Passwords Audit – Why and What are the risks

Passwords have become part of our daily lives. They add a layer of protection to our personal and business data. They are often the first line of defense and, in many cases, the only line of defense against data breaches. A password can be anything from your mobile unlock PIN or ATM PIN to a login password.

It is critical to protect passwords, whether in a personal or a work environment. Many people reuse passwords because they do not want to remember many of them, and they do not like changing a password after a few months. Many do not know, or do not care about, the importance of changing passwords at regular intervals.

Now let me explain why passwords are important.

Passwords are always a layer of protection for our personal and business information. They are the key to accessing our information, just as a key lets us into our home. It is you who decides whether to use an easily broken lock and key or a superior one to secure your home.

Cybercriminals always look for low-hanging fruit, i.e. a weak password that can be cracked in a short time. The longer and more complex your passwords are, the more secure your data is. Even though passwords are part of our lives, most people lack password awareness and do not grasp the consequences of a breach until they are hacked. Even some big companies fail to create awareness among their employees; only after a major breach, which might cost millions, do they come up with a security awareness and training program. Being proactive about security can save you from a huge crisis.

A password breach can cause severe damage to a business. It will ruin the reputation, trust, and value of an organization that cannot secure its client and user information. Yahoo is a prominent example: it lost its reputation and much of its company value in a single breach, and the incident still haunts Yahoo.

Lack of IT policy and governance is the main cause of password breaches. An organization should identify, assess, and respond to every IT risk that may badly impact the business. To tackle such situations, every organization should have a proper Governance, Risk and Compliance (GRC) management program.

An effective IT policy helps predict and prepare for risk, and so helps limit any possible damage. The best way to make users aware of the need for stronger passwords is to show them how easily weak ones can be cracked. Most end users have no idea that password-cracking tools are freely available and easy to use.

Overcoming such a situation before it becomes an issue is important. This is where AnaData can help you.

Social engineering is a common method used against users to obtain their passwords. Common social engineering attacks are phishing, spear phishing, vishing, quid pro quo, and baiting. We provide a robust, tailor-made social engineering program to help you understand your strengths and your ability to fight back against cybercriminals who use social engineering techniques. We partner with our clients, understand their business models, and design a social engineering program that suits their business environment.

ClearGRC is our product that helps you with policy and process reviews, exception management, compliance management, risk management, internal control maintenance, assessments, notifications, reminders, and reports. For every known pain point we built a simple feature that makes the job easier and far more professional. ClearGRC provides a centralized process to identify, assess, respond to, and continuously monitor enterprise and IT risks that may negatively impact business operations.

The National Institute of Standards and Technology (NIST) sets the information security standards for federal agencies. Through its Special Publication (SP) 800 series, NIST helps organizations meet regulatory compliance requirements such as HIPAA and SOX.

The recent update to the NIST password standards, SP 800-63-3, flips the script on widely accepted password policies, challenging their effectiveness altogether. The new framework is all about simplifying password management for users by leaving out overly complex security requirements.

The Special Publication (SP) 800-63 suite provides technical requirements for federal agencies implementing digital identity services. The publication includes an overview of identity frameworks; using authenticators, credentials, and assertions in a digital system; and a risk-based process to select assurance levels. Organizations have the flexibility to choose the appropriate assurance level for their needs.

In short, the new NIST guidance recommends the following for passwords:

  • 8-character minimum when a human sets it
  • 6-character minimum when set by a system/service
  • Support a maximum length of at least 64 characters
  • All ASCII characters (including space) should be supported
  • Truncation of the secret (password) shall not be performed when processed
  • Check chosen password with known password dictionaries
  • Allow at least 10 password attempts before lockout
  • No complexity requirements
  • No password expiration period
  • No password hints
  • No SMS for 2FA (use a one-time password from an app like Google Authenticator)
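The list above reads as policy, so here is what it looks like as code. This is an added example, not AnaData's or NIST's code: a small policy checker that enforces the length minimums, accepts 64 characters without truncating, imposes no complexity rules, screens against a breached-password list, hashes the whole secret, and locks an account only after the tenth failed attempt. The breached-password set, the sample passwords and the PBKDF2 parameters are constructed assumptions for the demo; a real deployment would use an organization-maintained breach corpus and its own tuned hashing parameters.

```python
"""Password-policy checker modelled on the NIST SP 800-63B points listed above.

Added example, not code from AnaData or NIST. The breached-password list,
sample secrets and hashing parameters below are constructed for the demo.
"""
import hashlib
import hmac
import os
import unicodedata
from typing import Dict, List, Optional, Tuple

MIN_LEN_HUMAN = 8     # minimum when a person chooses the secret
MIN_LEN_SYSTEM = 6    # minimum when a system/service generates it
MAX_LEN = 64          # we must accept at least this many characters
MAX_FAILED = 10       # attempts allowed before the account is locked

# Constructed stand-in for a real breached/common-password corpus (assumption).
BREACHED = {"password", "123456", "qwerty", "letmein", "password1"}


def normalize(secret: str) -> str:
    """Apply NFKC so the same visible string always compares and hashes equal."""
    return unicodedata.normalize("NFKC", secret)


def check_password(secret: str, human_set: bool = True) -> List[str]:
    """Return the list of policy violations; an empty list means accepted.

    Deliberately contains no complexity rule (no 'must include a digit'),
    no hint handling and no expiry: the guidance above drops all three.
    """
    problems: List[str] = []
    s = normalize(secret)
    min_len = MIN_LEN_HUMAN if human_set else MIN_LEN_SYSTEM
    if len(s) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(s) > MAX_LEN:
        # Reject rather than silently cut the secret: truncation is not allowed.
        problems.append(f"longer than {MAX_LEN} characters")
    # Every printable character, including space, is allowed; only control
    # characters (Unicode category C*) are refused, as they signal bad input.
    if any(unicodedata.category(c).startswith("C") for c in s):
        problems.append("contains control characters")
    # Dictionary screen; case-folded because breach lists are usually lower-case.
    if s.lower() in BREACHED:
        problems.append("appears in the breached-password list")
    return problems


def hash_secret(secret: str, salt: Optional[bytes] = None,
                iterations: int = 600_000) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 over the *entire* normalized secret.

    PBKDF2 never caps its input, so characters 65..N still matter; the
    iteration count is an assumption, not a figure from the article.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(secret).encode("utf-8"),
                                 salt, iterations)
    return salt, digest


def verify_secret(secret: str, salt: bytes, expected: bytes,
                  iterations: int = 600_000) -> bool:
    """Constant-time comparison of a fresh hash against the stored digest."""
    _, digest = hash_secret(secret, salt, iterations)
    return hmac.compare_digest(digest, expected)


class LoginThrottle:
    """Lock an account only after MAX_FAILED consecutive failed attempts."""

    def __init__(self) -> None:
        self.failures: Dict[str, int] = {}

    def record(self, account: str, success: bool) -> bool:
        """Record one attempt; return True if the account is now locked."""
        if success:
            self.failures.pop(account, None)   # a success resets the counter
            return False
        self.failures[account] = self.failures.get(account, 0) + 1
        return self.is_locked(account)

    def is_locked(self, account: str) -> bool:
        return self.failures.get(account, 0) >= MAX_FAILED


if __name__ == "__main__":
    # Constructed sample secrets.
    for candidate in ["correct horse battery staple", "short", "Password",
                      "a" * 64, "a" * 65, "nocomplexityneeded"]:
        print(repr(candidate[:20]), "->", check_password(candidate) or "accepted")
    salt, digest = hash_secret("correct horse battery staple")
    print("verify ok:", verify_secret("correct horse battery staple", salt, digest))
```

Two practical notes on the design. First, the checker accepts a 64-character secret and passes the full string to the hash; when you swap in a different password hash, confirm that it does not impose its own input cap, because some widely used schemes silently truncate long inputs (bcrypt stops at 72 bytes), which would quietly violate the "no truncation" point above. Second, the throttle counts consecutive failures per account in memory only for illustration; in production the counter lives in shared storage and is paired with alerting, since a burst of failures across many accounts is the signal a defender wants to see.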

You can get more information about the NIST 800-63 guidelines from the references below.

References:

  1. NIST Special Publication 800-63B
  2. NIST Special Publication 800-63