How to Strengthen and Manage Passwords

By Eric Noonan • December 12, 2017

In today’s world strong, unique passwords are a necessity. Whether it is a domain administrator password for an organization or a personal online banking account, it is crucial to safeguard information by having a robust password making access to any account or system less easy.

The Old Standard for a Secure Password is No Longer Sufficient

In a recent interview, Bill Burr shared that he regrets some of the recommendations he made back in 2003 regarding what makes a good password. In retrospect, he surmised, humans generally have difficulty generating strong passwords.

As a refresher, Mr. Burr wrote NIST Special Publication 800-62, Appendix A in 2003. This document essentially defined a strong password as a mix of upper and lowercase letters, numbers, and special characters. These days, a password needs other attributes to be considered strong.

What Not To Do

It’s is rather mind-boggling that some folks use the most simplistic passwords for business and personal use. Even in this era of security breaches and data loss, common – and incredibly weak – passwords include “password”, “12345678”, and “qwerty” (http://www.computerworld.com/article/3024404/security/worst-most-common-passwords-for-the-last-5-years.html)

Why does this happen? According to the 2017 version of the NIST Special Publication 800-62, “Research has shown … that users respond in very predictable ways to the requirements imposed by [password] composition rules” (NIST, 2017).

Bottom line: People can and should do better at creating and managing passwords.

What To Do

Two solutions can help you and your organization support better password creation and management. They are:

  • Two-Factor Authentication (2FA) – 2FA it is based on using something a user has and something a user knows to authenticate him or her. A perfect example of 2FA is an ATM. To get money out, a user must insert his ATM card (something he has) and enter a PIN (something he knows). While 2FA used to only be applicable to organizations, many online services such as Gmail, Facebook, and Amazon now allow a user to enable 2FA to further secure access to his or her personal accounts. The website https://www.turnon2fa.com/ provides easy-to-follow tutorials on how to enable 2FA on these services.
  • Password Manager – A password manager such as the opensource Keepass (http://keepass.info/) or the enterprise-level CyberArk privileged account management (PAM) solution provides a cryptographically secure repository and the ability to generate passwords that are both random, complex, and long. (Having your web browser remember your password is not a password manager). A password manager delivers a mechanism to securely store and generate strong passwords so that a user does not have to remember them. In the case of CyberArk, there are also many other features, such as automatic password rotation, privilege session monitoring, and integration with applications for App to App account management.

CyberSheath specializes in the deployment and customization of CyberArk’s PAM solution to fit each customer’s specific use case – and we can help you build the solution that meets your organization’s unique needs. Contact us today for your free assessment.

Cybersheath Blog

3 Reasons Why You Need a Privileged Access Risk Assessment

A privileged account is one used by administrators to log in to servers, networks, firewalls, databases, applications, cloud services and other systems used by your organization. These accounts give enhanced permissions that allow the privileged user to access sensitive data or modify key system functions, among other things. You can…

Incident Response – Learning the Lesson of Lessons Learned

“Those who do not learn from history are condemned to repeat it.” Over the years, variations of this famous quote have been spoken by everyone from philosophers to world leaders. The message — that we must learn from our mistakes or continue to repeat them — is also highly relevant…

What is DFARS 252.204-7012 and NIST SP 800-171?

With the Department of Defense (DoD) promising the release of an update to NIST Special Publication 800-171, it is imperative defense contractors understand what DFARS 252.204-7012 and NIST SP 800-171 Clause is and how noncompliance with the Clause will impact their business.  Compliance is mandatory for contractors doing business with…

Our Trusted Partners

Cyberark McAfee Thycotic RSA Tenable Alien Vault Alert Logic Trace Security