Username & Password Management
It should really be common sense when thinking about your username & password management process, but people need to avoid using usernames & passwords that are easy for hackers to guess.
This might sound like a difficult proposition, but it is a fairly simple exercise, especially once you understand the common practices hackers use to try to “guess” your password.
Low Security Account Credentials
Among the top ten worst passwords according to www.splashdata.com are those that use a series of numbers in numerical order, such as . The names of popular sports such as and are also on the list as are quirky passwords such as and even the word itself.
Emphasis should also be placed on the importance of avoiding common usernames. In analysis conducted by the information security firm Rapid7, hackers most often prey upon these 10 usernames in particular:
How Attackers Exploit Weak Passwords to Obtain Access
While most websites don’t store the actual passwords, they do store a password hash for each username. A password hash is a form of encryption, but cybercriminals can sometimes use the password hash to reverse engineer the password. When passwords are weak, it’s easier to break the password hash.
Here is a list of common word mutations hackers use to identify passwords if they feel they already have a general idea of what the password might be:
- Capitalizing the first letter of a word
- Checking all combinations of upper/lowercase for words
- Inserting a number randomly in the word
- Placing numbers at the beginning and the end of words
- Putting the same pattern at both ends, such as
- Replacing letters like and with numbers like and
- Punctuating the ends of words, such as adding an exclamation mark (!)
- Duplicating the first letter or all the letters in a word
- Combining two words together
- Adding punctuation or spaces between the words
- Inserting @ in place of
This is why it is important to educate all users about these tactics, and it underscores the importance of creating long passwords (at least 12 characters) with several of these variations applied at once, rather than just capitalizing the first letter.
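As an added example (not code from the original article), the following Python check applies the mutation list above in reverse: it normalizes a candidate password (strips numbers and punctuation from the ends, undoes letter-for-number substitutions, removes inserted separators, collapses duplicated letters) and then compares the result, and any two-word combination, against a list of banned base words, while also enforcing the 12-character minimum. The substitution table and the banned-word list are small constructed assumptions for illustration; a real deployment would load a full common-password list.

```python
import re
import string

# Constructed sample of banned base words (a real list would be much larger).
BANNED_WORDS = {"password", "football", "baseball", "welcome", "monkey", "letmein"}

# Assumed common letter-for-digit/symbol substitutions, mapped back to letters.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def collapse(word: str) -> str:
    """Remove consecutive duplicate letters: 'ppaassword' -> 'pasword'."""
    return re.sub(r"(.)\1+", r"\1", word)


# Banned words are stored in collapsed form so duplicated-letter mutations match.
BANNED_COLLAPSED = {collapse(w): w for w in BANNED_WORDS}


def normalize(candidate: str) -> str:
    """Undo the listed mutations so 'P@ssw0rd1!' reduces to 'password'."""
    s = candidate.lower()                                   # case mutations
    edges = string.digits + string.punctuation + string.whitespace
    s = s.strip(edges)                                      # numbers/punctuation at the ends
    s = s.translate(LEET_MAP)                               # letters replaced by numbers/symbols
    return re.sub(r"[^a-z]", "", s)                         # inserted digits, spaces, separators


def banned_base(candidate: str):
    """Return the banned word(s) the candidate reduces to, or None."""
    s = collapse(normalize(candidate))
    if s in BANNED_COLLAPSED:
        return (BANNED_COLLAPSED[s],)
    for c, w in BANNED_COLLAPSED.items():                   # two banned words combined
        rest = s[len(c):]
        if s.startswith(c) and rest in BANNED_COLLAPSED:
            return (w, BANNED_COLLAPSED[rest])
    return None


def check_password(candidate: str) -> list:
    """Return a list of policy problems; an empty list means the password passes."""
    problems = []
    if len(candidate) < 12:
        problems.append("shorter than 12 characters")
    hit = banned_base(candidate)
    if hit:
        problems.append("mutation of common word(s): " + " + ".join(hit))
    return problems
```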
17 Tips to Strengthen Password Security
- Change passwords at least every three months for non-administrative users and 45-60 days for admin accounts.
- Use different passwords for each login credential.
- Avoid reusing an old password for at least a year.
- Be sure no one watches you enter your password.
- Don’t tell anyone your password.
- Always log off or lock your computer when you walk away from your desk.
- Avoid generic accounts and shared passwords.
- Conduct audits periodically to identify weak/duplicate passwords and change as necessary.
- Pick challenging passwords that include a combination of letters (upper and lower case), numbers and special characters (e.g. $, % and &).
- Avoid personal information such as birth dates, pet names and sports.
- Use passwords or passphrases of 12+ characters.
- Use a password manager such as LastPass, where users need just one master password (though obviously this master password needs to be highly complex as well).
- Don’t use a browser’s auto-fill function for passwords.
- Use comprehensive and up-to-date security software to avoid malware and keyloggers.
- Don’t write your passwords down on sticky notes and leave them on your desk or computer screen.
- Avoid entering passwords when using unsecured Wi-Fi connections at the airport or coffee shops.
- Avoid entering passwords on computers you don’t control, such as computers at an Internet café or library, which may not have security in place or may contain malware that can steal your passwords.
An advanced and under-used password security tip to consider is two-factor authentication, which is a way for websites to confirm an end user’s identity a second time. After the end user successfully logs in, they receive a text message containing a passcode, which they then enter to complete authentication.
This approach makes sure that end users not only know their passwords but also have access to their own phone. Two-factor authentication works well because cybercriminals rarely steal an end user’s password and phone at the same time. Leading banks and financial institutions enable two-factor authentication by default, but if not, the service can often be turned on by asking the website to do so. More and more non-financial websites are now offering two-factor authentication as well.
Stay tuned for next week’s chapter on Mobile Security.