As SCADA networks become increasingly interconnected, they are at risk. In many cases, passwords are the primary line of defense protecting user accounts from being taken over.
“Criminals are still using passwords they stole in 2012 to attack and take over accounts today. Companies need to guide users to set better passwords at the time of account creation and they need to help users maintain strong, uncompromised passwords whenever their credentials are exposed in a breach anywhere in the world.” (Feb 12, 2020 - https://www.helpnetsecurity.com/2020/02/12/credential-exposure-report/ )
Enforcing uniqueness and complexity of case-sensitive combinations of letters mixed with special characters are more difficult for automated brute-forcing tools to mathematically guess than using simple combinations of words and numbers—and the longer the password the better. While these best practices are not a inclusive guideline to securing your network having strong passwords is a great starting point.
Passwords can be an inconvenience to change and to remember, especially when you have dozens of applications and accounts to log into. With the increase in phishing and ransomware attacks, passwords can be the main line of defense when securing your data.
How to Create a Strong, Secure Password
So what does make a strong password?
It should not contain any personal information, such as a name, birthday, anniversary, or your dog’s name. These can easily be tied to you, especially if it can be found on social media.
It should be sufficiently long to make brute force attacks time consuming. The general recommendation is 15 - 20 characters. The longer the password the better.
Use a random combination of upper and lower case letters, numbers and special characters. Inject a variety of characters that make your password unique.
Alternatively use a passphrase, which is a sentence that includes capitalization and numbers with random punctuation. For example Th3w3@th3r!nAnt@rcT!cA!sABli$$ful-25-. (The weather in Antarctica is a blissful -25- ) Add a space at the end (if the application you are using allows it). Like an invisible character.
Do not use the same password for all your accounts. Sharing passwords between sites is like playing Russian Roulette. All it takes is one website hack to wreak havoc on your day, especially if that password is used for multiple accounts (which you should not be doing).
Passwords need maintenance. Yes passwords should be changed – how often is yours? The consensus varies but if you have a regulatory requirement, then it is more often. A consistent basis is at least once every three or four months.
Do not write passwords down on a post-it note to be kept at your desk or keep them in a file on your computer / phone. This then makes the passwords vulnerable to discovery by someone else.
K9 Nose Best ---
The Danger of Ignoring Data Breaches
If your password gets exposed in a breach, then every account where you reused it is at risk. It is not a question of if your data will get exposed — it is just a matter of when. Assume you used the same password for 10 sites (or more) and one of them gets breached; you now need to change the password on all 10+ sites instead of one.
Know When It's OK to “Lie”
The need to be unique also applies to security questions; don't answer them consistently across sites. A much better security approach is to lie, so to speak, by giving the place you were born "name" as a unique, 16-character sequence of letters, numbers and special characters - just like a password.
Your personal email, which is where you access all those accounts when you've forgotten your password. You should keep one email account linked to online banking, credit card companies, financial accounts and other important accounts. Secure this email address by only giving it out when necessary. Then have a different second email address for less important accounts.
[A "Thank You" to Monkey, Cody, Pippin and Ems for posing.]
Editorial note: Our articles provide educational information for you. Our goal is to increase awareness about cyber safety.
Marilyn Sousa, CISA, CISM
Senior Cyber Security Engineer