Modern Password Guidelines w/ Steve McGowan

In our new column, Steve McGowan, our Security, Risk and Compliance Director, takes you through some guidance on how to stay safe from cybercriminals. This time he covers his trip to a security event and what he learned from some of the world’s best security experts.

Recently I was invited to Manchester City’s stadium for a security industry event. The guys at this event were responsible for cybersecurity at high street banks and major retailers.

These are the teams that have to worry about the bad guys we hear about in the news, the attacks we usually blame on the Russians. More about that towards the end of this post!

It was eye-opening for me. I thought it probably wouldn’t be relevant to the type of clients we deal with in the SMB world, but as we’re always trying to improve, we like to understand what enterprise-level organisations do so that we can tailor it to suit smaller organisations.

What shocked me is that there isn’t much of a difference.

Yes, they have much bigger infrastructures and bigger budgets, but no matter how big the organisation or the complexity of their systems, they’re often getting the basics wrong.

We imagine hackers sitting watching buildings, or teams in vans, trying to circumvent companies’ firewalls and breach their perimeter security, as us geeks like to call it.

But the reality is they don’t need to.

We were lucky enough to be given a tour of the stadium. I’m not sure if you’re a football fan but to see behind the scenes at The Etihad was amazing for me. They even let me sit in Pep Guardiola's (heated, perfectly fitted) seat!

As we walked around I got talking to a highly respected security consultant. Banks hire him to hack into their systems. When I asked him how difficult it is, he said it can be very complex but most of the time, it’s easy.

They just need a user who’s not great at setting a password.

Here’s what an attack can look like:

  • Go on LinkedIn.
  • Find and export a list of employees.
  • Search Google for a few of the names and work out the company’s email address structure.
  • Work out how to log in to their email system, usually by just going to a provider or the company website.
  • Try to log on to their webmail with a simple script that runs through the list of email addresses and a handful of popular passwords.
  • Once the hacker finds an account they can log in to, they can then do further damage.
  • They’ll usually export all the users in the organisation from the address book.
  • Then they launch an internal phishing attack, because it bypasses protection and users trust emails that come from their colleagues.
  • Get a user to run some malware and they’ve got access to the network.
  • From there they’ll try to gain access to other accounts.
  • The complicated way is to export hash files and attempt to crack them. Alternatively, they find old accounts with poor passwords that have been left on the network, but often their job is made easier still, as the next steps show.
  • Once they have access to a single user account they’ll have a look at the policies that user has access to.
  • Usually, because you want all staff to follow them, they’ll find an IT Security Policy.
  • That policy will contain a password policy. It looks something like this:

You must have a strong password. It must be between 12 and 18 characters and contain lower and upper case letters, a number and a symbol. This password must be changed every 30 days.

Or something to that extent.

  • The problem with that is they can feed that logic to the password cracking application. For instance, in research carried out, 32% of people will have a capital letter as the first letter and 1! or 123! at the end.

I know I’ve been guilty of this before.

Where users have been asked to choose a new password every month, 18% will use the month and year in the password: March 2019!, for example.

  • Once they have the structure, it is usually easy for them to get an admin account to gain access to, and from there they can do what they like. They obviously add more logic to it as well. In Manchester, for instance, if it was me, I’d get it to try all the footballers: Cantona1! or Pogba123! will probably work!
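The webmail step above (one script, a list of addresses, a few popular passwords) is known as password spraying, and the defender’s side of it is easy to spot in the mail server’s sign-in log: one source address failing against many different accounts in a short time, rather than one person mistyping their own password. The script below is an added example and is not from the article or from any product it mentions; the log format and the log lines are constructed for the demonstration, and the 10-minute window and five-account threshold are assumptions you would tune to your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample webmail sign-in log (not from the article).
# Format assumed here: timestamp, result, user, source IP.
SAMPLE_LOG = """\
2019-03-04T09:00:01Z LOGIN_FAILED user=a.smith@example.co.uk src=203.0.113.7
2019-03-04T09:00:02Z LOGIN_FAILED user=b.jones@example.co.uk src=203.0.113.7
2019-03-04T09:00:03Z LOGIN_FAILED user=c.brown@example.co.uk src=203.0.113.7
2019-03-04T09:00:04Z LOGIN_FAILED user=d.patel@example.co.uk src=203.0.113.7
2019-03-04T09:00:05Z LOGIN_FAILED user=e.khan@example.co.uk src=203.0.113.7
2019-03-04T09:00:06Z LOGIN_OK user=f.green@example.co.uk src=203.0.113.7
2019-03-04T09:05:00Z LOGIN_FAILED user=a.smith@example.co.uk src=198.51.100.20
2019-03-04T09:05:30Z LOGIN_FAILED user=a.smith@example.co.uk src=198.51.100.20
2019-03-04T09:06:00Z LOGIN_OK user=a.smith@example.co.uk src=198.51.100.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>LOGIN_\w+) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(log_text):
    """Turn log lines into (timestamp, result, user, source_ip) tuples; skip junk."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag any source IP that fails logins against at least `min_users`
    distinct accounts inside `window`. One account failing repeatedly
    (a user who forgot their password) is not a spray and is not flagged.
    Returns {source_ip: sorted list of targeted accounts}."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "LOGIN_FAILED":
            by_src[src].append((ts, user))
    alerts = {}
    for src, fails in by_src.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_users:
                alerts[src] = sorted(users)
                break
    return alerts


def successes_from_spraying_ips(events, alerts):
    """Accounts that then signed in successfully from a spraying IP: this is the
    'found an account they can log in to' step, so investigate these first."""
    return sorted({user for _, result, user, src in events
                   if result == "LOGIN_OK" and src in alerts})


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    found = detect_spray(evs)
    for ip, users in found.items():
        print(f"spray from {ip}: {len(users)} accounts targeted")
    print("accounts to check:", successes_from_spraying_ips(evs, found))
```

Once a spraying source is identified, the useful response is to reset and review the accounts that did sign in from it, not just to block the address: the attacker already has what they came for on those accounts.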

So, what can we do to protect our businesses better?

Well, first of all, help your users understand how to create strong passwords.

I often suggest a phrase from your favourite film with one word swapped: “here’s looking at you Kev” is a great password that doesn’t have much logic but is easy to remember.

Please note some services won’t let you have spaces. (No matter how much I moan about it!)

Make it as long as possible and without anything that could be predicted. So, no maiden names, or your dog’s name that you share lots of photos of on Instagram #scottydog.
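To show why the quoted 12-to-18-character policy helps the attacker and why the film-quote advice is better, here is an added example (not from the article, and not any product’s code) that checks a candidate password against the two predictable templates described above, the capital-letter word with 1! or 123! on the end and the month-plus-year password, and compares that with what the quoted policy would say. The regular expressions, the 16-character minimum and the test passwords are my own assumptions for the demonstration.

```python
import re

MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")

# Template 1 (assumed shape): capital first letter, lowercase word, short digit
# run, then a symbol or two. Matches Cantona1!, Pogba123!, Manchester123!
CAP_WORD_TAIL = re.compile(r"^[A-Z][a-z]+\d{1,4}[!@#$%^&*?]{1,2}$")

# Template 2 (assumed shape): month name, optional space, 2- or 4-digit year,
# optional symbol. Matches March 2019!, march19, October2018
MONTH_YEAR = re.compile(
    r"^(?:" + "|".join(MONTHS) + r")\s?(?:19|20)?\d{2}[!@#$%^&*?]?$",
    re.IGNORECASE)


def predictable_template(pw):
    """Name the policy-shaped template the password follows, or None."""
    if CAP_WORD_TAIL.match(pw):
        return "capital-word-digits-symbol"
    if MONTH_YEAR.match(pw):
        return "month-year"
    return None


def meets_quoted_policy(pw):
    """The policy quoted in the article: 12-18 chars, lower, upper, digit, symbol."""
    return (12 <= len(pw) <= 18
            and all(re.search(p, pw)
                    for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")))


def assess(pw, min_length=16):
    """A rule a defender can actually enforce: long, and not a known template.
    No upper bound and no character-class rules, so passphrases are allowed.
    Returns (accepted, reason)."""
    template = predictable_template(pw)
    if template:
        return False, "matches predictable template: " + template
    if len(pw) < min_length:
        return False, "shorter than %d characters" % min_length
    return True, "ok"


if __name__ == "__main__":
    # Constructed examples, including the ones the article itself names.
    for candidate in ("Cantona1!", "Manchester123!", "March 2019!",
                      "here's looking at you Kev"):
        print("%-28s quoted policy: %-5s  assess: %s" % (
            candidate, meets_quoted_policy(candidate), assess(candidate)))
```

The interesting pair is Manchester123! and the film quote: the quoted policy accepts the first (it ticks every box) and rejects the second (too long), which is exactly the wrong way round. Dropping the upper length limit and the character-class rules, and instead refusing the templates that a cracker would try first, inverts that.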

Also, stop using the same passwords for different sites.

That includes ScottyDogLinkedin and ScottyDogGmail.

If any of your users are involved in a breach, that information will be put up for sale or given away on the dark web. Hackers will use that information to try and gain access to other accounts. So, for instance, if a user was involved in the LinkedIn breach and uses the same password for his work email, his work email has also potentially been breached.

You can see if your email/password appears in major breaches by checking https://haveibeenpwned.com/. It will search the breach list and let you know if you are included in any.
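The same site also publishes its breached-password list through a range API that lets you check a password without ever sending it anywhere: your computer takes the SHA-1 hash of the password and sends only the first five hex characters; the service replies with every hash suffix it knows for that prefix, and the comparison happens locally. This is an added example of that check and is not code from the article or from Have I Been Pwned; the range response below is constructed (the counts are made up) so that it runs offline, and the live lookup function is included only to show where the real request would go.

```python
import hashlib
import urllib.request


def sha1_hex(password):
    """Upper-case hex SHA-1, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password):
    """k-anonymity split: only the 5-character prefix leaves the machine."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def count_in_range_response(suffix, response_text):
    """Parse a range response ('SUFFIX:COUNT' per line) locally and return
    the count for our suffix, or 0 if it is absent."""
    for line in response_text.splitlines():
        line = line.strip()
        if not line:
            continue
        sfx, _, count = line.partition(":")
        if sfx.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix):
    """Live lookup of one prefix (not used by the offline demo)."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, range_lookup=fetch_range):
    """How many times the password has appeared in known breaches (0 = not seen)."""
    prefix, suffix = split_hash(password)
    return count_in_range_response(suffix, range_lookup(prefix))


# Constructed offline stand-in for the live response. sha1("password") begins
# 5BAA6, so its suffix is listed here; the counts are invented for the demo.
SAMPLE_RANGE_5BAA6 = """\
0000000000000000000000000000000000A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1
"""
OFFLINE_RANGES = {"5BAA6": SAMPLE_RANGE_5BAA6}


def offline_lookup(prefix):
    return OFFLINE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "here's looking at you Kev"):
        print("%-28s seen %d times" % (pw, breach_count(pw, offline_lookup)))
```

Because the service only ever sees a five-character prefix shared by hundreds of hashes, this check is safe to build into a password-change form or a periodic audit, which is how a defender turns "stop reusing breached passwords" into something enforced rather than merely advised.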

We also have a service to monitor your organisation’s credentials to see if they are for sale on the dark web and alert you as soon as they are so that measures can be put in place to protect you. Get in touch to discuss this further and run a test today.

The best way is to use a password manager.

Password managers allow you to store all your passwords in a secure store. So instead of having to remember multiple complicated passwords you only have to remember one (very secure) password.

But isn’t that just a single point of failure?

Nothing is ever 100% perfect, but you can manage the risk. Firstly, this password will be as secure as it can be (as detailed above). Also, with most leading password managers you are able to set up two-factor authentication and device control. So, when you log in you will have to enter a code from your phone, and it will also check that you are logging in from a known device. If you aren’t, you’ll have to pass multiple security checks before being given access.

How do password managers work?

They help in a variety of ways. I like to recommend LastPass (https://lastpass.com). When you sign up to a site, LastPass will create a password for you that is a random mixture of letters, numbers and symbols. It will then store it in a database. When you revisit the site, the manager will auto-fill the password for you.

Most of the leading systems will allow you to use multiple devices, so you can access your passwords from your laptop, desktop, phone and tablet.

LastPass will also check all your passwords to ensure that you are not sharing passwords between accounts and, for major sites, will go and change them for you.

Though there is a cost associated with these services (LastPass is priced at £12 per year) it can be a vital tool in staying safe online.

Two Factor Authentication

As mentioned above, many services now use two-factor authentication. You may already be using this on some services. It’s where you get sent an SMS with a code, or have to check an app for a number, when you log in.

If a hacker does manage to get one of your users’ passwords, they’ll get past the login but they won’t be able to go any further as they won’t have your 2nd device to gain the access code.
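The "check an app for a number" kind of second factor is usually a time-based one-time password (TOTP): the phone app and the server share a secret, and both compute a six-digit code from that secret and the current 30-second time slot, so the code is useless to anyone who only has the password. Here is an added example of the server-side check (not from the article or from any 2FA product), using the standard HOTP/TOTP construction from RFC 4226 and RFC 6238 with their published test secret; the one-step clock-drift window and the replay guard are the design choices a practitioner would want, and the demo times and codes are those from the RFC test vectors.

```python
import hashlib
import hmac
import struct
import time

# The published test secret from RFC 4226 / RFC 6238 (not a real credential).
TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter,
    dynamic truncation to 31 bits, then the last `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """Time-based variant (RFC 6238): the counter is the current time slot."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, submitted, at_time, last_accepted=-1, step=30, window=1):
    """Server-side check. Accepts the current slot and `window` slots either
    side to tolerate clock drift, compares in constant time, and refuses any
    slot at or before `last_accepted` so a captured code cannot be replayed.
    Returns the slot that matched (the caller stores it) or None."""
    current = int(at_time) // step
    for delta in range(-window, window + 1):
        slot = current + delta
        if slot <= last_accepted:
            continue
        if hmac.compare_digest(hotp(secret, slot), submitted):
            return slot
    return None


if __name__ == "__main__":
    print("code right now:", totp(TEST_SECRET, time.time()))
    # RFC 6238 vector: at T=59 the SHA-1 code is 94287082 (8 digits), 287082 (6).
    slot = verify_totp(TEST_SECRET, "287082", at_time=59)
    print("first use accepted, slot", slot)
    print("replay accepted?", verify_totp(TEST_SECRET, "287082", 59, last_accepted=slot))
```

Two details matter in practice: the stored secret must be protected as carefully as a password hash (it is the whole second factor), and the `last_accepted` slot must be persisted per user, otherwise a code that was phished or shoulder-surfed still works for up to a minute.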

Now, there are ways the guys I met at the event can get around that too, but for organisations our size it’s going to be criminals trying their luck, not state-sponsored hackers.

So, have a good password, don’t set policies that dictate its structure, and enable 2FA (the cool way to say Two-Factor Authentication).

These are requirements of Cyber Essentials. Have you considered accrediting your company?

Cyber Essentials is a government and industry-backed scheme to help all organisations protect themselves against common cyber-attacks. It sets out basic technical controls for organisations to adhere to. ATG are accredited auditors and can help you protect your business and get certified. Download our guide for more info.

Finally, a bit of a funny fact I was told at the event. You may or may not know that the big hacking groups are named by their counterparts. Russians tend to be called Bears and the Chinese Pandas. I’m not sure what they call us. Secret squirrels perhaps?

A suspected arm of Russian intelligence is called Fancy Bear. Now, you may think that’s because they use high-end technical exploits. They may well do, but that’s not why. The guy who named them just happened to be listening to US pop sensation Iggy Azalea’s Fancy at the time, so that’s what they’re called! I’m not sure how happy they’d be about this!

If you’d like to review your cyber security, understand the risks facing your business or have any questions, feel free to give us a call on 01527 570 535. Alternatively, fill out the contact form below and one of our solutions specialists will get in touch!