Why Change your Password Every 3 Months?

At work, you’re probably required to change your password every 3 months or so.

Why? To restrict access.

It’s to kick out an attacker that may already be inside your system.

That’s it; simple and logical eh.

Because remember the golden rule – it’s not IF you’re compromised, it’s WHEN (more here)

Small business owners – it’s good practice to do this at least once every 3 months, ideally more. And when you do, be mindful of this sad stat – the more often employees are required to change passwords, the higher the chance it will be both written down and super crappy, for example: Summer2014 and Winter2015

A good password looks like this:
M{c^TJ.`?W@Y?I6i1@O%yq4?o

Blog tag = passwords

This post has been brought to you by Nuix and KeriBlog.

Meet Nuix here.


The Math Behind Having a Long Password

Longer passwords are better, but why? 2 reasons.

1st – this mathematical formula:

X^Y = Z (X is the number of possible characters, Y is the password length, and Z is the number of combinations an attacker has to try)

2nd – that a password guessing script can make 25 billion guesses, per second.

So! 

The password – kerio – uses only lower case alphabetical characters, of which there are 26.

So our formula is: 26^5 = 11 billion = cracked in 0.5 seconds

The bigger both numbers =
the better off you are

Here’s a proper, 25-character password: ")pCdjAL'x*^KgV3XE!x*w!1P

It uses lower case letters (26), upper case (26), numbers (10), and symbols (32) = 94^25 = 2.1291014e+49 = cracked in weeks = attacker likely moves onto an easier target
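The X^Y = Z formula and the 25-billion-guesses-per-second rate above are enough to work the whole thing out in code. The following calculator is an added example written for this page, not code from the post or from Nuix; it takes the four character-class sizes exactly as the post counts them (26, 26, 10, 32) and the quoted guessing rate, and evaluates the formula exactly, so the keyspace, the equivalent bit count and the worst-case exhaust time come straight out of the computation for any password shape you give it. The password shapes in the `__main__` block (including a 12-character lower-case-only one) are constructed for comparison.

```python
import math

# Character-class sizes exactly as the post counts them
CLASS_SIZES = {
    "lower": 26,    # a-z
    "upper": 26,    # A-Z
    "digits": 10,   # 0-9
    "symbols": 32,  # printable ASCII punctuation
}

# The guessing rate quoted in the post: 25 billion guesses per second
GUESSES_PER_SECOND = 25_000_000_000


def alphabet_size(classes):
    """X in X^Y = Z: how many distinct characters the password draws from."""
    return sum(CLASS_SIZES[c] for c in classes)


def keyspace(classes, length):
    """Z in X^Y = Z: the number of passwords an exhaustive search must try."""
    return alphabet_size(classes) ** length


def entropy_bits(classes, length):
    """The same quantity in bits; every extra bit doubles the attacker's work."""
    return length * math.log2(alphabet_size(classes))


def seconds_to_exhaust(classes, length, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every combination at the given guessing rate."""
    return keyspace(classes, length) / rate


def human_time(seconds):
    """Render a duration in the largest sensible unit, to 3 significant figures."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.3g} {name}"
    return f"{seconds:.3g} seconds"


def report(label, classes, length):
    """One line per password shape: alphabet X, length Y, keyspace Z, bits, time."""
    z = keyspace(classes, length)
    return (f"{label:<24} X={alphabet_size(classes):>3} Y={length:>2} "
            f"Z={z:.3e} ({entropy_bits(classes, length):.1f} bits) "
            f"-> {human_time(seconds_to_exhaust(classes, length))}")


if __name__ == "__main__":
    ALL = ["lower", "upper", "digits", "symbols"]
    # Constructed comparison set: the post's two passwords plus two more shapes
    print(report("kerio (lower, 5)", ["lower"], 5))
    print(report("8 chars, all classes", ALL, 8))
    print(report("12 chars, lower only", ["lower"], 12))
    print(report("25 chars, all classes", ALL, 25))
```

Running it shows the "both numbers" point concretely: 12 lower-case letters (26^12) take longer to exhaust than 8 characters drawn from all 94 (94^8), because the length Y sits in the exponent while the alphabet X is only the base.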

***


How to Use a Password Manager

A strong password looks like this:

That’s difficult to brute force, and a dictionary attack won’t work on it… but how do you remember this?

You don’t – your password manager does.

Here, I made a fake one to show you, this is inside my manager.

How it works:

1 – make 1 master password, like 25 characters long, write it down on paper, and ideally, memorize it, then store a physical copy somewhere other than home
2 – use that master password to log into the manager. That’s it, no more remembering from here on
3 – use the password generator to create a unique password for each site you log into

Add login information, notes, click okay to save.

To log into a site: go to manager > copy the password > back to browser > paste > done

4 – routinely backup the database, and store it on 2 USB keys in 2 locations (why? Here.)

Which manager program to use?

Here’s a shopping list:

– 256-bit encryption minimum, AES-256 (Advanced Encryption Standard)
– ideally the backup file is encrypted
– has the ability to exclude certain characters when generating passwords
– can sync between devices
– be wary of plugins that are independent of any software
– simple is best! It’s like a car – the more features it has, the more there is to break
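Step 3 above (use the generator for a unique password per site) and the "exclude certain characters" item on the shopping list are the two things a generator has to get right: draw from a cryptographic random source, and honour an exclusion list without quietly weakening the result. The generator below is an added example written for this page, not code from any of the managers named or from the post; it uses Python's `secrets` module, builds the alphabet from the same four classes the post counts (`string.punctuation` is exactly the 32 symbols), and the `LOOKALIKES` exclusion set is a constructed example of characters people typically exclude.

```python
import secrets
import string

# The post's four character classes; string.punctuation is exactly the 32 symbols it counts
CHARACTER_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}

# Constructed example exclusion set: characters easily confused when read off paper
LOOKALIKES = "0O1lI|"


def missing_classes(password, exclude=""):
    """Names of the character classes (after exclusions) that `password` never uses."""
    missing = []
    for name, chars in CHARACTER_CLASSES.items():
        allowed = set(chars) - set(exclude)
        if allowed and not (set(password) & allowed):
            missing.append(name)
    return missing


def uses_only_allowed(password, exclude=""):
    """True when no excluded character slipped into the password."""
    return not (set(password) & set(exclude))


def generate_password(length=25, exclude="", require_each_class=True):
    """Return a random password of `length` characters drawn with `secrets`,
    never using any character in `exclude` (for sites that reject some symbols,
    or for look-alike characters you would rather not transcribe by hand)."""
    alphabet = sorted(set("".join(CHARACTER_CLASSES.values())) - set(exclude))
    if len(alphabet) < 2:
        raise ValueError("exclusion list leaves too few characters to choose from")
    remaining = [n for n in CHARACTER_CLASSES if set(CHARACTER_CLASSES[n]) - set(exclude)]
    if require_each_class and length < len(remaining):
        raise ValueError("length too short to contain every character class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Rejection sampling: redraw until every remaining class appears, which
        # keeps the output uniform over the set of accepted passwords.
        if not require_each_class or not missing_classes(candidate, exclude):
            return candidate


if __name__ == "__main__":
    print(generate_password(25))
    print(generate_password(25, exclude=LOOKALIKES))
```

Note that the length and the exclusion set are the only two knobs; a generator that also lets you "pronounce" or pattern the result is adding features that reduce the keyspace, which is the "more to break" problem from the shopping list in a different form.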

Possible Programs:

– KeePassX – open source

– 1Password – (a Canadian company!)

– Password Safe – open source

Important: this is not an endorsement of any of these programs, do your homework


Why an 8-Character Password is Not Enough

Take a common password, 8 characters in length, composed of 1 word, 1 number and 1 punctuation mark:

The Attack

Using a script (a program that automatically executes tasks instead of a human), the attacker starts guessing every possible 8-character combination. This will take about 3 days.

This is a brute force attack – very little elegance, just plain old grinding it out.

The More Sophisticated Attack

Using a dictionary attack, again the attacker runs a script, but this time instead of random guessing, dictionaries of words are tried first, specifically, the most common password words are tried.

See yours in here?

The Defence

Choose 3 obscure words, string them into a sentence separated by punctuation and numbers.
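The dictionary attack works because a "word + number + punctuation" password is really just the word; the digits and symbols are padding the attacker's script strips or enumerates cheaply. A defender can apply the same reasoning in reverse when checking a proposed password. The checker below is an added example written for this page, not code from the post or from Nuix; `COMMON_WORDS` is a small constructed stand-in for a real common-password list, and the leet-speak substitution table and the `too_short`/`common_word` finding codes are this example's own conventions.

```python
import re

# Constructed stand-in for a real common-/breached-password word list
COMMON_WORDS = {
    "password", "welcome", "summer", "winter", "monkey", "dragon",
    "letmein", "football", "princess", "sunshine", "qwerty",
}

# Letter-for-symbol substitutions a dictionary attack also tries
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e", "5": "s"})

TOO_SHORT = "too_short"      # 8 characters or fewer: exhaustively guessable in days
COMMON_WORD = "common_word"  # built around a word a dictionary attack tries first


def core_words(password):
    """Candidate dictionary words hidden in the password: drop digits and
    punctuation from both ends (the '1 word, 1 number, 1 punctuation' pattern)
    and undo leet-speak, in either order, after lower-casing."""
    def strip_ends(s):
        return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", s)

    lowered = password.lower()
    return {
        strip_ends(lowered).translate(LEET),
        strip_ends(lowered.translate(LEET)),
    }


def check_password(password):
    """Return the list of finding codes for a password; an empty list means
    neither the brute-force nor the dictionary weakness from the post applies."""
    findings = []
    if len(password) <= 8:
        findings.append(TOO_SHORT)
    if core_words(password) & COMMON_WORDS:
        findings.append(COMMON_WORD)
    return findings


if __name__ == "__main__":
    # Constructed samples: the post's weak pattern versus its 3-obscure-words defence
    for sample in ("Summer2014!", "P@ssw0rd!", "dragon1", "plinth7;gibbous/wainscot"):
        print(f"{sample:<26} -> {check_password(sample) or 'ok'}")
```

The three-obscure-words defence passes both checks here: nothing in a common-word list matches the stripped core, and the length pushes the brute-force cost far beyond the 8-character case.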

***


Introducing the Nuix & KeriBlog Security Series

Announcing the launch of an all-new security series here on KeriBlog, brought to you by Nuix and KeriBlog.com.

I’m especially excited to get Nuix’s input on the posts, because I am no expert, and the type of topics we’ll talk about is baby stuff for them.

Who is Nuix?

Found in 45 countries around the world, Nuix specializes in threat intelligence, and works with some of the world’s leading enterprises and regulatory agencies, law enforcement and anti-corruption bodies, federal government departments, and advisory firms.

They’re a technology company that enables people to make fact-based decisions by analyzing and extracting knowledge from unstructured data.

Think of it like an “Anomaly Machine” – upload any type of file (logs, emails, documents), and it will hoover up the text and help you find patterns among thousands+ of files.

We’ll make it so you don’t recoil in horror seeing this:

About the Security Series

We’ve designed an 8-part series to teach you how to stay safe online. Our first topic is passwords. Did you know that with the help of a tool, I can make 25 billion password guesses, per second? Billion.

Upcoming topics: 

  1. Passwords
  2. So You Clicked on a Bad link
  3. Malware, Viruses, Trojans and more
  4. What is a Pentest and why you need one
  5. XSS is not your friend
  6. Let’s go Phishing
  7. The MITM Attack
  8. Securing a WordPress site

And they’re going to attack me. Neat eh.

I’ll be the guinea pig, and they’ll attempt (and probably succeed) in breaching my social media accounts, blog, and email to show you how easy it is to be compromised.

Remember the golden rule of online security:
it’s only as good as YOU make it.

Small business owners – a responsibility comes with accepting credit cards and customer’s personal information, conduct your business security accordingly.

***
