How to Protect Your Passwords
The Old Switcheroo
A few years ago the National Institute of Standards and Technology (NIST) changed its advice for organizations about passwords. No longer did it advise organizations to require password changes, but instead offered this amendment in its Digital Identity Guidelines:
- Users should not be told to change passwords according to a schedule, but only when a password is known to have been compromised.
Why do you think NIST made this change? Is it because a new, lengthy, random-character password is not an effective defense any more? Of course not.
The answer lies in the overwhelming evidence of poor password practices. People end up deceiving themselves that they are acting securely, but most of the time they are just going through the motions and, in fact, making things worse. And by worse, I mean that the aggravation some feel about having to set a new password makes them even lousier at picking a decent one.
As shown in the previous article, people do not naturally think in terms of user names and passwords. People think in terms of likeness, voice, gesture – well, a million subtle human cues to distinguish one person from another. But passwords? They’re not part of our instinctive human vocabulary.
I Tell You I’ve Got Enough To Do
We’re also lazy. The Daily Coach shows that the brain looks for just about any excuse to avoid the work we ask of it. I remember being told by a business editor: write the story like the intended media itself, because editors are lazy. Nothing against editors. Editors are people too.
Most innovations in technology answer the question of how something can be done faster (and sometimes even better). And we turn to machines to communicate instantly or to carry out some bothersome task.
Excuse Me for Being Human
And so the stats show we give passwords the same very human short shrift. Yet passwords persist all over computing, from Windows 11 startup to Apple IDs to Google accounts. And once inside your device, it is the rare piece of software that doesn’t require a password.
So this leaves a quandary: easy to remember means easy for anyone to guess. I wrote last week about why criminals want your employees’ passwords, including snooping for banking info and trying for better network privileges. So following is a password-protection guide, also available as a printable download:
11 Ways To Improve Password Practices
- Passwords need to be unique to each account (e.g. the password at Microsoft is not the same as at Google, so one criminal breach doesn’t expose more than one account)
- Passwords cannot be reused (i.e. don’t recycle no-longer-used passwords; those might have been breached)
- Passwords cannot be made of letter/number/symbol substitutions (e.g. shell written as 5he!!; criminals’ software now guesses these substitutions fast, so don’t count on that as your version of security)
- Passwords cannot be based on user names or email addresses (too easy for software to guess)
- Passwords are not considered new when slightly changed (e.g. by adding a 1 or !; criminals’ software again)
- Passwords must be of a certain length (to keep ahead of password-cracking programs, 2024 advice is at least fifteen characters)
- Passwords should be stored in either
  - a strong-password-protected and encrypted digital way (like in a password manager) or
  - a secure physical way, like in a locked file cabinet
- Password sharing is not a good idea; if necessary, limit it to encrypted methods (like an encrypted PDF)
- Consider password manager software (like LastPass, BitWarden, 1Password, etc.) that creates and stores strong, complex passwords (some products allow admin oversight of employee passwords)
- Check if your email address has been breached at haveibeenpwned.com or through dark web monitoring that can watch whether any email address from your domain has appeared in a breach
- Turn on multifactor authentication (MFA) whenever possible (MFA makes your employees confirm their identity in more than one way [like with both an email address and an authenticator app on a phone] to cut the risks of exposed passwords)
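The rules above are the kind of thing a password-change form should enforce automatically. The checker below is an added example, not part of the article or any product it names; the wordlist, the substitution table, the 0.8 similarity threshold and the sample user names are constructed assumptions.

```python
import difflib
import re

MIN_LENGTH = 15          # the article's 2024 guidance
SIMILARITY_LIMIT = 0.8   # above this, a "new" password is just a tweak of the old one (assumption)

# Constructed stand-in for a cracking wordlist (assumption; real lists are huge).
COMMON_WORDS = {"shell", "password", "welcome", "summer", "dragon", "monkey"}

# Substitutions that cracking rule sets undo instantly (5he!! -> shell).
LEET = str.maketrans({"0": "o", "1": "l", "!": "l", "3": "e", "4": "a",
                      "5": "s", "$": "s", "7": "t", "@": "a", "|": "l"})


def normalize(pw: str) -> str:
    """Lower-case, undo leet swaps and drop leftover digits/symbols."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def check_password(pw: str, username: str, email: str, previous=()) -> list:
    """Return the article's rules that `pw` breaks; an empty list means it passes.

    `previous` is the user's password history in plaintext for the demonstration only;
    a real system keeps hashes and runs the similarity check at change time, when the
    old plaintext is still in hand.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if normalize(pw) in COMMON_WORDS:
        problems.append("dictionary word with letter/number/symbol substitutions")
    identity = {username.lower(), email.lower().split("@")[0]}
    if any(part and part in pw.lower() for part in identity):
        problems.append("based on user name or e-mail address")
    for old in previous:
        if old == pw:
            problems.append("reused")
        elif difflib.SequenceMatcher(None, old.lower(), pw.lower()).ratio() >= SIMILARITY_LIMIT:
            problems.append("slight change of a previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample: the article's own substitution example, for user "bob".
    print(check_password("5he!!", "bob", "bob@example.com"))
```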
Online resources to help generate good passwords:
- Steve Gibson’s password generator is at grc.com/passwords.htm
- University of Illinois has a password-strength checker at uic.edu/apps/strong-password
Putting Passwords to Paper
If you’re not going to have employees use a password manager, and still want to have good passwords, how do you store them?
The first password breach (described in Part 1) came from keeping a text file of passwords on the same computer system that used them. It was not secure, and this practice remains very vulnerable.
The paper method of password storage is good if the paper is kept out of sight and protected like any valuable document.
But 15-character or longer random-character passwords are hard to write down accurately.
More than ten years ago an XKCD comic promoted stringing together something like correct, horse, battery and staple to make what’s been called a pass-phrase: correcthorsebatterystaple. Because that scheme was published so long ago, criminals’ software can break it. So if you’re going to use paper, for better security modify the four random words to something like correct582horse%*batterySTAPLE (don’t really use these examples).
One More Thing
Here are a couple of final thoughts about password protection:
Passwords should be just one layer in a multi-layered defense strategy. So wherever you can, add MFA as an additional proof of identity. The more secure forms of MFA are a physical USB key and an authenticator app on a phone that generates a new code every thirty seconds. Email- and text-based MFA codes are better than none, but can be more easily compromised.
Consider also a Single Sign-On solution for your organization, in which one MFA-protected login lets employees access what they need to do their work. No additional user name and password combinations are asked of the Single Sign-On employee.
Last, set limiting network policies and account permissions and privileges, so that the damage from a compromised password is contained. When you limit what’s accessible to employee X, then if that employee’s account is compromised, everything outside that one employee’s reach is theoretically safe. Work with your IT department to configure these properly.
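The thirty-second authenticator code is the TOTP algorithm of RFC 6238: an HMAC over a counter that advances once per time step, so a stolen code is useless after the window closes. This is an added illustration, not the article's or any vendor's code; the secret is the RFC's published test-vector key, and the one-step drift tolerance is an assumption about server policy.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # the thirty-second window the article mentions


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = number of 30-second steps since the Unix epoch.

    Every time inside the same step yields the same code; the next step yields a new one.
    """
    return hotp(secret, unix_time // STEP_SECONDS, digits)


def verify(secret: bytes, submitted: str, unix_time: int,
           drift_steps: int = 1, digits: int = 6) -> bool:
    """Server-side check: accept the current step plus `drift_steps` on either side
    (assumed policy, to tolerate clock skew), comparing in constant time so response
    timing does not reveal how many digits matched."""
    counter = unix_time // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), submitted)
               for d in range(-drift_steps, drift_steps + 1))


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test-vector secret, not a real key
    print(totp(secret, int(time.time())))
```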