
How to Create Secure Passwords - Proper Password Management

The National Institute of Standards and Technology (NIST) provides a useful overview of passwords (see Appendix A, Strength of Memorized Secrets, of NIST SP 800-63B). They provide this comment:

Password length has been found to be a primary factor in characterizing password strength [Strength] [Composition]. Passwords that are too short yield to brute force attacks as well as to dictionary attacks using words and commonly chosen passwords.

The minimum password length that should be required depends to a large extent on the threat model being addressed. Online attacks where the attacker attempts to log in by guessing the password can be mitigated by limiting the rate of login attempts permitted. In order to prevent an attacker (or a persistent claimant with poor typing skills) from easily inflicting a denial-of-service attack on the subscriber by making many incorrect guesses, passwords need to be complex enough that rate limiting does not occur after a modest number of erroneous attempts, but does occur before there is a significant chance of a successful guess.
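The throttling NIST describes has two knobs that pull against each other: the budget of wrong guesses a genuine user is allowed before lockout, and the fraction of the password space an attacker can cover with that same budget. The following is an added example (my code, not NIST's or the page's) of a per-account throttle plus a helper that relates the budget to the attacker's chance of success; the 10-attempt / 15-minute defaults are illustrative, and the uniform-password assumption in the probability helper is a deliberate simplification.

```python
import time
from collections import defaultdict

# Added example: a per-account failed-login throttle of the kind NIST describes.
# Defaults are illustrative, not a recommendation from the page.


class LoginThrottle:
    """Consecutive-failure budget per account with a lockout window.

    A modest budget lets a user with poor typing recover; the lockout stops an
    online guesser before it has tried a meaningful slice of the password space.
    """

    def __init__(self, max_failures=10, lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock                  # injectable so tests can advance time
        self._failures = defaultdict(int)   # account -> consecutive failures
        self._locked_until = {}             # account -> monotonic timestamp

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout expired: clear state so the account gets a fresh budget.
            del self._locked_until[account]
            self._failures[account] = 0
            return False
        return True

    def record_failure(self, account):
        """Count a wrong password. Returns True when the account is (now) locked."""
        if self.is_locked(account):
            return True
        self._failures[account] += 1
        if self._failures[account] >= self.max_failures:
            self._locked_until[account] = self.clock() + self.lockout_seconds
            return True
        return False

    def record_success(self, account):
        """A correct login resets the budget and clears any lockout."""
        self._failures[account] = 0
        self._locked_until.pop(account, None)


def guess_success_probability(attempts, password_bits):
    """Chance an online attacker guesses the password within `attempts` tries.

    Assumes the password is uniform over 2**password_bits possibilities. Real
    users choose far from uniformly, so this is a lower bound on attacker success.
    """
    return min(1.0, attempts / 2.0 ** password_bits)
```

Raising `max_failures` without shortening the lockout window increases the attacker's budget linearly; `guess_success_probability` makes that trade visible when a policy is reviewed.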

Some basic advice from Google on creating a strong password:

  • Use a different password for each of your important accounts, like your email and online banking accounts. Re-using passwords is risky. If someone figures out your password for one account, it's possible they could get access to your personal information, or other online services like shopping or banking.
  • Using numbers, symbols and a mix of upper and lower case letters in your password makes it harder for someone to guess your password. For example, an eight-character password with numbers, symbols and mixed-case letters is harder to guess because it has 30,000 times as many possible combinations as an eight-character password with only lower case letters.
  • Create a unique password that's unrelated to your personal information and uses a combination of letters, numbers, and symbols. For example, you can select a random word or phrase and insert letters and numbers into the beginning, middle, and end to make it extra difficult to guess (such as "sPo0kyh@ll0w3En"). Don't use simple words or phrases like "password" or "letmein," keyboard patterns such as "qwerty" or "qazwsx," or sequential patterns such as "abcd1234," which make your password easier to guess.
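The advice above can be turned into concrete checks. The following is an added example (my code, not Google's or the page's) that tests a candidate password for minimum length, character-class mix, common words, keyboard patterns and sequential runs, and also computes the keyspace ratio behind the "30,000 times" figure for any length and alphabet sizes. The word list and keyboard sequences are small constructed samples; a real deployment screens against a large breached-password list as well.

```python
import string

# Added example: a password checker built from the advice above.
# The lists below are constructed samples, not a complete blocklist.
COMMON_WORDS = {"password", "letmein", "welcome", "admin"}
KEYBOARD_SEQUENCES = [
    "qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
    "qazwsxedcrfvtgbyhnujmik,ol.p",   # walking down the columns (qazwsx...)
]


def has_keyboard_pattern(pw, min_run=4):
    """True if pw contains min_run+ adjacent keyboard keys, in either direction."""
    low = pw.lower()
    for seq in KEYBOARD_SEQUENCES:
        for s in (seq, seq[::-1]):
            for i in range(len(s) - min_run + 1):
                if s[i:i + min_run] in low:
                    return True
    return False


def has_sequential_run(pw, min_run=4):
    """True if min_run+ consecutive characters step by +1 or -1 (abcd, 4321)."""
    for step in (1, -1):
        run = 1
        for a, b in zip(pw, pw[1:]):
            run = run + 1 if ord(b) - ord(a) == step else 1
            if run >= min_run:
                return True
    return False


def character_classes(pw):
    """Number of distinct classes present: lower, upper, digit, symbol."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def keyspace_ratio(length, large_alphabet, small_alphabet):
    """How many times more combinations the larger alphabet gives at this length.

    keyspace_ratio(8, 94, 26) is roughly 29,000 and keyspace_ratio(8, 95, 26)
    roughly 32,000, which is where the "30,000 times" figure comes from.
    """
    return (large_alphabet / small_alphabet) ** length


def check_password(pw, min_length=12):
    """Return a list of problems; an empty list means the password passed."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    low = pw.lower()
    if any(w in low for w in COMMON_WORDS):
        problems.append("contains a common word")
    if has_keyboard_pattern(pw):
        problems.append("contains a keyboard pattern")
    if has_sequential_run(pw):
        problems.append("contains a sequential run")
    if character_classes(pw) < 3:
        problems.append("fewer than three character classes")
    return problems
```

Pattern checks like these catch the structured guesses that dictionary attacks try first; they do not replace a breached-password check, which is a separate lookup covered later on this page.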

So how do you come up with a long password that doesn't use words or phrases? Some suggested approaches:

Take a sentence and turn it into a password.

The sentence can be anything personal and memorable for you. Take the words from the sentence, then abbreviate and combine them in unique ways to form a password. For example:

"The first house I ever lived in was 613 Fake Street. Rent was $400 per month." You can then turn that into a password by using the first letter of each word (keeping the numbers), so your password would become TfhIeliw613FS.Rw$4pm. This is a strong password at 21 characters.

Multiple unrelated words

The Oregon FBI says: "Instead of using a short, complex password that is hard to remember, consider using a longer passphrase. This involves combining multiple words into a long string of at least 15 characters. The extra length of a passphrase makes it harder to crack while also making it easier for you to remember.

For example, a phrase such as "VoicesProtected2020WeAre" is a strong passphrase. Even better is a passphrase that combines multiple unrelated words, such as "DirectorMonthLearnTruck.""
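The FBI's "multiple unrelated words" advice is easiest to follow when the words are picked for you at random rather than chosen by hand, since hand-picked words tend to be related after all. The following is an added example (my code, not the FBI's or the page's) that draws words with the `secrets` module, enforces the 15-character minimum, and reports the guessing work in bits for a given word-list size. The 12-word list is a constructed sample; a real generator uses a published list of several thousand words, and the capitalisation is only a readability aid that adds no entropy.

```python
import math
import secrets

# Added example: random passphrase from unrelated words (diceware-style).
# SAMPLE_WORDS is a tiny constructed list; use a list of thousands in practice.
SAMPLE_WORDS = [
    "director", "month", "learn", "truck", "voices", "protected",
    "river", "candle", "orbit", "pillow", "granite", "falcon",
]


def generate_passphrase(words=SAMPLE_WORDS, count=4, min_length=15, rng=secrets.choice):
    """Pick `count` words at random and join them; retry until min_length is met.

    `rng` is injectable so the function can be tested deterministically; the
    default uses secrets.choice, which is suitable for security purposes.
    """
    for _ in range(100):
        chosen = [rng(words) for _ in range(count)]
        # Capitalising word boundaries aids readability only; it is predictable
        # and therefore adds nothing to the strength estimate below.
        phrase = "".join(w.capitalize() for w in chosen)
        if len(phrase) >= min_length:
            return phrase
    raise ValueError("word list too short to reach min_length")


def passphrase_bits(list_size, count):
    """Entropy in bits of `count` independent, uniform picks from `list_size` words.

    Four words from a 7,776-word list give about 51.7 bits; the strength comes
    from the number of words and the list size, not from the words themselves.
    """
    return count * math.log2(list_size)
```

Because strength is measured by `passphrase_bits`, not by the apparent randomness of the result, a short list like the sample above produces phrases that look fine but would need many more words to reach a useful number of bits.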

Person-Action-Object (PAO) method

Select an image of an interesting place (Mount Rushmore). Select a photo of a familiar or famous person (Beyonce). Imagine some random action along with a random object (Beyonce driving a Jello mold at Mount Rushmore).

Once you create and memorize several PAO stories, you can use the stories to generate passwords.

For example, you can take the first three letters from "driving" and "Jello" to create "driJel." Do the same for three other stories, combine your made-up words together, and you'll have an 18-character password that'll appear completely random to others yet familiar to you.

Source: http://lifehacker.com/four-methods-to-create-a-secure-password-youll-actually-1601854240 
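The sentence method and the PAO method above are both deterministic once the memorable input is fixed, so they can be written as small functions. The following is an added example (my code, not Lifehacker's or the page's) that reproduces the worked "613 Fake Street" password and the "driJel" fragment. The token rule in `sentence_to_password` is my reading of the page's example, not a rule the page states: bare numbers stay whole, a symbol in front of a number is kept with the first digit ("$400" becomes "$4"), punctuation glued to the end of a word is kept ("Street." becomes "S."), and the sentence's final full stop is dropped.

```python
import re

# Added example: the two mnemonic constructions as functions.
# The abbreviation rule is inferred from the page's worked example.
_TOKEN_RE = re.compile(r"^([^0-9A-Za-z]*)([0-9A-Za-z]+)([^0-9A-Za-z]*)$")


def _abbreviate(token):
    """Reduce one whitespace-separated token to its password fragment."""
    m = _TOKEN_RE.match(token)
    if not m:
        return token                    # a token of pure punctuation is kept as-is
    lead, core, trail = m.groups()
    if core.isdigit() and not lead:
        return token                    # bare numbers stay whole: "613" -> "613"
    return lead + core[0] + trail       # "$400" -> "$4", "Street." -> "S."


def sentence_to_password(sentence):
    """Turn a memorable sentence into a password, one fragment per word."""
    text = sentence.strip().rstrip(".!?")   # the final terminator is predictable
    return "".join(_abbreviate(tok) for tok in text.split())


def pao_password(stories, letters=3):
    """Join the first `letters` letters of each story's action and object.

    `stories` is a list of (action, object) pairs, e.g. [("driving", "Jello")].
    """
    return "".join(action[:letters] + obj[:letters] for action, obj in stories)
```

The functions exist to show the construction, not to be run on a shared machine: the sentence or story is the secret, and the output should be judged with the same length and pattern checks as any other password.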

Remember - never reuse a password!

Firm policy example - User Passwords

See the attached file with a member firm's Information Security: User Password Policy.

Here are the first few sections:

Overview

Passwords are an important aspect of information security. A poorly chosen password may result in unauthorized access and/or exploitation of Firm Name resources. All users, including contractors and vendors with access to Firm Name systems, are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

Purpose

This policy defines the requirements for establishing the password configuration settings and managing fixed passwords used on any Firm computer and communications system.

Scope

This policy applies to all Employees, Non-Partner Attorneys, Partner Attorneys, and External-Party Vendors who have or are responsible for an account on any system that resides in Firm Name’s environment, or managed systems in the cloud.

Password checker

Pwned Passwords

Pwned Passwords are 551,509,767 real world passwords previously exposed in data breaches. This exposure makes them unsuitable for ongoing use. Read more about how HIBP protects the privacy of searched passwords: https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2#cloudflareprivacyandkanonymity

https://haveibeenpwned.com/Passwords
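The privacy protection referred to above is a k-anonymity range query: the client hashes the password with SHA-1, sends only the first five hex characters of the digest, receives every suffix in that range, and does the comparison locally, so neither the password nor its full hash leaves the machine. The following is an added example (my code, not HIBP's client) of that exchange. The `/range/` endpoint and the `Add-Padding` header are from HIBP's public API; the sample response body below is constructed for this example, including its counts, and the live fetch function is present but not exercised offline.

```python
import hashlib
import urllib.request

# Added example: k-anonymity check against the Pwned Passwords range API.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def hash_prefix_suffix(password):
    """SHA-1 the password and split the upper-case hex digest into 5 + 35 chars."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, body):
    """Scan a range response ("SUFFIX:COUNT" per line) for our suffix.

    Returns the breach count, or 0 if the suffix is absent. Padding lines with
    a count of 0 are present when Add-Padding is requested and are harmless here.
    """
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix):
    """Live query (not run in this example): only the 5-char prefix is sent."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "example-pwned-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch=fetch_range):
    """How many times the password appears in the corpus; 0 means not found."""
    prefix, suffix = hash_prefix_suffix(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed sample of a range response for prefix 5BAA6. The suffix for the
# password "password" is real (SHA-1 5BAA6 1E4C9B93F3F0682250B6CF8331B7EE68FD8);
# the other suffixes and all counts are made up for this example.
SAMPLE_RANGE_BODY = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
011053FD0102E94D6AE2F8B83D76FAF94F6:0
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
"""
```

Any non-zero result should be treated as "do not use": the count only indicates how widespread the exposure is, not whether the password is safe for a particular account.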

Pwned websites

Breached websites that have been loaded into Have I Been Pwned

Here's an overview of the various breaches that have been consolidated into Have I Been Pwned.

https://haveibeenpwned.com/PwnedWebsites 

Stolen-passwords check (tool)

Stolen credentials can result from employees reusing corporate credentials on third-party, non-work websites.

You can use KnowBe4's Email Exposure Check Pro (EEC Pro): https://info.knowbe4.com/email-exposure-check-pro-chn

This is how it works:

EEC Pro identifies the at-risk users in your organization by crawling business social media information and hundreds of breach databases. This is done in two stages:

First Stage
Runs deep web searches to find any publicly available organizational data. This shows you what your organizational structure looks like to an attacker, who can use it to craft targeted spear-phishing attacks.

Second Stage
Finds any users whose account information has been exposed in any of several hundred breaches. These users are particularly at risk because an attacker knows more about them, up to and including their actual passwords.

It is fully automated and free.

Here's an example of the information you get for each email address:

Firstname.Lastname@memberfirm.com 

Breach Data:

Adobe (adobe.com)

2013-12-04 00:00:00 +0000 UTC

In October 2013, 153 million Adobe accounts were breached with each containing an internal ID, username, email, encrypted password and a password hint in plain text. The password cryptography was poorly done and many were quickly resolved back to plain text. The unencrypted hints also disclosed much about the passwords adding further to the risk that hundreds of millions of Adobe customers already faced.

Data in Breach: Email addresses, Password hints, Passwords, Usernames

B2B USA Businesses

2017-07-18 07:38:04 +0000 UTC

In mid-2017, a spam list of over 105 million individuals in corporate America was discovered. Read more about spam lists in HIBP.

Data in Breach: Email addresses, Employers, Job titles, Names, Phone numbers, Physical addresses

LinkedIn (linkedin.com)

2016-05-21 21:35:40 +0000 UTC

In May 2016, LinkedIn had 164 million email addresses and passwords exposed. Originally hacked in 2012, the data remained out of sight until being offered for sale on a dark market site 4 years later. The passwords in the breach were stored as SHA1 hashes without salt, the vast majority of which were quickly cracked in the days following the release of the data.

Data in Breach: Email addresses, Passwords

River City Media Spam List (rivercitymediaonline.com)

2017-03-08 23:49:53 +0000 UTC

In January 2017, a massive trove of data from River City Media was found exposed online. The data was found to contain almost 1.4 billion records including email and IP addresses, names and physical addresses, all of which was used as part of an enormous spam operation. Once de-duplicated, there were 393 million unique email addresses within the exposed data.

Data in Breach: Email addresses, IP addresses, Names, Physical addresses
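Reports in the layout above are only useful if someone turns them into actions, and the right action depends on the data classes: a breach that exposed passwords or password hints warrants a forced reset for that user, while a spam list that leaked only names and job titles does not. The following is an added example (my code, not KnowBe4's or HIBP's) that parses the flat record layout shown on this page (breach name, timestamp, description, "Data in Breach" line) and returns the breaches that justify a reset, newest first. `SAMPLE_REPORT` is a constructed subset of the records above with the descriptions shortened; the set of credential-bearing data classes is my choice.

```python
import re
from dataclasses import dataclass

# Added example: parse exposure records in the page's layout and triage them.
# SAMPLE_REPORT is constructed from the records on the page, descriptions shortened.
SAMPLE_REPORT = """\
Firstname.Lastname@memberfirm.com

Breach Data:

Adobe (adobe.com)

2013-12-04 00:00:00 +0000 UTC

In October 2013, 153 million Adobe accounts were breached with each containing an
internal ID, username, email, encrypted password and a password hint in plain text.

Data in Breach: Email addresses, Password hints, Passwords, Usernames

B2B USA Businesses

2017-07-18 07:38:04 +0000 UTC

In mid-2017, a spam list of over 105 million individuals in corporate America was discovered.

Data in Breach: Email addresses, Employers, Job titles, Names, Phone numbers, Physical addresses

LinkedIn (linkedin.com)

2016-05-21 21:35:40 +0000 UTC

In May 2016, LinkedIn had 164 million email addresses and passwords exposed.

Data in Breach: Email addresses, Passwords
"""

DATE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} [+-]\d{4} UTC$")

# Data classes that mean the account's secret (or a strong hint to it) leaked.
# This set is my choice for the example, not a list from the page.
CREDENTIAL_CLASSES = {"passwords", "password hints", "auth tokens",
                      "security questions and answers"}


@dataclass
class Breach:
    name: str
    date: str          # ISO date, sortable as a string
    data_classes: list


def parse_report(text):
    """Return (email, [Breach, ...]) from a report in the page's flat layout.

    The breach name is the non-empty line immediately before the timestamp, and
    a record is closed by its "Data in Breach:" line.
    """
    email = None
    breaches = []
    prev = None            # last non-empty line, needed to recover the breach name
    name = date = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DATE_RE.match(line)
        if email is None and "@" in line:
            email = line
        elif m:
            name, date = prev, m.group(1)
        elif line.startswith("Data in Breach:") and name:
            classes = [c.strip() for c in line.split(":", 1)[1].split(",") if c.strip()]
            breaches.append(Breach(name, date, classes))
            name = date = None
        prev = line
    return email, breaches


def needs_password_reset(breaches):
    """Breaches that exposed credentials, newest first."""
    hits = [b for b in breaches
            if any(c.lower() in CREDENTIAL_CLASSES for c in b.data_classes)]
    return sorted(hits, key=lambda b: b.date, reverse=True)
```

Sorting newest first matters for the reset decision: a password changed after the most recent credential breach is no longer at risk from that exposure, whereas one unchanged since then should be rotated regardless of how old the breach is.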