In the last five years, best practices for passwords have changed, and that change has been a direct response to shifts in the methods cybercriminals use to execute attacks and breaches. Malware was once the main way bad actors invaded systems, but the focus has shifted to using weak, compromised, and stolen passwords (commonly called credentials). Passwords are now one of the greatest risks to any organization.

What this change means is that everyone needs to be hyper-vigilant when it comes to employing password and passphrase best practices. This hyper-vigilance needs to extend to every device you use, from your personal mobile device and desktop at home to the devices you use at work. With so many people continuing to work remotely, using best password practices has become essential for protecting both personal and business data.

Best Practices Have Changed

According to the SANS Institute, it is very difficult for security personnel to detect an intruder if they have stolen valid credentials to access a system or network. Such a breach is known as “living off the land,” which means a hacker is utilizing the same tools and credentials as an authorized user. This makes it difficult for your IT people or third-party provider to determine what activities were legitimately performed by your employee versus what activity was conducted by the attacker. This is why credentials have now become one of the primary targets for bad actors and why stolen passwords are a top risk for all organizations.

Since passwords are now one of the primary targets of bad actors, especially those with advanced skills, one change that has occurred is that password complexity requirements have been replaced by an emphasis on password length, according to the National Institute of Standards and Technology (NIST).

“Password length has been found to be a primary factor,” according to the NIST. “Passwords that are too short yield to brute force attacks as well as to dictionary attacks using words and commonly chosen passwords. Users should be encouraged to make their passwords as lengthy as they want, within reason. Since the size of a hashed password is independent of its length, there is no reason not to permit the use of lengthy passwords (or passphrases).”

Another change has been the discontinuation of password expiration. Password expiration is when a business or organization requires its employees to change their passwords after a given amount of time, such as every 60 or 90 days. It used to be that the average computer took approximately 90 days to “crack” the average password hash. That’s what got the idea of password expiration started.

Today, the practice of password expiration is no longer relevant and can actually increase risk exposure. How? When employees are forced to change their passwords frequently, they do something simple, like changing the “one” at the end of the password to a “two,” so they can remember the new one. Frequent changes may also lead them to write the updated password on a sticky note, which is not good practice. The NIST recommends resetting passwords only if there is evidence of a compromise, as frequent password changes are counterproductive: users typically end up setting weaker passwords, which increases risk.

Additionally, if your company maintains a password history, it gives attackers not just one password hash to break but several. Maintaining a password history exponentially increases the likelihood that a cybercriminal will crack one of the passwords and gain access to your network.

With continuous changes in cybersecurity best practices to keep up with attack methods, it’s best for every organization to annually review its security policies and procedures. This will allow your company to make updates regularly to keep up with changes in attack vectors and shore up your business’s security policies and procedures.

Farewell Passwords & Hello Passphrases

The NIST recommends passwords contain at least eight characters and can be as long as 64 characters. This has prompted a move from passwords to passphrases as phrases tend to be longer. Passwords are usually one word with special characters and numerals included while passphrases tend to include a string of words with special characters and numerals. Basically, the NIST recommends the longer your passwords and passphrases, the better.

Teach your employees to use passphrases rather than passwords. This gets them thinking of longer, more complex credentials that are harder for would-be attackers to break. Passphrases can be sentences of random words that are easy for employees to remember and type. The NIST recommends against using password hints or knowledge-based security questions as a substitute for a passphrase, since many of the answers are easily found by just looking at someone’s social media profiles.

In training your workforce, be sure to explain the importance of each account, platform, and application having a completely unique passphrase. This is to ensure that if one account’s credentials are compromised, all of the victim’s other accounts will remain secure. Be sure to stay updated on the latest recommendations regarding passphrases by collaborating with a cybersecurity specialist who knows what’s happening in the current threat environment such as ORAM Corporate Advisors.

Tips for Creating Passphrases

The best way to protect your personal and business security is to become adept at setting strong, unique passphrases. Here are some tips for creating strong passphrases:

  • Create passphrases with at least eight characters that include a combination of capital and lower-case letters, numbers, and special characters.
  • Use a unique passphrase for each account, platform, and application. A password generator such as LastPass can generate strong, unique passphrases for you.
  • Never use variations of old passwords as they are easy to break.

Ban Specific Words in Passphrases

The next step to stronger passphrases is to stop employees from using usernames and passphrases that contain certain words such as their full name. When it comes to creating passphrases, users should choose non-context-specific passwords.

The NIST recommends that businesses ban context-specific words such as the name of your business, your services, the user’s name, and derivatives of any of these in passphrases. The passphrase must not contain the user’s account name or any part of the user’s full name longer than two consecutive characters.

For example, if an employee’s name is John Smith, they should not use “JohnS” or “JSmith” in their passphrase. The most you would want to allow is two characters together such as “JS” combined with other words, numbers, and characters in passphrases.
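As an added illustration of the rule above (example code written for this article, not a tool from NIST or ORAM), the Python function below flags a candidate passphrase that contains the account name, an organization term, or any run of three or more consecutive letters taken from the user’s full name. The two-letter allowance (“JS”) falls out naturally: only three-letter fragments are generated, and any longer fragment of the name necessarily contains one of them. The account name, full name, and organization term used below are constructed sample values.

```python
import re


def name_fragments(full_name: str, run_len: int = 3) -> set[str]:
    """Return every run of `run_len` consecutive letters from each word of the
    user's full name, lower-cased.

    Checking only runs of exactly three letters is sufficient: if a passphrase
    contains four or more consecutive letters of the name, it also contains one
    of these three-letter runs. Two-letter fragments such as "JS" are deliberately
    not generated, matching the allowance described above."""
    fragments: set[str] = set()
    for word in re.findall(r"[A-Za-z]+", full_name.lower()):
        for start in range(0, len(word) - run_len + 1):
            fragments.add(word[start:start + run_len])
    return fragments


def context_violations(passphrase: str, account_name: str, full_name: str,
                       org_terms=()) -> list[str]:
    """List every context-specific term found in the passphrase (case-insensitive).
    An empty list means the passphrase passes this rule."""
    lowered = passphrase.lower()
    hits: list[str] = []
    if account_name and account_name.lower() in lowered:
        hits.append(f"account name '{account_name}'")
    for term in org_terms:
        if term.lower() in lowered:
            hits.append(f"organization term '{term}'")
    for frag in sorted(name_fragments(full_name)):
        if frag in lowered:
            hits.append(f"name fragment '{frag}'")
    return hits


if __name__ == "__main__":
    # Constructed sample values; "ExampleCorp" stands in for a real company name.
    user, name, org = "jsmith", "John Smith", ["ExampleCorp"]
    for candidate in ("JSmith-likes-coffee", "JohnS rules 2024",
                      "ExampleCorp-login!", "JS-correct-horse-battery"):
        print(f"{candidate!r}: {context_violations(candidate, user, name, org) or 'ok'}")
```

The check is a plain substring match after lower-casing, so it catches “JohnS” (via “joh” and “ohn”) and “JSmith” (via the account name and “smi”, “mit”, “ith”) while letting “JS-correct-horse-battery” through. It does not undo letter-for-digit substitutions; that normalization belongs with the dictionary screening described later.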

Passphrase Screening

When it comes to passphrase security, the NIST recommends cross-referencing passphrases against a dictionary of commonly used passwords and passphrases. One of the easiest ways hackers sneak into an organization is by guessing common passwords and using brute force attacks.

A password dictionary is a file that contains a list of passwords and passphrases that may have been or have been compromised. They are called dictionaries because they contain a list of thousands or even millions of individual passwords and passphrases. People tend to use plain English words and simple terms as passwords and passphrases, with a standard variation such as the number 5 in place of the letter S or the number 1 in place of the letter I.

Checking employee-created passphrases against “dictionaries,” or databases and lists of passwords and passphrases obtained from previous breach reports, prevents end-users from selecting passphrases that have been compromised in previous attacks.

There are software programs with custom dictionaries that can block passphrases containing compromised or common passwords and passphrases to reduce the risk of a breach. Password dictionaries are great for businesses to use since attackers typically try combinations of passwords and passphrases that use elements related to the company or organization.

For example, end-users tend to use passphrases that incorporate the business name, the products and services provided by the company, or other easy-to-guess terms. Microsoft Active Directory supports password filters, so you can create a custom password and passphrase dictionary for your organization. This will block passphrases created by your employees that use common terms, phrases, and formerly breached words. To help with building your list and implementing it correctly, ORAM recommends working with a third-party cybersecurity provider if you don’t have someone in-house who has experience in this arena.
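To make the screening step concrete, here is an added example (written for this article; it is not the Active Directory password filter or any product named above) of a small Python dictionary check. The breach list is a constructed sample of six entries standing in for the lists of thousands or millions of real entries described above, and an organization’s own custom terms are merged into the same set. Candidates are normalized before lookup so that the common variations mentioned above (5 for S, 1 for I, trailing digits, trailing punctuation) do not slip past the check.

```python
import re

# Constructed stand-in for a breached/common-password list. Real dictionaries
# hold thousands to millions of entries and are loaded from a file.
SAMPLE_BREACH_LIST = ["password", "letmein", "welcome", "qwerty", "summer", "football"]

# Constructed custom terms for a hypothetical organization "ExampleCorp".
CUSTOM_ORG_TERMS = ["ExampleCorp", "WidgetPro"]

# Single-character substitutions users commonly apply ("P@55w0rd", "L3tM3!n").
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(candidate: str) -> str:
    """Reduce a candidate to the plain word the user most likely started from."""
    s = candidate.lower()
    stripped = s.rstrip("0123456789!?.")  # trailing padding: "summer2024!"
    s = stripped or s                     # keep all-digit input intact
    s = s.translate(LEET_MAP)             # undo digit/symbol substitutions
    return re.sub(r"[^a-z]", "", s)       # drop separators: "pass-word" -> "password"


def build_dictionary(*word_lists) -> set[str]:
    """Merge breach data and custom terms into one set of normalized forms."""
    words: set[str] = set()
    for word_list in word_lists:
        for word in word_list:
            normalized = normalize(word)
            if normalized:
                words.add(normalized)
    return words


DICTIONARY = build_dictionary(SAMPLE_BREACH_LIST, CUSTOM_ORG_TERMS)


def is_in_dictionary(candidate: str, dictionary: set[str] = DICTIONARY) -> bool:
    """True when the candidate, after normalization, matches a listed entry."""
    normalized = normalize(candidate)
    return bool(normalized) and normalized in dictionary


if __name__ == "__main__":
    # Constructed sample candidates.
    for candidate in ("P@55w0rd1", "L3tM3!n", "Summer2024!", "WidgetPro-2023",
                      "correct horse battery staple"):
        verdict = "blocked (in dictionary)" if is_in_dictionary(candidate) else "ok"
        print(f"{candidate!r} -> {normalize(candidate)!r}: {verdict}")
```

The lookup is an exact match on the normalized form, which keeps false positives low; a substring match against short dictionary words would reject many legitimate passphrases. When the list is large, the usual deployment stores a hash of each normalized entry rather than the plaintext, and the check hashes the normalized candidate before the lookup.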

Passphrase Complexity

The use of overly simple passphrases is one of the greatest avoidable risks for businesses but is also one of the easiest to address with proper training and adequate cybersecurity policies and procedures in place.

In an effort to find a simple solution to passphrases, end-users will often choose repetitive or sequential characters such as “1234” or “BBBB.” Train employees not to do this, as such patterns are simple for hackers to crack, and prohibit repetitive or incremental passphrases across your workforce.

Hammer home to staff members during training that simple passphrases make them and your company more susceptible to being attacked. Cybercriminals don’t care who their victims are. They just want to access personally identifiable information (PII), bank accounts, and business data that can land them a terrific payday.

According to the application MyGlue, more than 60 percent of data breaches are the result of weak or stolen credentials. Using more complex passwords that include uppercase and lowercase letters, numerals, and special characters that are different for every account is vital to protecting yourself and your business.

Password Managers

Consider a password manager as a vault that can store multiple passphrases in an encrypted database that can also produce new passphrases on demand. This means you and your staff won’t be tempted to use the same passphrase more than once and you won’t have to memorize them all or write them down.

A password manager not only helps your employees by generating complex passphrases that won’t be easily guessed by cybercriminals, but it also remembers the unique passphrase for every account so they don’t have to. Remembering long, complex passphrases for every account can be overwhelming, since some people have more than 100 different accounts they must log into.

Other benefits of password managers include improved business efficiency, reduced requests to IT for passphrase resets, and simplified shopping, as payment information can be stored in your password manager. The NIST also recommends allowing copy and paste in password fields to facilitate the use of password managers, and allowing the use of all printable ASCII characters as well as all Unicode characters, including emojis.
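The following added example (written for this article, not taken from NIST or any product) turns the complexity rule from the Passphrase Complexity section and the length and character-set guidance above into one Python check: it counts characters as Unicode code points rather than bytes, so an emoji counts once against the 8 to 64 character bounds; it accepts every printable ASCII and Unicode character while rejecting control characters; and it flags runs of four or more repeated or sequential characters such as “1234” or “BBBB.” The sample passphrases in the usage block are constructed.

```python
import unicodedata

MIN_CHARS, MAX_CHARS = 8, 64   # NIST SP 800-63B bounds quoted above
RUN_LEN = 4                    # four in a row ("1234", "BBBB") is flagged


def char_count(passphrase: str) -> int:
    """Length in Unicode code points after NFC normalization, not in bytes.
    A single emoji counts as 1 here but occupies 4 bytes in UTF-8."""
    return len(unicodedata.normalize("NFC", passphrase))


def has_repeated_run(s: str, run_len: int = RUN_LEN) -> bool:
    """True if the same character appears run_len or more times in a row."""
    run = 1
    for prev, cur in zip(s, s[1:]):
        run = run + 1 if cur == prev else 1
        if run >= run_len:
            return True
    return False


def has_sequential_run(s: str, run_len: int = RUN_LEN) -> bool:
    """True for an ascending or descending code-point sequence: "1234", "abcd", "dcba"."""
    for step in (1, -1):
        run = 1
        for prev, cur in zip(s, s[1:]):
            run = run + 1 if ord(cur) - ord(prev) == step else 1
            if run >= run_len:
                return True
    return False


def evaluate_passphrase(passphrase: str) -> list[str]:
    """Return the list of policy findings; an empty list means the passphrase passes."""
    findings: list[str] = []
    n = char_count(passphrase)
    if n < MIN_CHARS:
        findings.append(f"too short: {n} characters, minimum is {MIN_CHARS}")
    if n > MAX_CHARS:
        findings.append(f"too long: {n} characters, maximum is {MAX_CHARS}")
    # str.isprintable() is True for every printable ASCII and Unicode character
    # (space and emoji included) and False for control characters such as tab.
    if any(not ch.isprintable() for ch in passphrase):
        findings.append("contains control or other non-printable characters")
    if has_repeated_run(passphrase):
        findings.append(f"contains {RUN_LEN}+ repeated characters")
    if has_sequential_run(passphrase):
        findings.append(f"contains {RUN_LEN}+ sequential characters")
    return findings


if __name__ == "__main__":
    # Constructed samples.
    for candidate in ("BBBB", "correct horse battery staple",
                      "coffee 🦊 before 1234", "tab\there is hidden"):
        print(f"{candidate!r}: {evaluate_passphrase(candidate) or 'ok'}")
```

Two points are worth noting. Measuring length in code points, rather than in bytes, is what makes “allow all Unicode” and “64 characters maximum” compatible: a 20-character passphrase with one emoji is 23 bytes in UTF-8 but still 20 characters. And the only characters rejected outright are non-printable ones such as tabs and zero-width characters, which a user cannot see and will not be able to type again.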

You can purchase a subscription to a password manager for yourself and your business so every employee has access. Be sure to train them on the use of the password manager you purchase for your business and encourage every employee to use it. Remember, the easier you make it for your employees to follow a behavior, the more likely they are to follow it. ORAM recommends MyGlue or LastPass as affordable options for business password managers. Note that any password manager worth its weight will employ multifactor authentication as well.

Most password managers offer a free trial period and typically range in cost from $12 annually to $50 a month. The cost depends on the number of devices and users the program is being used for. For added security, have an IT expert such as ORAM set up your password manager for you.

If your company’s cybersecurity policies and procedures prohibit the use of password managers, just know that people are likely to write passphrases down or save them in a spreadsheet or a document such as Google Docs, which increases your organization’s breach risk.

Passphrase Protect Everything

Make sure that all devices you use are password protected. This is also true for all of your employees. If you have a smartphone that is unlocked or you’re staying logged in to your email, you are asking to be hacked. Anyone who picks up an unlocked smartphone has access to everything on the phone, from photos to bank accounts. The same goes for your email account.

Train your employees to passphrase protect every device. Teach them that this extends beyond the workplace: they should implement this process for their personal devices at home as well as any that their family members may have. This will not only protect them but can protect your business if they are working remotely.

Multi-Factor Authentication

While you’re addressing passphrase security, also look at adding multi-factor authentication (MFA) to all accounts, both personal and professional, whenever it’s available. If someone does happen to get your passphrase or that of an employee, they won’t be able to log into your account from a strange device. Any time someone logs into an account from a new device, they will need both the passphrase and a code that is sent to their smartphone, which should be password protected as previously mentioned.

The NIST recommends employing MFA but discourages the use of SMS notification as a means of authentication. Rather, the NIST suggests using a stronger process such as Google Authenticator due to the inherent risks involved with SMS. Consult with your IT team or third-party provider to determine if this is a feasible option for your company.

Increase Passphrase Attempts

Many organizations limit the number of attempts to log in to between three and five attempts. This gives your end-users very little room for error, which can frustrate them. Additionally, such limits tend to increase the number of help desk tickets submitted, thus, increasing those costs. Consider increasing the number of allowable passphrase attempts to 10.

Passphrase Policies for Business

A passphrase policy is the set of requirements for passphrases outlined by a business in its cybersecurity policies and procedures. This includes requirements for complexity and length and a ban on known terms and phrases that have previously been breached.

You may wish to consult with a third-party cybersecurity provider such as ORAM when determining which requirements need to be included in your company’s policies and procedures. Whatever you do include should aim for the goal of providing the best security for your business with the simplest deployment for ensuring end-user compliance. Another helpful resource is Spiceworks, a professional IT forum where experts provide advice related to passphrase policies.

Once you set your cybersecurity policies and procedures, they will need to be revisited annually, at a minimum, to ensure they include best practices for addressing the latest threats, compliance standards, and recommendations from IT experts.

Strong, secure passphrases are essential to reducing your risk, the risk of your employees, and the risk of your business. This is more important than ever given the number of devices people use and the fact that so many people are working remotely. NIST Special Publication 800-63B, Digital Identity Guidelines, is a resource for businesses that provides best practices related to authentication and password lifecycle management.

If you have questions related to best practices for passphrases or security to protect your business, contact ORAM Corporate Advisors online or call (617) 933-5060. Our team of IT and cybersecurity professionals is happy to help you with passphrases, password managers, training, and more to meet your business needs.