
How to Set Strong Passwords: Password Management Best Practices

By George Mateaki, Security Analyst, SecurityMetrics (CISSP, QSA)


Learn what your business is doing wrong with passwords. 

Multi-factor authentication is one of the best ways to protect accounts that rely on passwords. It requires at least two of the following:

  • Something you know (password, code, etc.)
  • Something you have (code sent to your phone)
  • Something you are (fingerprint scan, etc.) 

Part of the authentication process includes passwords, but unfortunately passwords can bring their own set of problems.

The problem with passwords

The biggest problem with passwords is they can be broken fairly easily through brute-force and dictionary attacks. Programs like John the Ripper and L0phtCrack are used to crack even complex passwords.

Human nature also makes passwords insecure. Employees tend to choose passwords they can remember easily, which often makes them easy for a data thief to guess or to extract through social engineering. Many employees also write down passwords or share them with others for convenience.

Finally, there’s the matter of storage and transmission. Many applications store or transmit passwords in plaintext, making them easy for an attacker to find and reuse.

Unfortunately, many businesses don’t realize just how easily cyber thieves can crack a password, especially if it’s a common one. As a result, they have poor practices when it comes to password security.

  • Sharing credentials: sometimes employees will share accounts and credentials to save time. However, this makes it easy for social engineers to quickly gain access to sensitive data.
  • Not updating passwords regularly: for many hackers, it’s only a matter of time before they crack a password, so businesses that have had the same passwords for their accounts since the day the company started are vulnerable.
  • Choosing words like “password” or “admin”: these passwords are very common and are likely the first words hackers guess when trying to break into your remote access.
  • Default configuration: businesses will often keep the default passwords that were established when their routers/POS systems were set up. Most default passwords have been published on the internet, so that makes it fairly easy for hackers to break into your devices.

Do we even need passwords anymore?

It’s true that passwords alone will not secure your data very well, but it’s the baseline. The fact that many businesses aren’t even using basic password security shows how vulnerable their data may be.

Eventually passwords may not be needed anymore as technology develops, but currently your devices and applications will still need unique, strong passwords.


How to set strong passwords 

So how do you make sure your passwords are secure? Here are some basic practices.

Assign employees unique credentials/change default passwords 

Make sure your employees aren’t sharing the same usernames or passwords. This prevents a social engineer from gaining access to sensitive data simply by targeting one employee. Many companies create a numeric user name that has no association with the actual name of the user. Renaming the built-in administrator account to “admin” may meet the letter of the requirement but misses its intent: the administrator user name should be changed to something that does not indicate an administrator. The same goes for any elevated-access account used as the master/root account, if the technology allows for it.

You’ll also want to change all the default passwords on devices, otherwise you’re opening up your network to hackers.

The longer your password, the better. Just like larger encryption keys are harder to break, longer passwords are more difficult to crack. The PCI DSS recommends businesses have passwords of at least eight characters, though I recommend at least 10-15 characters.

You’ll also want to make them complex, using a mixture of numbers, symbols and letters. This seems like a no-brainer, but you’d be surprised how many people don’t follow this rule.

Have limited login attempts

Set a number of times your employees can try to log into a system. After a number of unsuccessful logons, have the account lock out the one trying to get in. This will help prevent brute-force attacks and social engineers trying to guess passwords.
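The lockout described above, together with the storage point raised earlier in the post (never keep or compare passwords in plaintext), as an added Python example that is not part of the original article. It stores only a salted PBKDF2 hash per account, compares hashes in constant time, and locks an account after a fixed number of consecutive failures. The attempt limit, lockout window and iteration count are assumed values chosen for the illustration, not figures from the article or from PCI DSS.

```python
import hashlib
import hmac
import os
import time

# Policy values are assumptions for this example, not from the article.
MAX_FAILED_ATTEMPTS = 5       # lock the account after this many failures in a row
LOCKOUT_SECONDS = 15 * 60     # how long a locked account stays locked
PBKDF2_ITERATIONS = 600_000   # work factor for the stored password hash
DUMMY_SALT = b"\x00" * 16     # used so unknown users cost the same time as real ones


def derive_key(password: str, salt: bytes) -> bytes:
    """Salted, slow hash of the password; this is the only form that is stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class AccountStore:
    """In-memory user store with per-account failed-attempt counting and lockout."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock  # injectable so a test can advance time without sleeping
        self.accounts = {}

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)  # fresh random salt per account
        self.accounts[username] = {
            "salt": salt,
            "key": derive_key(password, salt),
            "failures": 0,
            "locked_until": 0.0,
        }

    def is_locked(self, username: str) -> bool:
        acct = self.accounts.get(username)
        return acct is not None and self.clock() < acct["locked_until"]

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'locked' or 'denied'. A locked account is refused even
        with the right password, so guessing cannot continue during the window."""
        acct = self.accounts.get(username)
        if acct is None:
            # Do the same amount of hashing work for unknown users so response
            # time does not reveal which usernames exist.
            derive_key(password, DUMMY_SALT)
            return "denied"
        if self.is_locked(username):
            return "locked"
        candidate = derive_key(password, acct["salt"])
        if hmac.compare_digest(candidate, acct["key"]):  # constant-time compare
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILED_ATTEMPTS:
            acct["locked_until"] = self.clock() + LOCKOUT_SECONDS
            acct["failures"] = 0  # counting restarts once the lockout expires
        return "denied"


if __name__ == "__main__":
    store = AccountStore()
    store.add_user("user1047", "Iwmsg@n1980!")  # numeric-style user name, as the post suggests
    print(store.login("user1047", "Iwmsg@n1980!"))   # ok
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(store.login("user1047", "football"))   # denied (x5), then locked
    print(store.login("user1047", "Iwmsg@n1980!"))   # locked
```

The clock is injected so the lockout window can be tested without waiting; in a real service the counter and lockout timestamp would live in the database next to the hash, and the lockout event itself should be logged so repeated lockouts across many accounts show up in monitoring.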


How to create a strong password

Nowadays, using your favorite sport as a password doesn’t cut it anymore. Here’s a list of the top ten most popular passwords:

  1. 123456
  2. password
  3. 12345678
  4. qwerty
  5. 12345
  6. 123456789
  7. football
  8. 1234
  9. 1234567
  10. baseball

Some additional passwords in the top 25 include, “dragon,” “welcome,” and “starwars.” None of these passwords are secure because they’re too easy to guess, being too common or relying on keyboard patterns. Hackers know these lists well and often use them as a first step to cracking your password.  If any of your passwords are on this list, you’ll want to change them as soon as possible.

Your best practice is to use a passphrase that’s unique to you. Take a phrase such as “I wear my sunglasses at night” and use the first letter of each word. Combine it with a number, such as a date, and you have a stronger password. Example: I wear my sunglasses at night = Iwmsg@n1980!

You likely know these, but a few other basic guidelines for passwords include:

  • Use a mixture of upper and lower-case letters
  • Don’t include name or other personal information
  • Replace some letters with numbers
  • Use nonsense phrases, misspellings, or substitutions
  • Do not use repeating patterns between password changes
  • Do not use the same passwords for work and personal accounts
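The guidelines above, the top-ten list earlier in this section, and the first-letter passphrase method, as an added Python example that is not from the original article: a policy check that rejects common passwords, short passwords, keyboard runs, personal information and a previous password with only the ending changed. The 10-character minimum follows the author's recommendation; the keyboard-row table and the small common-password set are constructed for the example, and a real deployment would load a full breach-derived list instead.

```python
import re

# Constructed for this example: the article's top ten plus three of its top-25
# entries. A real deployment would load a full breach-derived list instead.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "dragon", "welcome", "starwars",
}
# Keyboard rows used to spot patterns such as "qwer" or "asdf" (assumed table).
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
MIN_LENGTH = 10  # the author's recommended minimum; the PCI DSS floor cited is eight


def passphrase_to_password(phrase: str, suffix: str = "") -> str:
    """Build a password from the first letter of each word in a phrase, then
    append a number/symbol suffix, as in the article's sunglasses example."""
    return "".join(word[0] for word in phrase.split()) + suffix


def _has_keyboard_run(pw: str, run: int = 4) -> bool:
    """True if `run` adjacent keyboard keys appear in order, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            segment = row[i:i + run]
            if segment in low or segment[::-1] in low:
                return True
    return False


def _stem(pw: str) -> str:
    """Lower-cased password with trailing digits/symbols removed, so that
    'Summer2023!' and 'Summer2024!' share the stem 'summer'."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def check_password(pw: str, personal=(), previous=()) -> list:
    """Return the list of policy violations; an empty list means the password passes.
    `personal` holds strings such as the user's name; `previous` holds old passwords."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        problems.append("needs both upper- and lower-case letters")
    if not re.search(r"\d", pw):
        problems.append("needs a digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("needs a symbol")
    if _has_keyboard_run(pw):
        problems.append("contains a keyboard pattern")
    if re.search(r"(.)\1\1", pw):
        problems.append("repeats the same character three or more times")
    for item in personal:
        if item and item.lower() in pw.lower():
            problems.append(f"contains personal information ({item})")
    for old in previous:
        if pw.lower() == old.lower():
            problems.append("same as a previous password")
        elif _stem(pw) and _stem(pw) == _stem(old):
            problems.append("reuses a previous password with only the ending changed")
    return problems


if __name__ == "__main__":
    print(check_password("football"))                        # several violations
    candidate = passphrase_to_password("I wear my sunglasses at night", "1980!")
    print(candidate, check_password(candidate))              # Iwmsan1980! []
    print(check_password("Summer2024!", previous=("Summer2023!",)))
```

The check runs at password-set time only; it complements, rather than replaces, the lockout on the login path, since a password that passes every rule here can still be guessed if an attacker is allowed unlimited attempts.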

You can’t really afford to have weak passwords. Ultimately a password isn’t going to completely secure your data. What you really need is to use a combination of multi-factor authentication, encryption, and other protocols to make sure your data is secure. But having a strong password is a good start.

George Mateaki (CISSP, CISA, QSA, PA-QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT. 
