<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/">
  <channel>
    <title>Small-Business on Edbro.net - A Cybersecurity Blog</title>
    <link>https://edbro.net/tags/small-business/</link>
    <description>Recent content in Small-Business on Edbro.net - A Cybersecurity Blog</description>
    <image>
      <title>Edbro.net - A Cybersecurity Blog</title>
      <url>https://edbro.net/images/edbro</url>
      <link>https://edbro.net/images/edbro</link>
    </image>
    <generator>Hugo</generator>
    <language>en</language>
    <lastBuildDate>Mon, 02 Feb 2026 20:43:37 +0100</lastBuildDate>
    <atom:link href="https://edbro.net/tags/small-business/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>How to Secure your Accounts Online</title>
      <link>https://edbro.net/posts/how-to-secure-your-accounts-online/</link>
      <pubDate>Mon, 02 Feb 2026 20:43:37 +0100</pubDate>
      <guid>https://edbro.net/posts/how-to-secure-your-accounts-online/</guid>
      <description>&lt;p&gt;Lately I have sat down to talk with a couple of different groups of people working outside of tech.
As someone working in cybersecurity, there were a few statements where I had to interject.
This post is the result of those discussions, with the aim of being a reference anyone can use to improve their security, no great technical skills required.
I will focus on how we secure our accounts, and in particular on the login experience.&lt;/p&gt;</description>
      <content:encoded><![CDATA[<p>Lately I have sat down to talk with a couple of different groups of people working outside of tech.
As someone working in cybersecurity, there were a few statements where I had to interject.
This post is the result of those discussions, with the aim of being a reference anyone can use to improve their security, no great technical skills required.
I will focus on how we secure our accounts, and in particular on the login experience.</p>
<h2 id="the-problem">The Problem</h2>
<p>The problem with passwords is that they are guessable.
We in the industry have long tried to make it harder for attackers to guess or steal users' passwords, often to the detriment of the users themselves.
When the requirements are tightened, users are forced to resort to tricks just to have a chance of remembering their passwords:
reusing the same password everywhere, writing it on a note by the desk, or building it from (guessable) personal information.
All of these undermine the security of the account.</p>
<p>So what can we do? Let's break down some common recommendations and the risks that come with them:</p>
<h3 id="password-length-and-complexity">Password Length and Complexity</h3>
<p>Every time you create a new account online, you are asked to create a new password.
Usually there is a minimum length requirement, as well as a requirement to use at least three of upper case, lower case, digits and special characters.
But how much does this actually improve the security of the password?</p>
<p><a href="https://xkcd.com/936/">XKCD</a> has a nice comic about this, highlighting that a short string with forced complexity adds less security than the headache it gives the user, because people satisfy the rules in predictable ways (a dictionary word with a capital letter, a digit and a symbol tacked on).
A better approach is to use four randomly chosen words, or an even longer passphrase.
This increases the security while keeping the password easy to remember. The key word is randomly: four words that describe you, or a well-known quote, are as guessable as any other personal information.</p>
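<p>To put numbers on this, here is a small Python example added to this post (it is not from the original post, nor from XKCD). It estimates the entropy of the usual schemes and generates a passphrase using the operating system&rsquo;s secure random source. The word list is a constructed sample; a real generator would load a published list such as the EFF large word list, and only the size of the list matters for the estimate.</p>

```python
import math
import secrets

# Constructed sample word list for the demonstration. A real generator
# would load a published list (the EFF large list has 7776 words).
# Only the list size matters for the entropy estimate.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "anchor", "violet", "granite",
    "meadow", "copper", "lantern", "harbor", "pebble", "saffron", "timber",
    "walnut", "zephyr",
]

PRINTABLE_ASCII = 94  # letters, digits and symbols typable on a US keyboard


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols each chosen uniformly at random
    from `alphabet_size` possibilities. This is the best case: it assumes
    the symbols really are random, not a word with o->0 substitutions
    (XKCD puts a "Tr0ub4dor&3"-style password at roughly 28 bits)."""
    return length * math.log2(alphabet_size)


def generate_passphrase(words: list[str], count: int, sep: str = "-") -> str:
    """Pick `count` words uniformly at random with the OS CSPRNG.
    `random.choice` must not be used here: it is not cryptographically secure."""
    if count < 1:
        raise ValueError("count must be at least 1")
    return sep.join(secrets.choice(words) for _ in range(count))


def compare_schemes() -> dict[str, float]:
    """Entropy of the usual schemes, rounded to one decimal.
    The 2048-word figure is the one XKCD 936 uses (11 bits per word)."""
    return {
        "8 chars, full printable set, truly random": round(entropy_bits(PRINTABLE_ASCII, 8), 1),
        "4 words from a 2048-word list": round(entropy_bits(2048, 4), 1),
        "4 words from a 7776-word (diceware) list": round(entropy_bits(7776, 4), 1),
        "6 words from a 7776-word (diceware) list": round(entropy_bits(7776, 6), 1),
    }


if __name__ == "__main__":
    for scheme, bits in compare_schemes().items():
        print(f"{bits:5.1f} bits  {scheme}")
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
```

<p>The point of the numbers: a truly random 8-character password beats four words from a 2048-word list by a few bits, but nobody chooses truly random 8-character strings, and the four words are far easier to remember. Adding a fifth or sixth word is cheap and pushes the passphrase well past any realistic guessing attack.</p>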
<h3 id="password-rotations">Password Rotations</h3>
<p>For a while it was recommended to force regular password rotations, so that even if a password was stolen it had a limited lifespan.
However, this makes it even harder for users to remember their passwords, and the passwords actually in use get worse (typically the old one with a digit incremented). Current guidance, such as NIST SP 800-63B, no longer recommends forced periodic rotation.</p>
<p>Of course you will need to change your password if it is leaked or stolen, but until then it is better to pick a good password and keep it.
A long and unique password will keep your login secure without frequent changes.</p>
<h3 id="two-factor-authentication">Two Factor Authentication</h3>
<p>The best way to mitigate the risks with passwords is to not fully trust them.
By requiring a second factor for authentication, the security of the account improves dramatically: a stolen or guessed password alone is no longer enough to sign in.
My recommendation is to use a two factor authentication app (such as Google Authenticator) for all services that allow it.
This makes signing in a little more tedious, but it is absolutely worth it if it saves you from being hacked.</p>
<p>There are a couple of different ways two factor apps can be used.
The most common is that the app generates a rotating six digit code, which you enter as a second password.
The app and the service share a secret that was set up when you enrolled, so the service can compute the same code and confirm that you still hold that secret.
Another alternative is that when you sign in you are shown a number, which you enter into your app to confirm that you are the one trying to sign in (number matching).</p>
<p>The main thing with two factor authentication is to only approve sign-ins that you have initiated.
Never give your two factor code to someone calling you, never approve a prompt you did not trigger, and never enter the code on a website you did not navigate to yourself: the code proves nothing about which site it is typed into, so a phishing page can simply relay it.</p>
<h3 id="password-managers-and-login-with-other-services">Password Managers and Login with other Services</h3>
<p>The sheer number of accounts we all use regularly makes it almost impossible to remember a unique password for each.
There are two common ways to reduce the number of passwords you need to remember.</p>
<p>First, password managers.
This is software that helps you create and remember good, unique passwords.
By storing the passwords and syncing them between devices, it lets you remember just a single (strong) master password.
Sure, there is some risk in putting all of your credentials into one piece of software, but compared to the risk of using bad passwords it is manageable.
You may still want to memorise a couple of your most important passwords (e.g. your bank login) so that they are not exposed if your password manager is compromised.</p>
<p>An alternative is to use &ldquo;Log in with XXX&rdquo;.
Instead of creating a new login, your account is linked to another service (such as Google or Facebook), and that service is used to sign in.
This also means one less password to remember.
However, it comes at a cost: your privacy.
Whenever you sign in with another service, that service knows that you signed in, and where.
It also makes that one account the key to every account linked to it, so it needs the strongest protection you have, at the very least two factor authentication.
If you are OK with this, you are good to continue using the feature; otherwise, you will have to look for other ways forward.</p>
<h3 id="passwordless-authentication">Passwordless Authentication</h3>
<p>There is a new way of signing in that is beginning to gain popularity: passwordless sign-in.
The technology behind it is quite interesting, and might be a topic for a future blog post.
However, there are still few sites where it is implemented, so I will just leave this as a teaser.</p>
<h2 id="summary">Summary</h2>
<p>So there are many risks with passwords, and it is difficult to keep up whenever the best practices change.
At the time of writing, I would give two recommendations.</p>
<ol>
<li>Everyone should use two factor authentication. It is the best way to secure your accounts, and should be the bare minimum for important accounts.</li>
<li>For those who want to take an extra step and improve their security posture, a trusted password manager is a great investment. It might take some time to set up, but once you no longer have to remember your passwords you will thank me. If you want to learn more about password managers, I have heard good things about both <a href="https://bitwarden.com/">Bitwarden</a> and <a href="https://1password.com/">1Password</a>.</li>
</ol>
<p>Stay secure out there!</p>
]]></content:encoded>
    </item>
    <item>
      <title>Basic Network Security for Small Businesses</title>
      <link>https://edbro.net/posts/basic-network-security-for-small-businesses/</link>
      <pubDate>Sun, 22 May 2022 00:00:00 +0000</pubDate>
      <guid>https://edbro.net/posts/basic-network-security-for-small-businesses/</guid>
      <description>&lt;p&gt;In today&amp;rsquo;s connected world every little store or office needs internet, and the usual way to provide it is by setting up WiFi. There are endless products that offer a plug and play experience for less tech-savvy users. However, there are some common traps that someone inexperienced might fall into when setting up a network. In this post I will discuss some of these traps and the risks they pose.&lt;/p&gt;</description>
      <content:encoded><![CDATA[<p>In today&rsquo;s connected world every little store or office needs internet, and the usual way to provide it is by setting up WiFi. There are endless products that offer a plug and play experience for less tech-savvy users. However, there are some common traps that someone inexperienced might fall into when setting up a network. In this post I will discuss some of these traps and the risks they pose.</p>
<p><strong>Note</strong>: Any specific examples in this post are fictional, but the patterns are common, judging from looking around and talking to businesses.</p>
<h3 id="separate-guests-and-internal-users">Separate Guests and Internal Users</h3>
<p>To minimise the exposure of the systems the business needs to operate, and thereby the risk, it is important to reduce the number of people who have access to them. The main thing here is to keep visitors (or customers) off the network that carries the internal systems (file servers, cash registers etc.). A common solution is to have two separate networks, a guest network and a company network, with the guest network only able to reach the internet. For larger companies this separation might need to be taken further, but this is a great first step.</p>
<p>The main goal of separation is to implement what is commonly called Defence in Depth. This means that if one security measure fails, all is not lost. Instead there is another defence that hinders the attack. By restricting what an attacker can reach, the chance that they can exploit a vulnerability decreases as well.</p>
<h3 id="secure-the-internal-network">Secure the Internal Network</h3>
<p>No matter how well separated the internal network (and its users) are from external users, it has no effect if there are ways to circumvent the separation. For example, in a café a customer might plug a cable into the access point and land on the internal network. Another, perhaps more common, error is an easily guessable password for the internal network. If the WiFi name is used as the password, it is the same as having no password at all. An attacker who captures the WiFi handshake can test guesses offline at their leisure, and the name of the network will absolutely be one of the first they try.</p>
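<p>To show why the network name is such a bad passphrase, here is an added Python example (it is not from the original post and not a real cracking tool). WPA2-PSK derives its master key with PBKDF2-HMAC-SHA1 from the passphrase and the SSID, so the attacker&rsquo;s guessing loop is simply that derivation run over a candidate list, with name-derived guesses first. Real tooling checks each candidate against the MIC of a captured four-way handshake; to keep the example offline and self-contained it compares against the derived key directly, which is a simplification. The two networks are constructed for the example.</p>

```python
import hashlib
from typing import Optional


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK pairwise master key as specified in IEEE 802.11i:
    PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits).
    The SSID is the salt, which is why an attacker needs the network
    name anyway and why it is the first thing they try as the passphrase."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def first_guesses(ssid: str) -> list[str]:
    """Network-name-derived guesses an attacker tries before any word list."""
    compact = ssid.replace(" ", "")
    return [
        ssid, ssid.lower(), ssid.upper(),
        compact, compact.lower(),
        ssid + "123", ssid + "2022", compact + "123",
    ]


def guess_psk(ssid: str, target_pmk: bytes, candidates: list[str]) -> Optional[str]:
    """Offline guessing loop. Simplified: compares each candidate's PMK with
    the target PMK; a real attacker would verify against the handshake MIC.
    Returns the recovered passphrase, or None if no candidate matched."""
    for candidate in candidates:
        if wpa2_pmk(candidate, ssid) == target_pmk:
            return candidate
    return None


# Constructed example networks (fictional, like the rest of this post).
WEAK_SSID, WEAK_PASSPHRASE = "Cafe Edbro", "Cafe Edbro"
GOOD_SSID, GOOD_PASSPHRASE = "Cafe Edbro Staff", "granite-lantern-saffron-zephyr"

if __name__ == "__main__":
    weak_target = wpa2_pmk(WEAK_PASSPHRASE, WEAK_SSID)
    print("weak network recovered with:", guess_psk(WEAK_SSID, weak_target, first_guesses(WEAK_SSID)))
    good_target = wpa2_pmk(GOOD_PASSPHRASE, GOOD_SSID)
    print("good network recovered with:", guess_psk(GOOD_SSID, good_target, first_guesses(GOOD_SSID)))
```

<p>A useful self-check for a business owner: run your own SSID through <code>first_guesses</code> and, if your passphrase is in the list, change it today. The 4096 PBKDF2 iterations slow an attacker down per guess, but they do nothing when the right answer is among the first ten.</p>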
<h3 id="change-default-settings">Change Default Settings</h3>
<p>After looking at the network as a whole, it is time to look at the systems on it. When adding a new system it is important to read the vendor&rsquo;s configuration recommendations. Are there any security features that can be enabled? Another important step is to change any default passwords, which are publicly documented and therefore known to any attacker.</p>
<p>Overall the goal in this step is to minimise the risks by utilising any defences of the systems on the network.</p>
<h3 id="keep-systems-updated">Keep Systems Updated</h3>
<p>Lastly, all devices on the network need to be maintained. Vulnerabilities will be found in the products used on the network; that cannot be prevented. As a business owner the only thing to do is to be aware of it and keep a regular update schedule. When a vulnerability is published, the patch needs to be applied as soon as possible. One way to do this is to automate the installation of updates. This ensures swift patching without the overhead of tracking when updates are released and applying them by hand.</p>
<p>Installing updates without first testing them adds another risk, in the form of supply chain attacks (a compromised or faulty update reaching you automatically). However, compared to the cost of mitigating it, that risk is quite low. Every business needs to make its own analysis, but from my point of view the benefit of swift updates outweighs the risks for most small companies.</p>
]]></content:encoded>
    </item>
  </channel>
</rss>
