October: Cyber Security Awareness Month 2024
Keeping Hackers at Bay: The Power of Strong Passwords and MFA
Passwords
Creating strong passwords is one of the most effective ways to protect your online accounts and personal information from cyber threats.
Passwords should be long, strong, and unique. Aim for at least 12 – 16 characters as a minimum. The longer the password, the harder it is for hackers to crack using brute-force methods.
Combining uppercase and lowercase letters, numbers (0-9) and symbols (such as @, #, $, %) adds complexity to your password, enlarging the set of possibilities an attacker has to try and making it harder to guess.
Don’t use easily guessable words like “password,” “123456,” or “qwerty.” Avoid using easily obtainable information, such as names, birthdays or pet names, and simple patterns like “abcd” or “1111.” Consider using a combination of random words or a phrase that is memorable to you but difficult for others to guess. For example, “Blue!Sweet$Tide51” combines unrelated words, symbols, and numbers. Please see the advice from the NCSC on using three random words.
Never reuse passwords across multiple sites. If one site is compromised, attackers can use the same credentials to access your other accounts. Consider using a password manager, which can generate and store complex passwords for you; this way, you only need to remember one strong master password. A cloud password manager solution is worth considering, as it offers ease of use, scalability, reliability, and security.
Why Strong Passwords Are Important
Strong passwords defend against various types of cyber-attacks, such as brute-force attacks (where hackers try all possible combinations) and credential stuffing (where hackers use stolen credentials from one site to access another).
Weak passwords can make it easier for attackers to gain access to your personal information, financial data, and other sensitive details, leading to identity theft and financial loss.
Please see the table below showing how long it takes a hacker to brute force passwords:
Figure 1: table of brute-force password cracking times (source: https://www.hivesystems.com/)
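The cracking-time table above is built from a simple calculation: the number of possible passwords for a given alphabet and length, divided by how many guesses per second the attacker can make. The following is an added example (not from the original article or from Hive Systems) that reproduces that calculation so the effect of length versus character set can be seen directly. The guess rate of 10 billion per second and the alphabet sizes are assumptions made for the example; real rates depend on the attacker's hardware and on the hash algorithm protecting the stored password.

```python
from math import log2

# Attacker guess rate assumed for this example (a constructed figure; real rates range
# from millions to many billions per second depending on hardware and hash algorithm).
GUESSES_PER_SECOND = 10_000_000_000

# Alphabet sizes for the character classes the article recommends combining.
CHARSETS = {
    "digits only": 10,
    "lowercase letters": 26,
    "upper + lowercase": 52,
    "upper + lowercase + digits": 62,
    "upper + lowercase + digits + symbols": 94,
}


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters from `alphabet_size` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Strength in bits of a password chosen uniformly at random from the search space."""
    return length * log2(alphabet_size)


def expected_seconds_to_crack(alphabet_size: int, length: int,
                              guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Average time for exhaustive search: the attacker expects to hit the password halfway through."""
    return search_space(alphabet_size, length) / 2 / guesses_per_second


def humanise(seconds: float) -> str:
    """Render a duration in the largest whole unit, as cracking-time tables usually do."""
    if seconds < 1:
        return "under a second"
    for name, span in (("years", 365 * 86400), ("days", 86400), ("hours", 3600),
                       ("minutes", 60), ("seconds", 1)):
        if seconds >= span:
            return f"{seconds / span:,.0f} {name}"
    return "under a second"  # not reached; keeps the function total


def crack_table(lengths=(8, 12, 16, 20), guesses_per_second: float = GUESSES_PER_SECOND):
    """Rows of (character set, length, strength in bits, expected crack time)."""
    rows = []
    for name, size in CHARSETS.items():
        for n in lengths:
            rows.append((name, n, round(entropy_bits(size, n), 1),
                         humanise(expected_seconds_to_crack(size, n, guesses_per_second))))
    return rows


if __name__ == "__main__":
    for charset, n, bits, when in crack_table():
        print(f"{charset:38} {n:>2} chars  {bits:6.1f} bits  {when}")
    # Length beats complexity: 12 lowercase letters outscore 8 characters from the full 94-symbol set.
    print("12 lowercase > 8 full-set:", entropy_bits(26, 12) > entropy_bits(94, 8))
```

Running the script prints one row per character set and length. The last line shows the point the article makes about length: adding four characters adds more strength than adding symbols to a short password, because each extra character multiplies the search space rather than adding to it.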
Strong passwords help protect sensitive information, whether personal (like emails, photos, or medical records) or professional (like business documents or customer data).
All organisations should require strong passwords as part of their security policies to comply with regulations and protect data from breaches.
A compromised account can be used to send spam, spread malware, or impersonate you, damaging your reputation.
Strong passwords prevent unauthorised access to devices and networks, safeguarding your data and that of others connected to the same network.
Tips
Change passwords periodically, especially if you suspect a breach. The NCSC advises not to set an expiry on user accounts and to change passwords only on suspicion of compromise. Administrator accounts should be changed regularly and have more stringent conditions applied to them, e.g. a 20-character minimum password length and a change at least every 60 days. The same should be applied to service accounts, using Group Managed Service Accounts (gMSA), which rotate the password every 30 days and set a 240-byte password. Use fine-grained password policies to apply different rules to different groups of users, such as students, staff, privileged users and system administrators.
Keep abreast of data breaches and security threats to know when to change your passwords. The Jisc cyber security community is a great way of achieving this. If you haven’t signed up yet, please do so. You have a wealth of information at your fingertips and can also tap into the knowledge of your peers. Other methods include HaveIBeenPwned, SpyCloud and the dark web searches provided as part of password managers.
Creating strong, unique passwords and maintaining good password hygiene is essential in today’s digital world to keep your personal and professional information secure from cyber threats.
Always have the Cyber Essentials password-based authentication methods at the forefront of your mind. These include the following:
- Using multi-factor authentication (see below)
- A minimum password length of at least 12 characters, with no maximum length restrictions
- A minimum password length of at least 8 characters, with no maximum length restrictions, combined with automatic blocking of common passwords using a deny list.
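The two length-based options above, together with the earlier advice against common words and trivial patterns such as “1111” or “abcd”, can be expressed as a policy check that runs at password-set time. The following is an added example, not code from the article or from Cyber Essentials, showing one way to implement it: a minimum length with no maximum, a deny list compared after undoing common substitutions (so “P@ssw0rd” is still caught), and a check for repeated or sequential runs. The deny list here is a constructed sample; a real deployment would load a large published list of common and breached passwords.

```python
# Constructed deny list for this example only; a real deployment loads a large published list
# of commonly used and previously breached passwords.
DENY_LIST = frozenset({"password", "123456", "qwerty", "letmein", "welcome", "admin"})

# Common substitutions undone before comparison, so "P@ssw0rd" is compared as "password".
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})


def normalise(password: str) -> str:
    """Lower-case the password and reverse the substitutions in LEET_MAP."""
    return password.lower().translate(LEET_MAP)


def contains_denied_term(password: str, deny_list=DENY_LIST) -> bool:
    """True if any deny-listed word appears anywhere in the normalised password."""
    normalised = normalise(password)
    return any(term in normalised for term in deny_list)


def has_trivial_pattern(password: str, run: int = 4) -> bool:
    """True for a run of `run` identical characters ("1111") or an ascending sequence ("abcd", "1234")."""
    s = password.lower()
    for i in range(len(s) - run + 1):
        codes = [ord(c) for c in s[i:i + run]]
        if len(set(codes)) == 1:
            return True
        if all(b - a == 1 for a, b in zip(codes, codes[1:])):
            return True
    return False


def check_password(password: str, *, min_length: int, deny_list=None) -> list:
    """Return the list of policy failures; an empty list means the password is acceptable.
    No maximum length is enforced, matching the guidance above."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if deny_list is not None and contains_denied_term(password, deny_list):
        failures.append("contains a commonly used password")
    if has_trivial_pattern(password):
        failures.append("contains a repeated or sequential run of characters")
    return failures


def meets_length_option(password: str) -> bool:
    """The 12-character option from the list above (no deny list required)."""
    return not check_password(password, min_length=12)


def meets_deny_list_option(password: str) -> bool:
    """The 8-character option from the list above, which requires a deny list."""
    return not check_password(password, min_length=8, deny_list=DENY_LIST)


if __name__ == "__main__":
    for candidate in ("P@ssw0rd2024", "Tr0ub4dor", "Blue!Sweet$Tide51", "Welcome1!"):
        print(f"{candidate!r}: {check_password(candidate, min_length=8, deny_list=DENY_LIST) or 'ok'}")
```

Note that the substring match is deliberately aggressive: “P@ssw0rd2024” is rejected even though it is 12 characters long and mixes all four character classes, because complexity rules alone do not stop attackers from trying well-known passwords with predictable decorations first.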
Finally, enable Multi-Factor Authentication (MFA). Use MFA alongside strong passwords for an additional layer of security.
Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA) is a security process that requires users to provide two or more forms of verification to access an account, application, or system. By combining multiple authentication factors, MFA significantly increases security, making it much harder for unauthorised users to gain access, even if they have stolen a password. Microsoft states that implementing MFA can prevent 99.9% of attacks on your accounts.
MFA typically involves at least two of the following three types of factors:
- Something You Know: This is usually a password, PIN, or answer to a security question. It’s the most common type of authentication factor but also the most vulnerable to attacks like phishing or social engineering.
- Something You Have: This could be a physical object, such as a smartphone, a hardware token, or a smart card. When you log in, a one-time code might be sent to your device, or you may need to insert a USB security key.
- Something You Are: This refers to biometric data, such as a fingerprint, facial recognition, or iris scan. These are unique to the individual and offer a high level of security.
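The “something you have” factor is most often a time-based one-time code from an authenticator app. The following is an added example, not code from the article or from any vendor, that implements the standard algorithm (HOTP from RFC 4226 and TOTP from RFC 6238) on both sides: the code the app would display, and a server-side verifier that tolerates one time step of clock drift and refuses to accept the same code twice. The shared secret used is the RFC 6238 reference value, included purely as test data; `TotpVerifier` and `secret_from_base32` are names chosen for this example.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP with the counter derived from the clock."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 shared secret carried by an enrolment QR code (tolerates case, spaces, missing padding)."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Server side: accept a code from the current or an adjacent time step, never the same step twice."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = -1  # highest time-step counter already consumed by a successful login

    def verify(self, submitted: str, for_time=None) -> bool:
        if for_time is None:
            for_time = time.time()
        counter = int(for_time) // self.step
        for drift in range(-self.window, self.window + 1):
            candidate = counter + drift
            if candidate <= self.last_counter:
                continue  # replay protection: this step, or an earlier one, has already been used
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), submitted):
                self.last_counter = candidate
                return True
        return False


# RFC 6238 reference secret (ASCII "12345678901234567890"); test data only, never use a fixed secret.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    verifier = TotpVerifier(RFC_SECRET)
    code = totp(RFC_SECRET, for_time=59)  # what the authenticator app would display at T=59
    first, replay = verifier.verify(code, for_time=59), verifier.verify(code, for_time=59)
    print(code, "accepted:", first, "replayed:", replay)
```

Two details matter for defenders. The comparison uses `hmac.compare_digest` so response time does not leak how many digits matched, and `last_counter` is persisted per user in a real system so a code captured by a phishing page cannot be reused once the legitimate login has consumed it. The verifier also needs rate limiting, since a six-digit code is only one in a million.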
Why Use MFA?
MFA provides enhanced security: even if one factor (like a password) is compromised, the attacker would still need to bypass the other factors to gain access.
MFA can provide protection against common threats, such as phishing, keylogging, and brute-force attacks.
Keep MFA in mind for Cyber Essentials (CE). Many organisations and industries are required to implement MFA to protect sensitive data, whether by law or policy or, in education and research, by contracts, funding conditions and initiatives such as CE. CE allows for multiple compliant methods of adopting MFA for your cloud services. Please see the advice from the NCSC on this. Also note that of the 5 options provided, only the first 4 are CE compliant.
In addition, if a cloud service does not provide MFA and it is possible to do so, using Entra ID Application Proxy is an option to make use of your Microsoft 365 credentials and MFA, effectively providing “Single Sign On” to your application.
All administrator and user (staff and students) accounts should have MFA applied, no exceptions.
By combining multiple forms of verification, MFA creates a layered defence that makes it much harder for attackers to compromise accounts or systems.
Similar to the previous table that showed how long it takes a hacker to brute-force your credentials, take a look at how the numbers change in this updated table:
And keep updated by joining the Jisc cyber community group. With more than 2,200 members, it’s a forum for sharing knowledge, best practice and threat intelligence for the benefit of the whole education and research sector.
Explore the latest cyber security technologies, innovations and future insights from both a national and international perspective at Jisc’s Security Conference 2024, 26-27 November, ICC Wales, and 28 November online.