Raising awareness quickly: A look at basic password hygiene

Rapid7's tips for strengthening your first line of defense

Continuing a running series for National Cyber Security Awareness Month, Rapid7 has released another easily emailed awareness note. This time the topic is passwords, something that can either make or break a person's overall level of security.


Passwords are often seen as a lackluster method of protection, and in many cases this is true if passwords are the only line of defense. This is why two-factor authentication is such a big deal in the security world.

However, love them or hate them, passwords are still the first line of defense in both our working and personal lives. That crossover leaves people trying to remember and manage dozens of passwords, which usually means they create one easily remembered (and easily cracked) password and use it everywhere.

"While security professionals can enforce policy on a password's length, expiration and use of character types, only educated users can create truly strong passwords that they will remember and avoid using elsewhere."

With that said, what follows is an easily copied primer on passwords, which can be emailed to your entire organization.

Why are passwords important?

Having a password is the most basic level of protection you can have for the information you are storing in services or applications, be it your personal Facebook account, your online banking site, or your company's customer tracking system. The problem is that everything is online now, and everything needs a password. So it's tempting to make your password simple and easy to remember. Perhaps you have a go-to password you've used for everything since college. Or maybe you write your password down so you don't forget it.

If you do any of those things, you're in the majority, not the minority. Creating long, complex passwords that are unique for every service you use is a challenge, and remembering them all is near impossible. The problem is that simple, easy-to-remember passwords are also easy to "crack." That's probably why a major study found that 76% of network intrusions (aka breaches) in 2012 involved weak or stolen passwords.


Once attackers have your password, they have access to your account and any information stored in it. From there, they may be able to do all sorts of things, and what was intended as a form of protection could become a threat in itself. For example, if you use the same password across multiple sites, once an attacker has compromised your information on an unimportant one, they can turn around and use it on a site you do care about.

Or say you use different passwords but the same security questions everywhere. An attacker who finds the answers to those questions (often from public profiles) can submit a password-reset request in your name, set a new password, and lock you out of an important account.

Bottom line: passwords are an important security measure for every aspect of your life, including work.

How can you protect yourself?

There are a number of things you can do to reduce your risk and increase the protection offered by passwords.

Make passwords long and complex. Try to make your password more than 12 characters long and use at least one lower-case letter, one upper-case letter, one number, and one special character. Unfortunately, not all sites allow passwords like this yet, so it may not always be possible, but do it where you can. Try stringing unconnected words together and mixing in numbers and special characters to make the result extra hard to guess.
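To show what that policy does and does not buy you, here is an added example (not part of Rapid7's note or this article) that checks a candidate password against the rules above, puts an upper bound on exhaustive-search effort, and flags the pattern crackers try first: a dictionary word with digits and symbols tacked on, possibly "leet"-spelled. The word list is a constructed handful of entries standing in for the multi-million-entry lists real crackers use, and the 10 billion guesses-per-second rate is an assumed figure for illustration.

```python
import math
import re
import string

# Character classes the note's policy asks for.
LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGITS = set(string.digits)
SPECIAL = set(string.punctuation)
MIN_LENGTH = 13  # "more than 12 characters"

# Constructed, deliberately tiny stand-in for the multi-million-entry wordlists
# password crackers actually use; this is not a real list.
COMMON_WORDS = {"password", "summer", "welcome", "letmein",
                "qwerty", "football", "dragon", "monkey"}
# Common "leet" substitutions that cracking rules undo: P@$$w0rd -> password.
LEET = str.maketrans("@$!013", "asiole")


def policy_violations(password):
    """Return the policy rules a password breaks (empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    chars = set(password)
    for name, cls in (("lower-case letter", LOWER), ("upper-case letter", UPPER),
                      ("digit", DIGITS), ("special character", SPECIAL)):
        if not chars & cls:
            problems.append("no " + name)
    return problems


def looks_like_dictionary_word(password):
    """True if the password is a common word with digits/symbols appended,
    possibly with leet substitutions; crackers try exactly these transforms first."""
    base = re.sub(r"[\d\W_]+$", "", password)   # strip a trailing "2013!", "123", "!" ...
    base = base.translate(LEET).lower()
    return base in COMMON_WORDS


def brute_force_bits(password):
    """Upper bound on guessing work, in bits, against an attacker who knows only
    which character classes are used and must try every combination."""
    chars = set(password)
    alphabet = sum(len(cls) for cls in (LOWER, UPPER, DIGITS, SPECIAL) if chars & cls)
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def assess(password, guesses_per_second=1e10):
    """Summarise a candidate: policy result, brute-force bound, and whether a
    dictionary rule would find it long before exhaustive search finishes."""
    bits = brute_force_bits(password)
    years = 2 ** bits / guesses_per_second / (365 * 24 * 3600)
    return {
        "violations": policy_violations(password),
        "bits": round(bits, 1),
        "brute_force_years": years,
        "dictionary_pattern": looks_like_dictionary_word(password),
    }


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any breach data.
    for pw in ("Summer2013!", "P@$$w0rd1!", "purple-kettle-Orbit7-lantern"):
        print(pw, assess(pw))
```

The brute-force figure is the number a naive "complexity" check would give; the dictionary flag is the reason the page says simple passwords are easy to crack. "Summer2013!" satisfies every character-class rule and still falls to a wordlist plus a year-and-symbol rule in seconds, while the four unconnected words pass the policy and carry far more guessing work.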

Don't reuse passwords. It is very difficult to remember unique passwords across everything. You can tackle this by using a password manager such as KeePass or LastPass, which stores your passwords in an encrypted vault; all you need to remember is the manager's master password. If you do reuse passwords across sites, be vigilant for any suspicious activity, and at the first sign of trouble change the password on every other site where it was used.


Regularly change your password. Passwords should be changed every 8-12 weeks. Yes it's a hassle, but if an attacker has gained access without you knowing, it stops them from being able to keep coming back over and over again.

Two-factor authentication. Where possible, favor services that offer two-factor authentication and enable it. The way this typically works is that it combines something you know (your password) with something you have (e.g. a generated code sent to your phone) to provide a double layer of protection.
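The exchange described above, for the app-generated variant (TOTP, RFC 6238, the scheme behind authenticator apps), as an added example that is not part of Rapid7's note or this article. Both sides are shown: enrollment mints the shared secret that becomes the "something you have" on the phone, the phone derives a six-digit code from that secret and the clock, and the server checks the code with a small clock-drift window and refuses a code it has already accepted. The issuer and account names are made up for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

STEP_SECONDS = 30   # time-step length used by most authenticator apps
DIGITS = 6


def hotp(key, counter):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(key, unix_time):
    """TOTP (RFC 6238): HOTP with the counter set to the current 30-second step.
    This is what the phone app computes when it displays a code."""
    return hotp(key, int(unix_time) // STEP_SECONDS)


def enroll(issuer, account):
    """Server side of setup: mint a random shared secret and the otpauth URI that
    the QR code shown to the user encodes (issuer/account here are made up)."""
    key = secrets.token_bytes(20)
    b32 = base64.b32encode(key).decode().rstrip("=")
    uri = "otpauth://totp/%s:%s?secret=%s&issuer=%s&digits=%d&period=%d" % (
        quote(issuer, safe=""), quote(account, safe=""), b32,
        quote(issuer, safe=""), DIGITS, STEP_SECONDS)
    return key, uri


def verify_totp(key, submitted, unix_time, window=1, used_steps=None):
    """Server side of login: accept the code for the current step or up to
    `window` steps either side (clock drift), compare in constant time, and
    refuse a step that was already accepted so a phished or shoulder-surfed
    code cannot be replayed."""
    current = int(unix_time) // STEP_SECONDS
    for step in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(key, step).encode(), submitted.encode()):
            if used_steps is not None:
                if step in used_steps:
                    return False
                used_steps.add(step)
            return True
    return False


if __name__ == "__main__":
    import time
    key, uri = enroll("ExampleCorp", "alice@example.com")
    print("provision:", uri)
    now = time.time()
    code = totp(key, now)                       # what the phone shows
    print("phone shows", code, "-> server accepts:", verify_totp(key, code, now))
```

A password alone is replayable forever once stolen; the code above is only valid for the step it was generated in (plus the drift window) and, with the `used_steps` bookkeeping, only once. That is the "double layer" the paragraph refers to: an attacker needs the password and live access to the device holding the secret.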

Never use a default password. Many devices and applications ship with default passwords already set. Change these as early as possible in your setup process. Using a default password is the same as using no password at all.

By Steve Ragan