Password Security.. is it still relevant? You bet.

Everyone talks about the important of having a secure password these days – but how important is it really?

Cybersecurity is a global issue these days with all organizations. Passwords tend to be one of those often overlooked facets. “Why have a secure password, the firewalls and antivirus will protect me.. right?” Well, it’s not that simple.

To understand the degree of risk an individual or organization takes by having a simple password – let’s first learn the steps an attacker might take to gain access to your information. Sometimes the attacker isn’t even after your password…

More and more phishing campaigns are now targeted – that is, the attacker has done research prior to contacting an individual. Did you know attackers will often scan organization websites, Facebook & LinkedIn accounts in order to extract information regarding that individuals job title, responsibilities & interests?

They can then use this to leverage a sophisticated phishing email against the individual.

Here’s a scenario:

Attacker views Employee A’s LinkedIn profile to determine they work at Ice Cream Corp as a Payroll Supervisor. They also learn through Facebook, they’re friends with Employee B, so the attacker has determined they’re close friends – they will use this knowledge to their advantage.

Attacker spoofs Employee B’s email address and emails Employee A to have their payroll information updated to a new bank number.

Because Employee A assumes it’s Employee B making the request – the change is made to the payroll information. Since these two are friends, an exception is made to validate any secondary form of identification. The attacker has now carried out a successful scam to steal sensitive payroll data from the organization.

Seems like a pretty legitimate request though, right? Wrong. Poor Employee B will be wondering why they didn’t get paid at the next payroll.

This is more of a common practice than you would think – attackers will often profile their victim to learn as much as they can – what their position is, their department, their friends, etc. This helps to strengthen their chances of success by leveraging this in their favor.

Back to passwords.

A very common practice is brute forcing. This is an extremely common technique attackers use to break a password. Did you know the majority of individuals use the same password at work for sensitive accounts as they do for personal ones? Attackers know this and will use this to their advantage – often hacking all of an individual’s accounts in a very short time.

By the way, a brute force can attempt up to 15 million password attempts per second. If you think your password is secure, think again.

With such sophisticated techniques and malicious behavior at play, what can we do to prevent unauthorized information from leaking from an organizations?

Create a strong password
This probably seems obvious by now, but what exactly constitutes as a secure password?

To narrow that down, lets first understand how long it takes an attacker to brute force a password based on the following complexity & character lengths:

length: 4, complexity: a-z ==> less than 1 second

length: 4, complexity: a-zA-Z0-9 + symbols ==> 4.8 seconds

length: 5, complexity: a-zA-Z ==> 25 seconds

length: 6, complexity: a-zA-Z0-9 ==> 1 hour

length: 6, complexity: a-zA-Z0-9 + symbols ==> 11 hours

length: 7, complexity: a-zA-Z0-9 + symbols ==> 6 weeks

length: 8, complexity: a-zA-Z0-9 ==> 5 months

length: 8, complexity: a-zA-Z0-9 + symbols ==> 10 years

length: 9, complexity: a-zA-Z0-9 + symbols ==> 1000 years

length: 10, complexity: a-zA-Z0-9 ==> 1700 years

length: 10, complexity: a-zA-Z0-9 + symbols ==> 91800 years

For best password security, anything less than 10 characters is considered less than optimal. 10 or more characters including upper/lower case letters, numbers & symbols is preferred.

For full Password Best Practices – see Ministry of Education guide online here.

Adopting a Defensible Security Mindset

In today’s rapidly changing Cyber Security landscape, Cyber threats are at an all-time high. Defensible Security is about adopting not only a culture around security & privacy awareness, but actively working to prevent the majority of threats. No organization is immune to Cyber Attacks – adopting good Cyber Security hygiene will assist in mitigating the risk of today’s digital landscape.

While a true Defensible Security model is a organization wide effort, being aware of good practices will enable and empower all members of an organization to contribute to the security and safety of sensitive data. Image borrowed from the Ministry of Education Def Security website.

Here are some resources to assist in awareness & prevention of common phishing, phone & fraud scams.

Avoiding Telephone Scams
Phishing for SPAM – techniques to detect and avoid fraudulent emails
Ransomware awareness

For a full list of resources, see the Ministry of Education Security Awareness page.