The Cloud Experience Everywhere

Let’s talk security: Is the best password no password at all?


There’s a story that’s been circulating online for quite some time about a user who was found to be using the password ‘MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento’ during a recent IT audit. When asked why the password was so long, the user replied that he was told the password had to contain at least 8 characters and a capital. I think most people can relate to the joke, and if you’re anything like me, you’ve got over 350 different user names and passwords hidden away in a password vault. The efforts we go through to develop, remember and track passwords are matched only by the stress we feel worrying about a breach. So, in line with World Password Day on May 3rd, I thought it was worth highlighting a few best practices around passwords and password security.


1) It’s a problem before it’s in the news: check your current status

Firstly, it’s not news to anyone that password breaches are becoming more and more common. Recent breaches have hit high-profile brands such as Uber and Deloitte, and it’s a good idea to look at sites such as haveibeenpwned or SpyCloud to see if your email address has been associated with any of the stolen password databases. The issue here is one of inconvenience – passwords need to be reset, and if you’ve reused the same password across multiple sites (which is not the best idea), those passwords need to be reset too. From a corporate perspective, there is also the concern around brand reputation and intellectual property theft – which is why companies such as SpyCloud have built a business model around an early warning breach detection service for enterprises.

2) Spark that right brain creativity: tips for choosing strong passwords

When it comes to choosing passwords, it’s important to think about a strong, complex password or, better still, a passphrase. Go for combinations of letters, numbers, and symbols. Put memorable words together, add random symbols to make it harder to guess, and keep it long – 16 characters seems to be an accepted good minimum length. Of course, remembering those mega-long passwords isn’t going to be easy, so save them in a password manager to avoid reusing the same password over and over again. I use 1Password for all my personal logins, and don’t know a single one of my passwords – because 1Password takes care of that for me. There are a bunch of similar solutions from companies such as CyberArk, Centrify, and BeyondTrust that can be used in an enterprise environment as well.

3) Build it in: let’s visit the password protection method

If we turn to application development and the storing of user passwords, it’s expected that a password shouldn’t be recoverable from the password database, and shouldn’t be known by anyone other than the user. Instead of storing passwords in plain text, or even encrypting passwords, application developers are advised to store passwords using a salted one-way hash based upon a strong hashing algorithm such as SHA-256 or bcrypt. Rather than go through all of the technical details of this method, it’s worth checking out Sophos’ excellent blog on the subject. So in an ideal secure world, every application developer follows this best practice and stores passwords using a one-way hash with a suitably random salt?

Unfortunately not, or haveibeenpwned wouldn’t have over 5 billion breached accounts in their database.

4) Don’t rely on passwords alone: enable MFA and SSO

The challenge with such password breaches is that, regardless of how well thought-out your password was, it isn’t going to provide any protection if the hacker has managed to figure out how the password was stored in the database. So that’s where the value of multi-factor authentication (MFA) and Single Sign On (SSO) comes into play.

According to Wikipedia, “Multi-factor authentication (MFA) is a method of confirming a user's claimed identity in which a user is granted access only after successfully presenting 2 or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something they and only they know), possession (something they and only they have), and inherence (something they and only they are)” – or, in more practical terms, it’s configuring online services such as Facebook, LinkedIn, Twitter, or Dropbox to request a one-time login code, sent via SMS or generated by Google Authenticator, to be entered before approving access to their service. Enabling MFA gives the added safeguard that even if you lose your password, no one will be able to access your online account without access to the device providing the one-time password – removing the reliance on a weak password as the only security barrier. (Tip: if you haven’t already done this for all of your online identities, do it now, to avoid the same problems that Mark Zuckerberg had.)

Although MFA is used more and more often for protecting web services and social identities, many enterprises are taking advantage of the security that SSO provides – the user logs on using a ‘master’ identity, and then the SSO solution takes care of logging on to all other systems during the authenticated session. Advantage to the user – a single password to remember, and no need to maintain separate identities for all of the different corporate applications. Advantage to the enterprise – fewer support calls, and an easier approach to disabling user access when required. If you’re concerned about having to rely on a single password, combine the initial user authentication with biometric authentication, MFA, or hardware tokens such as an RSA token.

5) Finally: Don’t trust everyone

Your bank isn’t going to send you an email requesting you to share your password. Nor is Facebook, PayPal, or your IT department (especially not to your private mail address). These are more often than not phishing attempts – social engineering tricks to get people to divulge their login details. The best advice here is to carefully check the website URL of any site you visit that requests this information, and if in doubt, don’t click. Many organizations are now delivering anti-phishing training to their employees, and you’ll also find various online training courses.

But the good news – if you have decided to use MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento as your password, it has still not been associated with any breaches according to haveibeenpwned. But don’t use it. Please. Don’t use ‘password’ either, as 3.5 million others have already had that idea before you.

HPE Pointnext can help you architect and build a tailored, future-proof Identity and Access Management (IAM) platform for your hybrid IT operation, one that empowers employees and enhances their productivity. Working closely with your team and our IAM solution partners, we can take you every step of the way, from an initial assessment of your existing environment, to roadmap development, to solution implementation. We can also help your organization with security awareness training and other security education services. Learn more about HPE Pointnext Security services and start working with us today.

About the Author


Simon Leech is a Certified Information Systems Security Professional with a specialisation in Security Architecture (CISSP-ISSAP), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), Certified in Cloud Security Knowledge (CCSK), and works in the Worldwide Security, Risk and Compliance Practice within HPE Pointnext Advisory and Professional Services. Simon is active on Twitter as @DigitalHeMan.