Worried About Cybersecurity? Insist on Long Passwords
By Brice Wallace. Updated December 15, 2016.
"I have two dogs" may not sound like much, but it could be the foundation for an improved wall against costly and time-consuming cyber attacks.
At a recent panel discussion [during] Cybersecurity Awareness Month, Kevin Howard, principal security architect at cyber security and risk management company Secuvant, suggested that companies insist on having their employees use lengthy passwords, or even phrases, to keep the bad guys out of their computer networks.
"Password lengths -- 12-plus, 15-plus [characters] -- are the easiest way to maximize the pain that I feel when I try and grab these passwords," Howard said, referring to his work demonstrating how easy it is to get into corporate systems. "The problem is that a 15-character password is hard to remember."
However, a hard-to-crack password can be a phrase rather than a word. That's where "I have two dogs" comes in.
"Maybe throw in some exclamation marks or periods or spaces," he said. "Now, all of the sudden, you have length, you have complexity and you know what it is."
However, even common phrases can be an issue. Some password-crackers scan text of phrases from books as a way of searching for a cyber pathway into a system, he said.
"So coming up with unique phrases is usually where I like to start, and keeping them at least above 10 to 12 characters is probably a minimum," Howard said.
The chamber says cyber attacks cost businesses $400 billion annually, and as much as 75 percent of breaches go undiscovered for weeks. Cyberspace has no boundaries, making it impossible to predict when an attack may happen. To combat the problem, it suggests that companies and organizations set stronger passwords, change them regularly and never share them; use privacy settings; limit the amount of personal information online; update software; and be cautious about enticing online offers.
"The most common corporate policy is a minimum of eight-character passwords. In reality, that's not enough," Howard said. "We can take an $8,000 cracking rig and actually crack most organizations' passwords in minutes. That's just the nature of the business. If the password is part of a dictionary, we can take a combination of dictionary words, throw some numbers on there -- 'baseball13,' for instance. OK, maybe you want to throw in a special character -- 'baseball13' with an exclamation mark. All of that can be automated within minutes and we do it today," he said.
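To make Howard's point concrete, here is an added example (not code from the article or from Secuvant) of a length-first password policy check: it rejects the "dictionary word plus digits plus symbol" pattern he describes and compares the brute-force search space of an eight-character policy with a 15-character phrase. The word list is a tiny constructed stand-in for a real cracking dictionary, and the guess rate is an assumed figure for illustration.

```python
import math
import re

# Constructed mini word list standing in for the dictionaries crackers use (assumption).
COMMON_WORDS = {"baseball", "password", "welcome", "football", "dragon", "summer"}

# The mangling pattern from the article: a dictionary word, a few digits, maybe one symbol.
WORD_SUFFIX_RE = re.compile(r"^([A-Za-z]+)(\d{0,4})([!@#$%^&*.?]?)$")


def is_dictionary_mangling(password: str) -> bool:
    """True when the password is just a common word with a digit/symbol suffix."""
    m = WORD_SUFFIX_RE.match(password)
    return bool(m) and m.group(1).lower() in COMMON_WORDS


def check_policy(password: str, min_length: int = 12):
    """Return (accepted, reasons) under a length-first policy.

    min_length defaults to 12, the lower end of the range Howard recommends.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if is_dictionary_mangling(password):
        reasons.append("dictionary word with digit/symbol suffix (cracked in minutes)")
    return (not reasons, reasons)


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a random password of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def brute_force_seconds(length: int, alphabet_size: int,
                        guesses_per_second: float = 1e11) -> float:
    """Worst-case exhaustive-search time; the guess rate is an assumed figure."""
    return (alphabet_size ** length) / guesses_per_second


if __name__ == "__main__":
    for pw in ["baseball13!", "football2016!", "I have two dogs"]:
        print(pw, check_policy(pw))
    # Eight random printable characters vs. a 15-character lowercase phrase with spaces.
    print("8 chars / 95 symbols:", round(keyspace_bits(8, 95), 1), "bits",
          round(brute_force_seconds(8, 95) / 3600, 1), "hours")
    print("15 chars / 27 symbols:", round(keyspace_bits(15, 27), 1), "bits",
          round(brute_force_seconds(15, 27) / (3600 * 24 * 365), 1), "years")
```

Note that the keyspace figures only describe random passwords; a mangled dictionary word such as 'football2016!' passes the length test yet falls to a wordlist-plus-rules attack, which is why the policy check rejects it separately.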
The panel also included representatives from the FBI, Dental Select and the Utah Department of Technology Services. Each panelist noted that cyber threats are inevitable.
"The problem is that cyber crimes, which everyone here on the panel can tell you, is that they're not all in the state of Utah, right?" said James E. Lamadrid, an FBI supervisory special agent and coordinator of the FBI Salt Lake City Cyber Task Force Program. "They can be found at a keyboard a thousand miles away, in Romania, creating your malware and targeting a business here in Utah. So that makes it very challenging."