In today’s Security Essentials post, we’ll be discussing one of the most fundamental elements of security that every organization could stand to improve upon to strengthen their overall security posture. Of course, we’re talking about passwords and password requirements.
We know that passwords are beneficial in preventing threat actors from compromising user accounts. But does this mean that people know what a strong password is? Not necessarily.
To begin, we should examine some of the common criteria for passwords and see how added requirements can increase the complexity of the password and result in a stronger, more secure password.
Provided in the table below is a depiction of how long it would take for a threat actor to successfully identify all potential credential combinations based on the minimum character requirement and additional complexity requirements enforced by an organization. The more time it takes to crack, the more secure a password is.
As technology evolves, so does a threat actor's ability to crack passwords in ever shorter periods of time. Password requirements must therefore be revisited regularly to keep pace with a changing threat landscape.
The durations in this table describe exhaustive enumeration of the keyspace, not how long it would actually take a threat actor to identify valid credentials within a network. Individuals often create weak, easy-to-remember passwords, and those are far more likely to be found by a threat actor attempting to crack them.
As an example, an organization that requires a 10-character minimum and enforces numbers, upper- and lowercase letters, and symbols would still allow a user to create a password like Summer2023!, which a threat actor could crack easily despite the chart suggesting it would take 5 years to enumerate all potential passwords of that length and complexity. Industry-leading practices dictate that network administrators require users to create passphrases or non-dictionary-based passwords.
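The gap between the chart's worst-case figure and the Summer2023! example comes down to keyspace. The following added example (not part of the original post) computes the exhaustive-enumeration keyspace for the usual policy tiers and contrasts it with the small "Season + Year + Symbol" family the example password actually belongs to. The guess rate of 10 billion per second and the bounds of the seasonal pattern (years 1990 to 2030, 32 symbols) are assumptions chosen for illustration, not measurements; the names `keyspace`, `enumeration_seconds` and `policy_table` are this example's own.

```python
# Character-class sizes; 32 is the count of printable ASCII punctuation (assumption).
CLASS_SIZES = {"lower": 26, "upper": 26, "digits": 10, "symbols": 32}
ALL_CLASSES = tuple(CLASS_SIZES)

# Assumed offline cracking rate for the illustration. Real rates depend on the
# hash algorithm and the attacker's hardware, so treat this as a placeholder.
GUESSES_PER_SECOND = 10_000_000_000


def keyspace(length, classes):
    """Number of candidate strings of exactly `length` characters drawn from `classes`."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return alphabet ** length


def enumeration_seconds(length, classes, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate in the keyspace at `rate` guesses/second."""
    return keyspace(length, classes) / rate


def season_year_symbol_keyspace():
    """Size of the constructed pattern family that Summer2023! belongs to:
    4 seasons x 41 years (1990..2030) x 32 trailing symbols."""
    return 4 * 41 * 32


def human_duration(seconds):
    """Express a duration in the largest unit that gives a value of at least 1."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return "less than a second"


def policy_table(lengths=(8, 10, 12, 16), rate=GUESSES_PER_SECOND):
    """Rows of (length, classes, worst-case enumeration time) for common policy tiers."""
    tiers = [("lower",), ("lower", "upper"), ("lower", "upper", "digits"), ALL_CLASSES]
    rows = []
    for n in lengths:
        for classes in tiers:
            rows.append((n, "+".join(classes),
                         human_duration(enumeration_seconds(n, classes, rate))))
    return rows


if __name__ == "__main__":
    for length, classes, duration in policy_table():
        print(f"{length:>2} chars  {classes:<27} {duration}")
    # The policy-compliant 11-character keyspace versus the pattern the user actually chose.
    full = human_duration(enumeration_seconds(11, ALL_CLASSES))
    pattern = human_duration(season_year_symbol_keyspace() / GUESSES_PER_SECOND)
    print(f"\n11 chars, all classes: {full}")
    print(f"Season+Year+Symbol family ({season_year_symbol_keyspace()} candidates): {pattern}")
```

The table rows grow by a constant factor per added character, which is why length dominates; the last two lines show why that growth says nothing about a password built from a guessable pattern, since the whole family is exhausted in a fraction of a second at the assumed rate.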
Now that we've considered this chart and what we already knew about passwords, the picture starts to become a bit clearer. Organizations not only need to require longer passwords with adequate complexity requirements; they must also take measures to prevent people from choosing common passphrases or dictionary words.
We all laugh at the concept of a person using Password123! as their password, but the fact of the matter is that people do it. That's why some form of prevention for this type of password is crucial. One potential solution is ensuring that dictionary-based passwords cannot be set at all, which forces users to create unique phrases that cannot be easily guessed.
It's also important for organizations to remind their members of other password practices that maintain a secure environment, such as never reusing passwords. If my password for company resources is the same as my password for my personal accounts, that poses a substantial risk.
If those personal credentials are ever leaked, an attacker trying to compromise my company account will likely check online for any leaked credentials featuring my name. If I’m reusing the password from a leaked personal account for my company account, I’ll be easily compromised.
As such, organizations should make sure their members are aware of this as well. A strong password is not only long, not only complex, not only random, but also unique. If we do all of these things, we stand a much better chance of keeping our accounts safe from prying eyes.
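The two preventive measures discussed above, rejecting dictionary-based and patterned passwords, and catching passwords that already appear in leaked credential sets, can be enforced at the point where a password is set. The following added example (not the post's own code or any vendor's product) is a small policy check that does both. The breached-password corpus, the dictionary and the sample passwords are constructed stand-ins for a real breach list; the hash-prefix lookup in `hash_range` mirrors the k-anonymity split used by range-query breach APIs, but here runs entirely against the local sample. Function names such as `check_password` and `is_acceptable` are this example's own.

```python
import hashlib
import re

# Constructed stand-in for a breached/common-password corpus. A real deployment
# would load a large breach list; storing SHA-1 digests means the plaintexts
# need not sit next to the policy code.
_SAMPLE_COMMON = ["Password123!", "Summer2023!", "Welcome1", "qwerty123", "letmein"]
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper() for p in _SAMPLE_COMMON}

# Small constructed dictionary of words users habitually build passwords around.
DICTIONARY_WORDS = {"password", "welcome", "admin", "letmein", "qwerty", "company",
                    "spring", "summer", "autumn", "fall", "winter"}

# Season + 2- or 4-digit year + optional trailing symbols, e.g. "Summer2023!".
SEASON_YEAR = re.compile(r"^(spring|summer|autumn|fall|winter)\d{2,4}[^\w\s]*$", re.I)

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")


def hash_range(prefix):
    """Suffixes of corpus hashes sharing a 5-hex-character prefix.
    Only the prefix would leave the client in a range-query design; the
    final comparison against the candidate's own suffix happens locally."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def is_breached(password):
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in hash_range(digest[:5])


def core_words(password):
    """Alphabetic runs, lowercased: 'Summer2023!' -> ['summer']."""
    return [w.lower() for w in re.findall(r"[A-Za-z]+", password)]


def check_password(password, min_length=12, min_classes=3):
    """Return the list of policy violations (empty when the password is acceptable)."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too_short")
    classes = sum(bool(re.search(p, password)) for p in CHARACTER_CLASSES)
    if classes < min_classes:
        reasons.append("too_few_classes")
    if SEASON_YEAR.match(password):
        reasons.append("season_year_pattern")
    if any(w in DICTIONARY_WORDS for w in core_words(password)):
        reasons.append("dictionary_word")
    if is_breached(password):
        reasons.append("breached")
    return reasons


def is_acceptable(password):
    return not check_password(password)


if __name__ == "__main__":
    # Constructed candidates: the post's two examples and one passphrase-style value.
    for candidate in ["Summer2023!", "Password123!", "Purple-Kettle-Marches-42"]:
        verdict = check_password(candidate)
        print(f"{candidate:<26} {'OK' if not verdict else ', '.join(verdict)}")
```

Note that Summer2023! satisfies the character-class rule and Password123! satisfies both length and class rules; only the dictionary, pattern and breach checks reject them, which is the point the post makes about complexity requirements alone. Returning reason codes rather than a bare boolean lets the enrolment flow tell the user what to change.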