Data breaches are a dime a dozen these days. But when hackers steal databases full of customer info, login names, and passwords, the passwords themselves aren’t usually sitting out in plain sight. Typically, the passwords will be cryptographically hashed.
Hashing a password takes a string of any length (the password, in this case) and produces a fixed-length hash value. Password cracking tools try to guess which password produces a given hash. That is why strong passwords matter: they make the guessing process time-consuming and, ideally, infeasible.
I asked a friend, IT security expert Josh Kaldor, about what makes a good password, and he had quite a lot to say on the subject. Josh did research, creating hashes using various combinations of passwords with different attributes, then cracked them and compared the results against a benchmark. Here are some of his conclusions:
Common methods used to create “strong” passwords
Phrases are a great way to meet password length and complexity requirements.
A common problem here is that users will be apt to choose non-random (guessable/relatable) phrases or pop-culture references such as ‘TheHungerGames1’ which are subject to obvious dictionary attacks. The words have to be non-relational.
Using acronyms to create a password is a handy way to hamper Dictionary Attacks on your password and create a password that is hard to remember for the person who doesn’t know the acronym behind it.
The issue here is that it’s hard to create a long string, and if a user adds digits to the end, it is incredibly weak (as crackers assume digits or modifiers at the start or end). Make these passwords stronger by combining them with a phrase.
Like the acronym method, a pattern method is great for creating a seemingly illogical string that is hard to remember and will foil Dictionary Attacks. The issue in this case is people’s tendency to use similar patterns (like QWERTY), which in turn play right into the Dictionary Attack’s hands.
Considerations for the Auditor
PCI-DSS requirements for a strong password include the password being at least seven characters long and including uppercase, lowercase, numerical, special characters, and more. Other compliance standards require very similar sets of attributes.
As an auditor, you should go above and beyond by providing recommendations like educating end users on what makes a strong password, identifying common characteristics of weak passwords, and ensuring other strong preventative controls are in place. Controls might include:
- Checking for the adoption of a Clean Desk Policy and adherence to it.
- Checking for passwords being passed in support tickets or emails.
- Verifying that new users are required to change their password when they first log in.
- Verifying that passwords are not stored unencrypted within databases.
- Verifying that even internal systems (such as ticketing and help desk systems) utilize encrypted communications since users on the network could be packet sniffing and capture passwords that might be passed in plain text.
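As an added example (not from the original post or from Josh's research), here is a small Python checker that encodes the weak-password characteristics described above: the PCI-DSS seven-character, four-class minimum, keyboard patterns like QWERTY, passwords built only from dictionary words, and digits or modifiers tacked onto the end. The wordlist and keyboard-pattern list are constructed placeholders; a real audit would use a full cracking dictionary.

```python
import re
import string

# Constructed stand-in for a cracking wordlist (assumption: a real check would load
# a full dictionary or leaked-password corpus instead of this handful of words).
COMMON_WORDS = {"the", "hunger", "games", "password", "welcome", "summer", "admin"}
# Constructed list of keyboard runs that crackers try early.
KEYBOARD_RUNS = ("qwerty", "asdf", "zxcv", "12345", "1qaz")


def pci_complexity_ok(pw: str) -> bool:
    """PCI-DSS style minimum: at least 7 chars with upper, lower, digit and special."""
    classes = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    return len(pw) >= 7 and all(classes)


def split_words(pw: str) -> list[str]:
    """Split on CamelCase, digit and symbol boundaries.

    'TheHungerGames1' -> ['the', 'hunger', 'games', '1']
    """
    pattern = r"[A-Z]?[a-z]+|[A-Z]+(?![a-z])|\d+|[^A-Za-z\d]+"
    return [part.lower() for part in re.findall(pattern, pw)]


def weak_characteristics(pw: str) -> list[str]:
    """Return the list of weak-password traits found; an empty list means none."""
    findings = []
    if not pci_complexity_ok(pw):
        findings.append("fails PCI-DSS minimum complexity")
    if any(run in pw.lower() for run in KEYBOARD_RUNS):
        findings.append("keyboard pattern")
    words = [p for p in split_words(pw) if p.isalpha()]
    if words and all(w in COMMON_WORDS for w in words):
        findings.append("built only from dictionary words")
    # Crackers assume digits or symbols sit at the start or end, so a modifier
    # appended to otherwise letter-based content adds almost no strength.
    if words and re.search(r"\d+[^A-Za-z\d]*$", pw):
        findings.append("digits/modifier appended to end")
    return findings


if __name__ == "__main__":
    for candidate in ("TheHungerGames1", "Qwerty123!", "Vortex*Pillow7lantern!Quilt"):
        print(candidate, "->", weak_characteristics(candidate) or "no weak traits found")
```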
My IT Security guru friend Josh hopes the industry will push for further adoption of two-factor options such as OTP keys.
For more information on password cracking, check out this amazing article! A special thank you to my friend, Josh Kaldor, for sharing his insight with us for this post!