Ensuring the security of personal data is a key requirement of the General Data Protection Regulation, found under Article 32 (Security of Processing). This obligates organisations to ensure that appropriate technical and organisational measures are in place to protect personal data. Often, the first point of protection for this data is the access controls with which it is secured.
Usernames and passwords are still a mainstay method of authentication with the products and services that we use to manage our professional and personal lives. Additional layers of security such as multifactor authentication serve to augment this basic access control, but many services still rely on a combination of username and password to secure access.
As seen recently with the disclosure of Nord VPN user accounts, many people are still using relatively simple and commonly-used passwords to secure their accounts.
The Nord VPN credential breach happened because a technique known as credential stuffing was used to test whether common passwords had been used to secure Nord VPN accounts. In this case, Nord VPN shared some of the responsibility for the attack being possible because, at the time, additional verification methods such as multi-factor authentication were not available.
Responsibility is also shared with account holders who used common, non-complex or shared passwords across their other accounts that were breached, enabling attackers to target Nord VPN accounts.
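Credential stuffing leaves a characteristic trace in a service's authentication logs: one source address failing logins against many different accounts within a short period, rather than one user failing repeatedly against their own account. The following Python is an added example of that detection logic, not code from the original article or from Nord VPN; the log line format, the window length and the threshold are assumptions of the example, and the log lines are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real service). The line
# format is an assumption of this example:
#   "<ISO timestamp> ip=<addr> user=<name> result=<success|failure>"
# 198.51.100.22 is one user mistyping their password; 203.0.113.7 sprays many accounts.
SAMPLE_LOG = """\
2019-11-01T10:00:01 ip=198.51.100.22 user=alice result=failure
2019-11-01T10:00:09 ip=198.51.100.22 user=alice result=failure
2019-11-01T10:00:20 ip=198.51.100.22 user=alice result=success
2019-11-01T10:05:00 ip=203.0.113.7 user=alice result=failure
2019-11-01T10:05:01 ip=203.0.113.7 user=bob result=failure
2019-11-01T10:05:01 ip=203.0.113.7 user=carol result=failure
2019-11-01T10:05:02 ip=203.0.113.7 user=dave result=failure
2019-11-01T10:05:03 ip=203.0.113.7 user=erin result=success
2019-11-01T10:05:03 ip=203.0.113.7 user=frank result=failure
2019-11-01T10:05:04 ip=203.0.113.7 user=grace result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|failure)$"
)


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, result) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"]))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_distinct_users=5):
    """Return {ip: summary} for source IPs whose failed logins hit at least
    `min_distinct_users` different accounts inside some `window`-long interval.

    The distinguishing signal is the number of distinct usernames per source,
    not the raw failure count: a forgotten password fails against one account,
    a stuffing run fails against many.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        failures = [(ts, user) for ts, user, result in evs if result == "failure"]
        users_in_window = Counter()
        max_distinct = 0
        start = 0
        for ts, user in failures:
            users_in_window[user] += 1
            # Slide the window start forward so it spans at most `window`.
            while ts - failures[start][0] > window:
                old_user = failures[start][1]
                users_in_window[old_user] -= 1
                if users_in_window[old_user] == 0:
                    del users_in_window[old_user]
                start += 1
            max_distinct = max(max_distinct, len(users_in_window))
        if max_distinct >= min_distinct_users:
            flagged[ip] = {
                "distinct_users": max_distinct,
                "failures": len(failures),
                # Accounts that succeeded from the same source during the spray
                # deserve the first look: a hit inside a stuffing run is a likely takeover.
                "successful_logins": sorted({u for _, u, r in evs if r == "success"}),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

On the constructed log the mistyping user is ignored and the spraying address is reported along with the one account that succeeded from it, which is the account a responder would lock and notify first.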
Both users and service providers share responsibility for doing their part in securing credentials – users when choosing a password and how to manage it, service providers in facilitating strong password choices, securing that password and adding additional layers of security to provide defence in depth.
Password Best Practices
This type of attack would have been significantly more difficult to carry out had users been applying modern password practices. Contrary to popular belief, this does not include changing a password regularly. In fact, NIST (the US National Institute of Standards & Technology) Digital Identity guidelines do not recommend password rotation as a measure to secure credentials. Unless there is a reason to suspect that your password has been disclosed, regularly changing it is now discouraged.
There are several best practices that should be applied:
The longer the better
Password length, combined with complexity, is one of the most important factors in choosing a secure password, and services should facilitate the selection of long passwords (supporting up to 64 characters is recommended). A key method for increasing password entropy (the measure of how unpredictable a password is) is to increase its length.
Use a Password Manager
With the problem of an ever-increasing number of passwords needing to be remembered, password managers (or password vaults) have offered a solution to both enabling the selection of long and complex passwords and their secure storage. There are many offerings on the market, and one may suit a particular use case more than another (for example, if a business needs password management for teams of people). Of course, a password manager is only as good as the method used to secure it and, with that in mind, consideration should be given to the passphrase chosen as your master password to secure access to the password manager itself and whether multifactor authentication is available.
Popular password managers include:
More password management solutions can be found here.
Use Multifactor Authentication (MFA)
Passwords are best used in combination with other authentication factors such as using something you have (e.g. authenticator key) and something you are (e.g. fingerprint or another biometric marker). This is commonly known as Multifactor Authentication (MFA) and is a cornerstone of modern security practices. Whenever possible, MFA should be enabled with the services that you use.
Bad Password Habits
As a consequence of having to remember so many passwords, most of us have practised bad password habits. These are some common traits of bad password management practices:
- Re-using passwords across multiple accounts;
- Using short and non-complex passwords;
- Writing down passwords;
- Using commonly known facts as part of a password (e.g. birthdate, pet name);
- Using common words or phrases (e.g. ‘password’ or ‘123456’);
- Using characters that are in close proximity on the keyboard (e.g. ‘qwerty1234’);
- Using all lower-case characters & not combining with numbers and symbols.
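The length-versus-complexity point made under "The longer the better" and the list of bad habits above can both be turned into a check that a service or a user can run before accepting a password. The following Python is an added example, not code from the original article; the entropy estimate assumes every character is drawn uniformly from the character classes present (so it is an upper bound, and a dictionary word scores far higher than it deserves), and the common-password list and keyboard rows are deliberately tiny constructed samples, where a real deployment would screen against a full breached-password list.

```python
import math
import string

# Constructed, illustrative lists only. A real check screens against a
# complete breached-password corpus rather than a handful of entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "abc123"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def estimate_entropy_bits(password):
    """Upper-bound entropy estimate: length * log2(size of the character classes used).

    Shows why length dominates: adding eight characters to an all-lower-case
    passphrase adds more bits than adding symbols to an eight-character password.
    """
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(c in string.punctuation for c in password):
        charset += len(string.punctuation)  # 32 ASCII symbols
    if any(c.isspace() for c in password):
        charset += 1
    if charset == 0:
        return 0.0
    return len(password) * math.log2(charset)


def contains_keyboard_run(password, min_run=4):
    """True if the password contains `min_run` adjacent keys from one keyboard row, in either direction."""
    lower = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_run + 1):
            run = row[i:i + min_run]
            if run in lower or run[::-1] in lower:
                return True
    return False


def check_password(password, personal_facts=(), previously_used=(), min_length=12):
    """Return the bad habits from the list above that the password exhibits, as short tags.

    `personal_facts` holds things an attacker could learn about the user (pet name,
    birth year); `previously_used` holds the user's other passwords so reuse can be caught.
    An empty list means none of the listed habits were found.
    """
    findings = []
    lower = password.lower()
    if password in previously_used:
        findings.append("reused")
    if len(password) < min_length:
        findings.append("too_short")
    if any(word in lower for word in COMMON_PASSWORDS):
        findings.append("common_word")
    if any(fact and fact.lower() in lower for fact in personal_facts):
        findings.append("personal_fact")
    if contains_keyboard_run(password):
        findings.append("keyboard_sequence")
    if not any(c.isupper() or c.isdigit() or c in string.punctuation for c in password):
        findings.append("no_mixed_characters")
    return findings


if __name__ == "__main__":
    for candidate in ["qwerty1234", "P@ssw0rd", "correct horse battery staple"]:
        print(f"{candidate!r}: {estimate_entropy_bits(candidate):.1f} bits, "
              f"findings={check_password(candidate)}")
```

Running the three candidates shows the trade-off the section describes: the short symbol-laden password and the keyboard sequence both land near 50 bits, while the 28-character all-lower-case passphrase lands well above 100 bits despite triggering the mixed-character check, which is why supporting long passwords matters more than forcing symbols.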
How to check if your credentials have been breached
An excellent resource for checking whether an account has been involved in a past breach is Have I Been Pwned, a service that keeps track of data breaches, including password disclosures.
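Have I Been Pwned also exposes its Pwned Passwords data through a range API built on k-anonymity: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to `https://api.pwnedpasswords.com/range/<prefix>`, and receives every known hash suffix with that prefix together with a breach count, so neither the password nor its full hash ever leaves the machine. The following Python is an added example of that client-side check, not code from the original article or from Have I Been Pwned; the sample response body and its counts are constructed so the parsing can be exercised offline, and only the SHA-1 of the word "password" in it is a real value.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed response body in the API's "SUFFIX:COUNT" line format. The
# suffixes and counts here are made up for the example, except that the second
# line carries the genuine SHA-1 suffix of the string "password" (prefix 5BAA6).
SAMPLE_RANGE_RESPONSE = """\
1D72CD07550416C216D8AD296BF5C0AE8E0:0
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
1E2AAA439972480CEC7F16C795BBB429372:1
"""


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix sent
    to the API and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body, suffix):
    """Return the breach count for `suffix` in a range response, or 0 if absent.

    Padding entries (count 0, returned when the Add-Padding header is sent) and
    malformed lines are ignored rather than treated as hits.
    """
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            try:
                return int(count)
            except ValueError:
                return 0
    return 0


def fetch_range(prefix, timeout=10):
    """Fetch the suffix list for one 5-character prefix from the live API."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        # Add-Padding makes every response a similar size so an observer of the
        # TLS traffic cannot infer the prefix from the response length.
        headers={"User-Agent": "pwned-password-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch=fetch_range):
    """Number of times the password appears in Pwned Passwords (0 = not found).

    `fetch` is injectable so the logic can be tested against a canned response.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix), suffix)


if __name__ == "__main__":
    import getpass
    count = pwned_count(getpass.getpass("Password to check: "))
    print("seen in breaches" if count else "not found", count)
```

A service can run the same check at registration and at password change, rejecting any candidate with a non-zero count; the only data it discloses to the third party is a five-character hash prefix shared by hundreds of unrelated passwords.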
How can organisations protect their users’ credentials?
Within an organisation, an Identity and Access Management solution should be used that governs access to the organisation’s assets, with password policy and additional layers of security controls managed by the IT security function.
For many small-to-medium-sized businesses, however, a hybrid of organisation-managed and externally managed services is often used, and having a single account to access all of these services is not possible. In this case, where staff need to manage many accounts, and therefore many strong (and hard-to-remember) passwords, businesses should equip staff with the tools needed to do this. Password management applications are part of this solution.
Trilateral’s advisors can support you in meeting your security and compliance needs. For more information visit Trilateral’s Data Governance page and contact our team.