Krome Cast: Tech-IT-Out

Tech-IT-Out: Password Security - How to create strong password policies in 2023

May 04, 2023 Krome Technologies Season 3 Episode 2

In this episode of Krome Cast Tech IT Out, released on World Password Day 2023, we discuss password security best practices and share our tips on password policies and good password hygiene.

A single weak password can be all it takes for a hacker to gain access to sensitive information, putting your business, and clients at risk.

This episode features Krome’s Commercial Director Sam Mager, and Technical Director Ben Randall, sharing their tips on how to review and manage your company’s password policies and make sure your employees are aware of the importance of using strong, unique passwords for all accounts.


Welcome, to Krome Cast, Tech IT Out. I'm Sam Mager, Commercial Director for Krome Technologies, and I'm joined once again, by Ben Randall, Technical Director. Hi, Sam. So today, May the 4th, World Password Day. Yes, indeed. Interesting topic, but let's I guess, if you can give us the three things we're gonna cover today. Yeah, sure. So firstly, we're just gonna go over what is World Password Day, where it came from. Then we're going to look at good password practices. And you know what you should do around that. And then perhaps just touch on how you know what you can do beyond just passwords for security. Okay, so let's dive into it. Let's go into, excuse me. What is World Password Day? Where did it come from? Yeah, sure. So Intel actually started World Password Day off, it appears to be the first Thursday in May. So this is an exception the fact that it's Fourth of May, it's just a coincidence with Star Wars. And it's also perpetuated a little bit more by the NCSC National Cybersecurity Centre in the UK. And the importance of having good password hygiene, how you know, how that can, is important for everyone, not just IT professionals, you know, literally wherever you have a password, your bank, that sort of thing. Of course, yeah. So just try and raise that awareness of don't use, as many people still do, things like 123456. And very basic passwords. Yeah exactly, this kind of brings us into the into the whole, the whole point of it, the good password practices. And this is what the you know, World Password Day was made to raise awareness, it was meant to be NCSC came up with the three random words. And that's easy to remember, it tells you what to do. And, you know, the we can go into the detail on why why that exists. And why that advice is out there, under under sort of the good password practices if you like. Yeah. I mean, it's interesting. We've had discussions offline, and with customers and so on. It's still interesting. 
Sometimes that you still see poor password management, or you speak to someone who, oh, yeah, as, as we may have heard today, you have a password for your everything. And you think it's such a risk? Right? Yeah, exactly. This is this is the challenge. It's, let's face it, it's very easy. If you've got your your, your, your password, you remember, and you use everywhere. Yeah. And the challenge there, it's, it's it's poor hygiene, password hygiene, if if that passwords, great. If that's stored, if you use it everywhere, you think your bank, your social media, your you know, wherever, if that gets breached in one of those locations, and it's the based on your identity is based on your email address, typically, and or your name, something like that. And that password. That means, in all those other places that account has been breached. Yeah. So, and you said that's, if that's your bank, you know that banks tend to have actually introduced MFA and so on. So it's getting better now. But there's a lot of risk there that you've you've literally opened up and this is why you see these sites like, have I been pwned? And so on where they you can put in your ID and you can see if if that's been that that email address has been leaked in the in one of these breaches. Because obviously, you know, if that's happened, you've basically been breached in all sorts of places. Well like you say, It's one it's all. Yes, exactly. If you've if you follow that, so, so really, that the bottom line is, you need to be using a different password for every login, for different places. Obviously, your username is effectively going to be the same. Yes. So the one thing you can change is your password. It's your email these days, typically, right? Yeah, it's the easiest way. But the management, the the bit that, I think the statistic that was thrown around this morning that 53% of people manage their passwords, just simply in their mind. 
And if you've got banking, social media, work, play, all this sort of stuff, you'll have a lot of passwords. So that's why people fall into the trap again, and Yeah. I'll just have a, albeit maybe a good password. Yep. But if it's being attacked from all these different places, someone could eventually crack it, and then you've done everything. So I guess, under the password management bit, some of the what do we advise for the, for the person who's trying to do that? What should you do instead? Yeah, well, Password Manager is the obvious answer, because I don't, I'm not sure how many logins I've got in various sites, it must be it's dozens, possibly hundreds, you know, and I'm not going to remember all those if they're all different. So basically, you need a password manager. There's all sorts of password managers out there. A lot of them are free, you know, for the for the sort of the average user, obviously for an enterprise, there are paid solutions where you can do the whole company. Yeah, And and you can there's a lot of useful features in that with with sharing passwords without people actually knowing them as well, so that that information is hidden but enables the logon to secure sites and so on. So a password manager because obviously that doesn't forget what your password is you're not relying on your brain, on only your brain to remember it. I should never rely on my brain for anything. No. And also that gives the opportunity to remember a much longer password, I say remember, to have a much longer password. Because you know, traditionally you've got the really short passwords. 12345678, which, and I believe the average password length is still eight characters that people use. Which is crazy. Which is extremely easy to break. I don't know if you know of the top of your head but the amount of time an average computer can crack through an eight character password is something, It's just seconds. 
Yeah, it's not a lot of time is it, but I know, it gets exponentially, and I don't, but you might know, but exponentially more difficult as we add characters. Yes. Yeah, absolutely. Absolutely. It's like millions or trillions of times more isn't it? Yeah, I believe, you know, the difference between a 6 and a 12 character password is something the ratio of 62 trillion times harder? Wow, that's quite a lot then. It's in the region that, someone's going to get their calculator out and work out, prove me wrong, but Shoes your socks off, and whatnot. But, Yeah, As an order of magnitude, that's vast, by just having the effort to put in some extra characters. But going back to the three random words thing, isn't it? You know, you can sit at your desk and go oh it's "window chair person" something. Randomness Yeah, exactly. I mean, that's, that's not perfect. But what that does is it makes the password Complexities and some special characters or longer. Yes, those three words are much longer than almost any single word on its own. They don't have what you know, if you're gonna get strict about it, they don't have a great deal of entropy, because they're three known words. So an advanced dictionary search, could perhaps, it's assuming there aren't any funny characters in there. But as soon as you start adding capitalisation or some other something into that, it gets really hard to break those. So, you know, rolling that together, just just the three random words is a good start. Yeah, that really is. Providing that's over, what's our recommended minimum character to a password nowadays in 12, or? Yeah so 12 or more, really, I mean, it's certainly, when I'm making recommendations, I go further than that now. 
But it because it's still, because once you've got people in the habit of using a longer password, it's not that hard to add a couple more, you know, No, this also, I guess, just touch on habits of, and I know we used to have it many years ago, it was here every quarter, it would, you need to change your password. But that gets into, again, it's people remembering and whatnot. And I know that's not our policy, or the policy we recommend now. Yeah, exactly. I mean, NCSC, again, recommend against having that because it makes people tend to do things like have shorter passwords, because it's easier to remember or something that's based on their birthday. Or the old post it note on the laptop. Exactly the post it note under the keyboard. Yeah, so and that sort of thing just defeats the whole purpose of it. So really you want to have people together, so get really good password, if it's their main login sort of thing. And then they can remember that. And, you know, that just really helps with, yeah. I guess, what other tips do you have around that sort of thing? I know, there's some clever stuff you can do, with Azure and in then e-controls and so on, to actually limit Exactly I mean, that brings us on to effectively, what we're talking about is going beyond just the password. So if you imagine you've got an Excel spreadsheet that has, you want to keep it secure, so you put a password on it, then obviously, if that password gets discovered, then it's just a single password against that spreadsheet. But you can use the feature in there to actually base it on your logins. So you could lock down so only, only myself and these other users are allowed to open it. And then you're using the.. Certain groups and so on then? Yeah, exactly. You could lock it down like that. So only these people are able to open it. And their passwords, obviously, I don't know what they are. Yeah. 
And also, I could take them out of it, I don't want to open that up any more for whatever reason, whether sort of the JNL process, you can take them out. And also you can leverage the other features of Azure. So not only as a password, because multi-factor authentication, which is automatically done that, which Excel on its own doesn't really support, but you're leveraging that that feature. Yeah. And we also talked for, excuse me, the importance of multi-factor authentication. It seems second nature, I know to all of us, obviously, but I just, yeah I think it's madness, not to have it now, but we still see that people haven't necessarily, and you get the pushback that it's, oh it's another step, or it's inconvenient. It's like not as inconvenient as losing everything. Yeah, I mean, exactly. I mean, we've had clients who have had near misses on breaches and literally saying, Look, you need to be switching on multi-factor authentication for this important person, this whale now, that's just been phished. And, you know, the pushback is oh, it's he doesn't like to do it, it's expensive, like, well, not as expensive as the breach that you just narrowly, narrowly avoided. You know, and, you know, really once you got in the habit of it, it's not very hard. Let's face it with your with your bank, you happily accept that because if your money got stolen, and it's just the same thing. Just making it, it's thinking of that in the same way as, let's be honest, multi-factor authentication, depending on what sort of device you use is, well it's as difficult as, a thumbprint potentially or or putting in a number. It doesn't slow you down, does it? Really? Yeah, exactly. I mean, we're moving beyond the basic, like just prompt, because that can be a little bit vulnerable in some ways, where you keep getting prompted to just acknowledge that and let someone in, but actually got the number matching, or entering a rolling code. And that's is really good. 
Even if you've got a password that has been breached. You've you've just got that extra layer of security. Absolutely, just think we should probably cover up very quickly before we end. The, and we're seeing it now people doing these forced attacks, obviously the authenticator, just going Bing, bing, bing, bing, bing, don't be tempted to go, Oh, please stop beeping, pay attention to that. Absolutely. Absolutely. And yeah, I mean, that that kind of thing. Also, perhaps auditing your, your, you know, as a company you can do checks on, you take a download of the password database, and you can run checks against that, that's something that we do, and we can do a kind of a brute force attack on those password hashes. And the easy stuff will get, will get unlocked the difficult passwords, we probably won't be able to work out what they are, but that's fine. But the ones that we can then we go back to those users and say like you need to up your game on the password. Absolutely. It's a bit of user training. As always, the right tools, the right technology, the right training and practices, etc. Yeah, exactly. Perfect. Thank you, Ben. Interesting, as always. Alright. Thank you, Sam. And thanks for joining us again on Tech IT Out. Do like, subscribe and share and if there's anything you'd like to talk about in future episodes, please leave in the comment section below. Thank you.
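As an added example that is not part of the episode or Krome's own tooling, the following Python puts numbers to the points discussed above: how much the search space grows with password length, the entropy of a three-random-words passphrase, a minimum-12-character policy check, and the offline audit of a password dump against a known-weak list that is used to tell users to "up their game". The weak-password list, dictionary size and sample accounts are constructed for illustration.

```python
"""Password-policy helpers illustrating the episode's advice (added example).
The weak list, word-list size and sample accounts below are constructed."""
import hashlib
import math

MIN_LENGTH = 12                                    # the episode's recommended minimum
WEAK_PASSWORDS = {"123456", "12345678", "password", "qwerty"}   # constructed list


def search_space(length, alphabet=62):
    """Candidates of exactly `length` characters over `alphabet` symbols
    (62 = a-z, A-Z, 0-9)."""
    return alphabet ** length


def length_ratio(short, long, alphabet=62):
    """How many times larger the search space for `long` is than for `short`."""
    return search_space(long, alphabet) // search_space(short, alphabet)


def passphrase_bits(words, dictionary_size):
    """Entropy of `words` words drawn uniformly from a dictionary of
    `dictionary_size` words: the 'three random words' scheme, before any
    capitalisation or extra characters are added."""
    return words * math.log2(dictionary_size)


def check_password(pw):
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in WEAK_PASSWORDS:
        problems.append("appears on the known-weak password list")
    if len(set(pw)) < 4:
        problems.append("too few distinct characters")
    return problems


def audit_hashes(dump, weak):
    """Offline audit of a dump {user: sha256 hex} against a weak list: returns
    the users whose stored hash matches a known-weak password, so they can be
    asked to choose a better one. Unsalted SHA-256 keeps the sample small; a
    real credential store should use a salted, slow hash instead."""
    lookup = {hashlib.sha256(w.encode()).hexdigest(): w for w in weak}
    return sorted(user for user, h in dump.items() if h in lookup)


SAMPLE_DUMP = {                                    # constructed accounts
    "alice": hashlib.sha256(b"WindowChairPerson").hexdigest(),
    "bob": hashlib.sha256(b"12345678").hexdigest(),
}
```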