storage, and rate-limiting are more effective at preventing modern brute-force attacks.”
In contrast, they recommend a passphrase-based policy that is simpler for human beings to use and doesn’t change on a schedule. This is counter-intuitive to the legacy “strength” dogma, but the security of the guidance comes from the requirement to check all passwords against a comprehensive list of known breached passwords. That way, any password that is no longer a secret, no matter how “weak” or “strong”, can no longer be used.
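The contrast between a formula-based meter and a breach-list policy, as an added example (not Authlogics' code and not taken from NIST). The names `formula_meter` and `policy_check` are hypothetical, the four-entry breached list is constructed for illustration, and SHA-256 is used only as a lookup key for the blocklist.

```python
import hashlib
import re
import unicodedata

# Constructed sample list; a real deployment loads a full breach corpus.
_SAMPLE_BREACHED = ["Pa55w0rd", "Pa55w0rd!", "password", "123456789"]
MIN_LENGTH = 8  # NIST SP 800-63B minimum for user-chosen memorized secrets


def _digest(password: str) -> str:
    """Normalise, then hash; the hash is only a lookup key for the blocklist."""
    normalised = unicodedata.normalize("NFKC", password)
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


BREACHED = {_digest(p) for p in _SAMPLE_BREACHED}


def formula_meter(password: str) -> str:
    """Hypothetical composition-rule meter: counts character classes only."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    classes = sum(1 for p in patterns if re.search(p, password))
    if len(password) >= 8 and classes == 4:
        return "very strong"
    if len(password) >= 8 and classes == 3:
        return "strong"
    return "weak"


def policy_check(password: str) -> tuple[bool, str]:
    """Length plus breach lookup; no composition rules, no scheduled expiry."""
    if len(unicodedata.normalize("NFKC", password)) < MIN_LENGTH:
        return False, "too short"
    if _digest(password) in BREACHED:
        return False, "known breached"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("Pa55w0rd", "Pa55w0rd!", "quiet river lantern maple"):
        print(f"{pw!r}: meter={formula_meter(pw)}, policy={policy_check(pw)}")
```

The meter and the policy disagree in both directions: the passwords the meter rates highest are rejected as breached, while the passphrase it rates weak is accepted.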
How can I implement secure passwords instead of strong passwords?
Authlogics provide a simple but robust Password Security Management solution that complies with NIST, NCSC, CMMC, GDPR, and other digital identity guidelines. It uses a combination of custom blacklists, a rules engine, heuristic scanning, and the Password Breach Database to reject weak and known breached passwords. The PSM can also detect and protect against shared passwords, raising automatic alerts and remediating Active Directory user accounts by forcing a change at login or disabling the account.
The End User has the power to manage their own account through the Self Service Portal, resetting their own passwords and unlocking their account when passwords are breached, thereby reducing the reliance on helpdesks and increasing user productivity. The portal focuses on the compliance status of the password against the policy and not the “strength”. Resetting passwords is further secured with the built-in One Time Code protection as standard.
Simplify your password policies, reduce your helpdesk costs, and avoid complex ever-changing password requirements that are focused on strength rather than security.
“Choosing a hard-to-guess, but easy-to-remember password is important!”
Author: Kevin Mitnick
Ditch the password strength meters and check if your password has been breached in our continuously updated Password Breach Database which holds over 2 billion breached credentials and 520 million clear text passwords.
Talk to the Authlogics Technical team to find out how SECURE your passwords are.