Most users will create a password using a single word, and then add a number to it each time they are required to change the password.
Yes, they can add an upper case character and a non-alphanumeric if required, but the other elements remain the same.
Unless the organisation is running single sign-on, where the user only needs one password across the organisation, each system will require its own password.
It is more than likely that a user will use the same password for everything as it makes it easier for them to remember.
Having insecure passwords used across all systems creates a single point of failure – the password itself.
If the password is not sufficiently complex, it will not take long for a brute force attack to determine what the password is.
If this password is also used on the internet and one website is compromised, the entire password, and all systems the password is used on, are also compromised.
There is also a law of diminishing returns here – the more complex we make it for the user by enforcing more stringent passwords, the more difficult we make it for the user to manage their passwords.
Some users will write them down in a notebook, or will store them in an Excel spreadsheet on their computer. Whilst this is better than having a single password, it is not secure, as the data is not encrypted and is only stored on one device.
Technical Tools and Measures
Password Management Tools
There are a number of password management utilities available that assist in managing passwords. I am going to focus on one commercial application, 1Password, as this is the application I use on a daily basis; other applications such as KeePass and LastPass perform similar functions.
1Password creates a single encrypted “vault” which contains all of a user’s passwords.
It allows the user to set one secure, complex password that they can remember to open the vault.
The application will then allow the user to manage their passwords, by generating random, complex passwords for them for each website, ensuring that each site password is unique.
Once set up and in use, there is a plug-in for each web browser, meaning that the user simply needs to log in to the vault with their memorised password, and they can then automatically enter the username and password from 1Password into their chosen website.
The user can also copy the username and password and paste them into the logon box of non-web-based applications.
The data file containing the passwords is encrypted locally on the user’s workstation, and can also be synchronised using a cloud storage service to smartphones, tablets and other computers that the user may own.
Whilst it is still possible that the 1Password vault could be cracked by an attacker trying to gain access to a user’s password data, this is still much more secure than a single password for everything.
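To make the vault model concrete, here is an added example (my own illustration, not 1Password's code or design) of the three ideas above: one memorised master password stretched with PBKDF2 and checked in constant time, a CSPRNG-generated password per site, and a uniqueness guarantee across the vault. Encryption of the entries at rest is deliberately not shown, since it needs an AEAD cipher from a third-party library; the iteration count, salt length and character set are my assumptions.

```python
import hashlib
import hmac
import secrets
import string

# Added illustration, not 1Password's code: a minimal model of a vault that is
# opened with one memorised master password and holds a distinct random
# password for every site.

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"   # assumed symbol set
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def generate_password(length: int = 20) -> str:
    """Return a random password drawn from the OS CSPRNG that contains at least
    one lower-case letter, upper-case letter, digit and symbol."""
    if length < 4:
        raise ValueError("length must be at least 4 to cover every class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in (LOWER, UPPER, DIGITS, SYMBOLS)):
            return candidate


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password with PBKDF2-HMAC-SHA256 so that each guess
    against the vault costs an attacker `iterations` hash operations."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations)


class Vault:
    """One master password guards many unique, generated site passwords."""

    def __init__(self, master_password: str, iterations: int = 600_000):
        self._salt = secrets.token_bytes(16)       # per-vault random salt
        self._iterations = iterations
        # Store only a verifier derived from the key, never the key or password.
        self._verifier = self._make_verifier(master_password)
        self._entries: dict[str, str] = {}
        self._unlocked = False

    def _make_verifier(self, master_password: str) -> bytes:
        key = derive_key(master_password, self._salt, self._iterations)
        return hmac.new(key, b"vault-verifier", "sha256").digest()

    def unlock(self, master_password: str) -> bool:
        """Constant-time comparison so timing does not reveal how much matched."""
        self._unlocked = hmac.compare_digest(self._make_verifier(master_password), self._verifier)
        return self._unlocked

    def lock(self) -> None:
        self._unlocked = False

    def add_site(self, site: str, length: int = 20) -> str:
        """Generate a password for `site`, regenerating until it is unique in the vault."""
        if not self._unlocked:
            raise PermissionError("vault is locked")
        password = generate_password(length)
        while password in self._entries.values():
            password = generate_password(length)
        self._entries[site] = password
        return password

    def get(self, site: str) -> str:
        if not self._unlocked:
            raise PermissionError("vault is locked")
        return self._entries[site]


if __name__ == "__main__":
    vault = Vault("correct horse battery staple", iterations=100_000)
    vault.unlock("correct horse battery staple")
    for site in ("mail.example", "bank.example", "forum.example"):
        print(site, vault.add_site(site))
```

The point of the verifier is that the vault file never contains anything an attacker can use directly: with the salt and a high iteration count, every guess at the master password is slow, and a correct guess still only unlocks the one vault.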
Some password management applications now support sharing, for example within a team or family group, so that a defined set of people can share passwords.
System Auditing and Policy
Auditing failed logon attempts, locking out users after a predetermined number of failed attempts, and only forcing users to change passwords when someone believes them to be compromised, are also good practice measures to increase the security of passwords.
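As an added example (not from the post), the following script evaluates the first two of those measures over a log of logon attempts: it counts failed logons per user within a sliding time window, locks the account once the threshold is reached, and flags any further attempts against a locked account. The log format, the sample lines and the 5-failures-in-15-minutes policy are constructed for this illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format for this example: "<timestamp> FAILED|SUCCESS user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<result>FAILED|SUCCESS) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: alice fails five times inside the window, bob fails
# twice then succeeds, carol fails five times but spread 20 minutes apart.
SAMPLE_LOG = """\
2024-03-01 08:00:00 FAILED user=carol src=10.0.0.7
2024-03-01 08:20:00 FAILED user=carol src=10.0.0.7
2024-03-01 08:40:00 FAILED user=carol src=10.0.0.7
2024-03-01 09:00:00 FAILED user=carol src=10.0.0.7
2024-03-01 09:00:01 FAILED user=alice src=10.0.0.5
2024-03-01 09:00:02 FAILED user=alice src=10.0.0.5
2024-03-01 09:00:03 FAILED user=bob src=10.0.0.9
2024-03-01 09:00:04 FAILED user=alice src=10.0.0.5
2024-03-01 09:00:05 FAILED user=bob src=10.0.0.9
2024-03-01 09:00:06 SUCCESS user=bob src=10.0.0.9
2024-03-01 09:00:07 FAILED user=alice src=10.0.0.5
2024-03-01 09:00:08 FAILED user=alice src=10.0.0.5
2024-03-01 09:00:09 SUCCESS user=alice src=10.0.0.5
2024-03-01 09:20:00 FAILED user=carol src=10.0.0.7
this line is not a logon record
"""


def evaluate_lockouts(log_text, threshold=5, window=timedelta(minutes=15)):
    """Replay the log in order and apply the lockout policy.

    Returns (locked, alerts, skipped):
      locked  - dict of user -> datetime at which the lockout triggered
      alerts  - human-readable alert strings in log order
      skipped - number of lines that did not parse
    """
    recent = defaultdict(deque)   # user -> timestamps of recent failures
    locked = {}
    alerts = []
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1          # malformed line: count it, do not crash the audit
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        user = m["user"]
        if user in locked:
            # Any activity on a locked account is worth a look, a success especially.
            alerts.append(f"{ts} {m['result']} on locked account {user} from {m['src']}")
            continue
        failures = recent[user]
        if m["result"] == "SUCCESS":
            failures.clear()      # policy choice: a successful logon resets the counter
            continue
        failures.append(ts)
        while failures and ts - failures[0] > window:
            failures.popleft()    # drop failures that fell out of the sliding window
        if len(failures) >= threshold:
            locked[user] = ts
            alerts.append(f"{ts} LOCKOUT {user}: {len(failures)} failures within "
                          f"{int(window.total_seconds() // 60)} min from {m['src']}")
    return locked, alerts, skipped


if __name__ == "__main__":
    locked, alerts, skipped = evaluate_lockouts(SAMPLE_LOG)
    for a in alerts:
        print(a)
    print("locked:", sorted(locked), "skipped lines:", skipped)
```

Carol is the instructive case: five failures is the same total as alice, but because they are spread across more than the window they never trigger a lockout, which is why a detection rule should also report slow, repeated failures as a separate lower-severity finding.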
Training users on how to create a secure password that they can remember, and that isn't based on their pet's name, part of their date of birth or their house number, is also useful.
Training them on how to easily remember their password, and not share it with others can dramatically increase security.
Use of Diceware passwords
Diceware passwords were originally generated by rolling a number of six-sided dice to generate a unique numerical password that could be remembered.
In recent times, this technique has also been used to generate a password using several non-related words that a user can remember in a sequence, for example “advocacy extend disjoint vial inviting”.
This type of password is much harder to brute force, as there is no sequence or mathematical relationship between the words, but it is easier for a user to remember than, for example, Adv0cacy1.
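The following added example (my own code, not from the post or the Diceware project) ties this section to the earlier point that an insufficiently complex password does not take long to brute force. It simulates the dice rolls with the operating system's CSPRNG, maps each roll to a word list with rejection sampling so every word stays equally likely, and then compares the guess space of a five-word passphrase with that of an Adv0cacy1-style password. The 30-word list is a constructed stand-in for the real 7,776-word Diceware list, and the 50,000-word dictionary and 10 billion guesses per second used in the comparison are assumptions chosen for illustration.

```python
import math
import secrets

# Constructed 30-word stand-in for a Diceware list (the real list has 7,776 words).
WORDS = [
    "advocacy", "extend", "disjoint", "vial", "inviting", "anchor", "basil",
    "cobalt", "dune", "ember", "fjord", "gravel", "harbor", "ivory", "jigsaw",
    "kettle", "lantern", "marble", "nectar", "orbit", "pepper", "quartz",
    "ripple", "saddle", "timber", "umbra", "velvet", "walnut", "yarrow", "zephyr",
]


def dice_per_word(list_size: int) -> int:
    """Smallest number of six-sided dice whose outcomes can index the whole list."""
    n = 0
    while 6 ** n < list_size:
        n += 1
    return n


def roll_index(n_dice: int, rng=secrets.randbelow) -> int:
    """Roll n dice and read them as a base-6 number (face value minus one per die).

    `rng(6)` must return a uniform integer in 0..5; secrets.randbelow does so
    from the OS CSPRNG and stands in for the physical dice."""
    idx = 0
    for _ in range(n_dice):
        idx = idx * 6 + rng(6)
    return idx


def diceware_passphrase(words, n_words: int = 5, rng=secrets.randbelow) -> str:
    """Pick n_words independently and uniformly from `words`."""
    n_dice = dice_per_word(len(words))
    chosen = []
    while len(chosen) < n_words:
        idx = roll_index(n_dice, rng)
        if idx >= len(words):
            continue          # rejection sampling: a reroll keeps the choice uniform
        chosen.append(words[idx])
    return " ".join(chosen)


def bits_of_entropy(choices_per_component) -> float:
    """Entropy of a password built from independent components, each drawn
    uniformly from the given number of choices."""
    return sum(math.log2(c) for c in choices_per_component)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


# Assumed attacker model for the comparison below.
DICTIONARY_SIZE = 50_000        # assumption: size of a typical cracking wordlist
GUESSES_PER_SECOND = 1e10       # assumption: offline attack against a fast hash

# Adv0cacy1 modelled as: dictionary word, optional capital first letter,
# optional o->0 substitution, one trailing digit.
WORD_WITH_DIGIT_BITS = bits_of_entropy([DICTIONARY_SIZE, 2, 2, 10])
# Five words chosen uniformly from the full 7,776-word Diceware list.
FIVE_WORD_BITS = bits_of_entropy([7776] * 5)


if __name__ == "__main__":
    print("generated:", diceware_passphrase(WORDS))
    for label, bits in (("Adv0cacy1-style", WORD_WITH_DIGIT_BITS), ("5 Diceware words", FIVE_WORD_BITS)):
        print(f"{label:18s} {bits:5.1f} bits  ~{years_to_exhaust(bits, GUESSES_PER_SECOND):.2e} years")
```

Two details matter in practice: the words must be chosen by the dice (or a CSPRNG), not by the user picking "random-looking" words, and the strength comes from the size of the list and the number of words rather than from any property of the words themselves, which is why a short list like the 30-word stand-in above would need far more words to reach the same number of bits.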
The UK National Cyber Security Centre have also published a useful infographic here on how to simplify the approach to password guidance, whilst ensuring security.
How do you manage your passwords? Let me know in the comments below.