Practical Security: Passwords
We're pleased to present the first in a series of practical security posts for our policyholders. Despite an explosion of cybersecurity buzzwords ranging from anomaly detection to next generation anti-virus, our claims data and experience reveal that simple security measures are often the most effective. This week we turn our focus to password security.
Most computer systems rely on passwords, and all the cybersecurity in the world won't help you if someone knows or guesses your password.
Advice for all businesses
As an employee or business owner, you likely use passwords for everything from email to payroll to CRM systems. In many cases, a hacker can ruin your business just by guessing your password to one of these systems and cutting themselves a healthy check or mocking up a fraudulent invoice. Accordingly, it is imperative that you protect the passwords that protect your business.
Fortunately, good password practices are pretty simple:
Don't re-use passwords. Many people use the same password for dozens of services, from their local newspaper subscription to their bank account. Hackers know this, and actively go after easy targets just to get passwords they can reuse against higher-value targets. Chances are good that some of your passwords are already floating around the seedy parts of the internet; if in doubt, you can check your email address against a large collection of breached records through a service called HaveIBeenPwned ("pwned" is hacker slang for being successfully attacked).
Use strong passwords. It is extremely easy for a hacker to write a program that tries to guess your password 1,000 or even 1,000,000 times per second. That means a hacker can easily try every word in the dictionary, every city, state, person or team name, and every possible birthday or anniversary. You may have been told to use a mix of capital and lower-case letters, numbers and symbols. In practice, most people will change "o"s to "0"s or add a "1" or an "!" to the end of their password. This will not save you; hackers will guess that too. Instead, you should use a randomly generated password or a passphrase, a string of random words like "correcthorsebatterystaple", which would take a hacker roughly 1,000,000,000,000,000,000 tries to guess. Not to mention, passwords like this are a whole lot easier to remember!
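To make the "tries to guess" arithmetic above concrete, here is an added example (not code from the original post) that draws a passphrase with a cryptographic random source and works out how many candidates an attacker has to try at the 1,000,000-guesses-per-second rate quoted above. The word list is a constructed stand-in; the total depends on how many words your real list has and how many you draw, which the functions let you vary.

```python
import math
import secrets

# Constructed, tiny stand-in for a real word list; a Diceware list has 7,776 words.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "orbit", "lemon", "cactus", "river"]
DICEWARE_SIZE = 7776
GUESSES_PER_SECOND = 1_000_000  # attacker speed quoted in the post


def generate_passphrase(wordlist, n_words=4, sep=""):
    """Join n words drawn uniformly at random with a CSPRNG (secrets, never random)."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def search_space(alphabet_size, length):
    """How many candidates an attacker must try to be certain of finding the secret."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Strength in bits: log2 of the search space."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(candidates, guesses_per_second=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at the given guessing rate."""
    return candidates / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS, sep="-"))
    # Four random Diceware words versus eight characters of letters and digits.
    for label, alphabet, length in [("4 Diceware words", DICEWARE_SIZE, 4),
                                    ("8 chars of [a-zA-Z0-9]", 62, 8)]:
        space = search_space(alphabet, length)
        print(f"{label}: {space:,} candidates, {entropy_bits(alphabet, length):.1f} bits, "
              f"{years_to_exhaust(space):,.0f} years to exhaust")
```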
Following these rules might sound like a pain, but it can be even easier than remembering your current passwords, thanks to password managers. Password managers are programs that keep track of your different accounts and passwords for you, usually protected by a single, strong password, and only accessible from your computer or your other devices. There are several different kinds of password managers:
Some web browsers, such as Chrome, Firefox and Safari, have built-in password managers which you can sync between devices by signing into your Google, Firefox or iCloud accounts, respectively (although Firefox will not sync with Android phones).
Microsoft Edge and some operating systems let you save passwords on your computer, although they do not sync between devices.
Online services like LastPass, 1Password, and Dashlane allow you to manage all your passwords across devices with a single account, and often offer additional features like encrypted note-taking.
Advice for businesses that manage user accounts (and passwords)
If your users create accounts with you, this opens you up to potentially significant security issues and liability if you do not take precautions against account hijacking.
There are a few principles you should adhere to in order to mitigate the risk of handling and storing passwords:
Never store passwords. One of the bedrocks of modern cybersecurity is password hashing: the use of clever algorithms which create "hashes" from passwords that can be stored and used to verify a user's password, but can't themselves be used to recover the password. A hash is sort of like a fingerprint; if you store someone's fingerprint you can verify their identity by asking for it again, but unless they can manufacture a fake thumb, someone with a copy of that fingerprint can't impersonate them. Hashing passwords means that, even if an attacker gets access to your database of usernames and password hashes, they can't just log in as those users. Most modern web frameworks, such as Django or Ruby on Rails, will handle this for you, but it is important to check that your framework supports hashing and that you've enabled it (if applicable).
Require strong passwords. A weak password renders all other protections useless. You should give your users the same advice we've given you when choosing a password. Better yet, you should not allow them to set a weak password. Don't require numbers or special characters; do check their password against lists of common passwords or dictionary words and make sure it's not a simple variant on one. There are several software libraries which will check how strong a password is for you; at Coalition we use Dropbox's zxcvbn. Additionally, don't require users to change passwords periodically, since this encourages weak passwords.
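The "simple variant" check described above, as an added illustration (not zxcvbn and not Coalition's code): it undoes the usual tricks (case, trailing "2019!!", "o" to "0") before comparing against the lists. The word lists and the 12-character minimum are constructed assumptions; zxcvbn does this far more thoroughly.

```python
import re

# Constructed stand-ins: a real deployment loads tens of thousands of breached and dictionary words.
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "welcome", "summer", "iloveyou"}
DICTIONARY_WORDS = {"coalition", "insurance", "monkey", "dragon"}

# Reverse the substitutions people make when told to "add a number or symbol".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
EDGE_DECORATION = r"[\d!@#$%^&*.?_-]+"  # "1", "!", "2019", "123!" and the like


def normalize(password):
    """Lower-case, strip leading/trailing digits and symbols, then undo l33t substitutions."""
    core = password.lower()
    core = re.sub(EDGE_DECORATION + r"$", "", core)
    core = re.sub(r"^" + EDGE_DECORATION, "", core)
    return core.translate(LEET)


def is_weak(password, min_length=12):
    """Return (weak, reason). Assumed policy: 12+ characters and not a variant of a known word."""
    if len(password) < min_length:
        return True, "too short"
    core = normalize(password)
    if core in COMMON_PASSWORDS:
        return True, "variant of a common password"
    if core in DICTIONARY_WORDS:
        return True, "variant of a dictionary word"
    return False, "ok"


if __name__ == "__main__":
    for candidate in ["P@ssw0rd2019!!", "Dragon123!!!!", "correcthorsebatterystaple"]:
        print(candidate, "->", is_weak(candidate))
```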
Limit log-in attempts. Even with strong password requirements, some guessable passwords will probably fall through the cracks. You can make guessing passwords much less successful by limiting log-in attempts. There are two ways to do this: either limit the number of attempts that can be made per minute/hour/day, or after some number of incorrect attempts, lock the account and tell the user to contact support. The second method offers more protection, but also means that a hacker or prankster can lock anyone out of their account, so the first method is usually preferred.
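Both strategies from the paragraph above in one small class, added here as an example rather than code from the post: a per-account sliding window (attempts per minute) and an optional hard lockout after a total number of failures. The limits are assumed values, and the clock is injectable so the behaviour can be tested without waiting.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window limiter per account, with optional lockout (the second strategy)."""

    def __init__(self, max_attempts=5, window_seconds=60, lockout_after=None,
                 clock=time.monotonic):
        self.max_attempts = max_attempts        # assumed: 5 failures per window
        self.window = window_seconds            # assumed: one-minute window
        self.lockout_after = lockout_after      # None = never lock (the post's preferred option)
        self.clock = clock
        self._failures = defaultdict(deque)     # account -> timestamps of recent failures
        self._total_failures = defaultdict(int)
        self._locked = set()

    def _recent(self, account, now):
        """Drop failures older than the window and return what is left."""
        q = self._failures[account]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def allowed(self, account):
        """Call before checking the password. Returns (ok, reason)."""
        if account in self._locked:
            return False, "locked: contact support"
        if len(self._recent(account, self.clock())) >= self.max_attempts:
            return False, "too many attempts, retry later"
        return True, "ok"

    def record_failure(self, account):
        self._failures[account].append(self.clock())
        self._total_failures[account] += 1
        if self.lockout_after is not None and self._total_failures[account] >= self.lockout_after:
            self._locked.add(account)

    def record_success(self, account):
        """A correct password clears the window; lockouts stay until support unlocks them."""
        self._failures[account].clear()
        self._total_failures[account] = 0
```

Keying only on the account name leaves guessing spread across many accounts unthrottled, so pair this with a limit per source address as well.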
These basic precautions, whether you take them yourself or require them of your users, take little effort but provide enormous returns.
Finally, don't forget that Coalition policyholders can also make use of our Compromised Credentials app to receive alerts when an employee's data and/or password has been compromised in a third-party data breach. Just one more way that Coalition works with its clients to not only insure risk, but proactively mitigate it.