Worried About Cybersecurity? Insist on Long Passwords
Posted December 15, 2016
By Brice Wallace. Updated December 15, 2016 9:46AM

"I have two dogs" may not sound like much, but it could be the foundation for an improved wall against costly and time-consuming cyber attacks.

At a recent panel discussion [during] Cybersecurity Awareness Month, Kevin Howard, principal security architect at cyber security and risk management company Secuvant, suggested that companies insist on having their employees use lengthy passwords, or even phrases, to keep the bad guys out of their computer networks.

"Password lengths -- 12-plus, 15-plus [characters] -- are the easiest way to maximize the pain that I feel when I try and grab these passwords," Howard said, referring to his work demonstrating how easy it is to get into corporate systems. "The problem is that a 15-character password is hard to remember."

However, a hard-to-crack password can be a phrase rather than a word. That's where "I have two dogs" comes in.

"Maybe throw in some exclamation marks or periods or spaces," he said. "Now, all of the sudden, you have length, you have complexity and you know what it is."

However, even common phrases can be an issue. Some password-crackers scan text of phrases from books as a way of searching for a cyber pathway into a system, he said.

"So coming up with unique phrases is usually where I like to start, and keeping them at least above 10 to 12 characters is probably a minimum," Howard said.

The chamber says cyber attacks cost businesses $400 billion annually, and as much as 75 percent of breaches go undiscovered for weeks. Cyberspace has no boundaries, making it impossible to predict when an attack may happen. To combat the problem, it suggests that companies and organizations set stronger passwords, change them regularly and never share them; use privacy settings; limit the amount of personal information online; update software; and be cautious about enticing online offers.

"Most common corporate policies is a minimum of eight-character passwords. In reality, that's not enough," Howard said. "We can take an $8,000 cracking rig and actually crack most organizations' passwords in minutes. That's just the nature of the business. If the password is part of a dictionary, we can take a combination of dictionary words, throw some numbers on there -- 'baseballl3,' for instance. OK, maybe you want to throw in a special character -- 'baseballl3' with an exclamation mark. All of that can be automated within minutes and we do it today," he said.

The panel also included representatives from the FBI, Dental Select and the Utah Department of Technology Services. Each panelist noted that cyber threats are inevitable.

"The problem is that cyber crimes, which everyone here on the panel can tell you, is that they're not all in the state of Utah, right?" said James E. Lamadrid, an FBI supervisory special agent and coordinator of the FBI Salt Lake City Cyber Task Force Program. "They can be found at a keyboard a thousand miles away, in Romania, creating your malware and targeting a business here in Utah. So that makes it very challenging."

© 2017 The Enterprise syndicated under contract with NewsEdge/Acquire Media. All rights reserved.
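
The pattern Howard describes (a dictionary word with numbers and a special character added) and his caveat about phrases taken from books can be screened for when a password is set. The following is an added example, not code from the article or from Secuvant; the word and phrase lists are constructed samples, and `MIN_LENGTH`, `strip_decorations` and `check_password` are hypothetical names chosen for illustration.

```python
import re

# Constructed sample lists; a real deployment would load a full dictionary,
# a breached-password list and a corpus of well-known phrases.
SAMPLE_WORDS = {"baseball", "password", "dragon", "welcome"}
SAMPLE_PHRASES = {"to be or not to be", "call me ishmael"}
MIN_LENGTH = 12  # assumption: upper end of the "10 to 12" minimum quoted above

# Common character substitutions, undone before the dictionary lookup.
LEET = str.maketrans("013457@$!", "oleastasi")


def strip_decorations(password):
    """Lower-case and drop the digits/symbols padded onto either end."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password.lower())


def check_password(password, words=SAMPLE_WORDS, phrases=SAMPLE_PHRASES):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    core = strip_decorations(password)
    if core in words or core.translate(LEET) in words:
        problems.append("dictionary word plus decorations")
    # Compare phrases on letters only, so punctuation and spacing do not hide them.
    if re.sub(r"[^a-z]+", " ", core).strip() in phrases:
        problems.append("well-known phrase")
    return problems


if __name__ == "__main__":
    for candidate in ["Baseball13!", "P@ssw0rd2016!!", "To be, or not to be.",
                      "I have two dogs!!"]:  # constructed samples
        print(repr(candidate), check_password(candidate) or "accepted")
```

A 14-character password such as the constructed `P@ssw0rd2016!!` passes a length-only rule but is still rejected here, which is why the length check and the dictionary check are applied together.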

Tell Us What You Think
Peter:
Posted: 2016-12-19 @ 12:12am PT
Ditto what Bryan said.

Forcing users to change their passwords regularly leads to worse security because that leads to the password being written down.

Jimmy Toriola:
Posted: 2016-12-18 @ 3:15pm PT
It is true that creating passwords with phrases that cannot easily be broken will safeguard us in the long run.

Bryan:
Posted: 2016-12-17 @ 7:25am PT
It must be easy being a cybersecurity professional today. You can speak nonsense with no supporting evidence and make the press and your boss happy.

How many cases are there where a more complex password would have helped? The bad guy needs to have the hashed password before he can run a password cracker; in that case, he's already broken the system and finding the password is mostly useful for finding password reuse on other systems, which is a bad idea.
