Murdoch Announcements & Events


Selecting and Managing Passwords - Password Security

Published: 19th October 2020

The internet has taken over the world and passwords are the key to almost everything you do over the internet.


An online survey from SANS says that an internet user on average uses at least three passwords throughout the day. If an individual's or organization's password is compromised, it opens the door for an attacker to access everything that uses that password. A compromised password also gives the attacker a way to impersonate the victim and gain access to other resources, including sensitive and confidential information.

Some of the common Do's and Don'ts for personal password security that will keep your access to computers and their resources more secure include:

Complexity while constructing a password

When creating passwords, industry research from Gartner suggests the longer the password the better. Make the password as long as possible and add complexity by using at least one upper-case and one lower-case character, one number, and one special symbol. Nowadays, most organizations are using passphrases instead of passwords. A passphrase combines multiple words into a long string; a good passphrase should range somewhere from 20-30 characters in length. The idea behind this is that a longer password, even if it relies on simpler words and no special characters, will take longer for a hacker to crack using automatic password cracking software, because it requires more computational resources and time.

Examples: Greentable$harkcrumbl|ng, Tom2yrrej@Z8*#, and the sentence "time is the best manager on the planet", which can be written as "T1m!sth3b3sTm@nager0nthePl@net" so that it is easy to remember but hard for an attacker to crack.
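To show why the article favours length over character-set tricks, here is an added example (not part of the original announcement) that scores its sample passwords: it estimates the brute-force work factor from the character classes the article lists, and, for phrases made of plain words, also the cheaper word-by-word guess. The 12-character minimum for complex passwords, the 20,000-word dictionary and the guessing rate of 1e10 per second are assumed values, not figures from the article.

```python
import math
import string

# Character classes from the article's complexity rule (upper, lower, number, symbol);
# the space is folded into the symbol class so passphrases with spaces can be scored.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation) | {" "},
}

def character_classes(password: str) -> set:
    """Names of the classes that actually occur in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}

def brute_force_bits(password: str) -> float:
    """Work factor (bits) for exhaustive search over the alphabet the password draws from."""
    if not password:
        return 0.0
    alphabet = sum(len(CLASSES[name]) for name in character_classes(password))
    return len(password) * math.log2(alphabet)

def wordlist_bits(phrase: str, dictionary_size: int = 20_000) -> float:
    """Work factor (bits) if the attacker guesses whole words; dictionary_size is assumed."""
    return len(phrase.split()) * math.log2(dictionary_size)

def strength_bits(password: str) -> float:
    """Conservative estimate: a phrase of plain words is only as strong as the cheaper attack."""
    estimate = brute_force_bits(password)
    if " " in password.strip():
        estimate = min(estimate, wordlist_bits(password))
    return estimate

def acceptable(password: str, min_complex_len: int = 12) -> bool:
    """Article's rule: all four classes (min_complex_len is assumed), or a 20+ char passphrase."""
    if len(password) >= 20:
        return True
    return len(password) >= min_complex_len and character_classes(password) == set(CLASSES)

def years_to_crack(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time for a full search at an assumed offline guessing rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    for pw in ["Tom2yrrej@Z8*#", "Greentable$harkcrumbl|ng",
               "time is the best manager on the planet", "T1m!sth3b3sTm@nager0nthePl@net"]:
        bits = strength_bits(pw)
        print(f"{pw!r}: {len(pw)} chars, {bits:.0f} bits, acceptable={acceptable(pw)}, "
              f"~{years_to_crack(bits):.1e} years")
```

Running it shows the 24-character Greentable$harkcrumbl|ng outscoring the 14-character Tom2yrrej@Z8*# despite having no digit, while the plain sentence is rated by its eight words rather than its 38 characters.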

Sharing of passwords

It is a common but dangerous practice to share passwords with family and colleagues. While some sharing of accounts can be tolerated for practicality's sake, it should be only for non-critical systems and applications. These are known as 'generic accounts', as they do not belong to specific individuals, and they must be approved by IT Security prior to use. Generic accounts introduce a lack of accountability, because you cannot attribute actions on a computer or an application to an individual. In addition, once a password is shared, it is often shared again and again with no way of tracking how many people know it.

Reuse of passwords

It's always difficult to remember unique passwords for every application and system you interact with daily. This can be overcome by using a password manager, where you can store all your passwords securely. All you need to do is create a master passphrase for the password manager that conforms to the advice above. Some free password managers available online are:

  • LastPass: https://www.lastpass.com/
  • KeePass: https://keepass.info/
  • Keeper: https://www.keepersecurity.com/en_GB/
  • Password Safe: https://pwsafe.org/
  • Dashlane: https://www.dashlane.com/

Changing passwords regularly

Passwords should be changed at regular intervals. Depending on the criticality of the account, passwords should be changed at least once every 3 months for all critical accounts (the master password for your password manager, Microsoft Exchange and banking passwords) and at least once every 6 months for all non-critical accounts. It might be a daunting task, but if an attacker has gained access without you knowing, it stops them from being able to keep coming back repeatedly. Password managers can help you manage this process.

Multi-factor authentication

Even the best passwords can be cracked using various password cracking techniques. Multi-Factor Authentication adds another layer of security to your accounts in addition to your username and password: something you have. Generally, this is a software or hardware token or a mobile phone app that requires you to confirm that you really are trying to log in to a website, application or system.

Phishing to obtain passwords

No one should ever ask a user to disclose their password by phone, message or email. If someone asks for a password directly or sends you an email with a link to a password login page, always assume they are an attacker, and ignore or block the requester in the future.