If you doubt the validity of this, just ask the folks over at the National Security Agency (NSA)… because this is exactly what happened to them back in 2013 and they are responsible for our national security.
HOW THE NSA GOT “SNOWDEN’ED”
In 2014, Wired magazine dubbed Edward Snowden “The Most Wanted Man in the World,” and if you’ve followed the news at any point in the last seven years (or perhaps saw the movie), you likely know of Snowden, the “notorious hacker” who used his skills to “steal NSA passwords” and was thereby able to infiltrate nearly all of their classified data network.
The sad truth is that descriptions of what Snowden did are often wildly inaccurate and misleading, if not just plain wrong. Was he a skilled hacker? Certainly. But he did not need to use his advanced hacking skills to accomplish his data breach (so as not to get sidetracked with all the details of Snowden’s NSA breach, here’s a link to more info if you want to learn about him).
First of all, it is important to note that Edward Snowden did not “steal passwords,” because he did not use any means of theft to obtain them. Of course, he must have gained them somehow because that’s how he got in. But how does one get an NSA agent’s password if not by stealing it? What ingenious tactic did Edward Snowden use to gain almost total access to one of the most classified data systems in the world?
He made a bunch of phone calls to NSA agents and asked for their passwords… that’s it. Seriously.
As impossible (and scary) as that seems, it is the absolute (and, again, scary) truth. Using the pretense that he was acting in his role as a System Admin and Data Analyst contractor for the NSA, Snowden called multiple NSA agents and simply told them he needed their login credentials… and at least twenty agents voluntarily provided him with those details. These were skilled intelligence/security professionals and trained government agents, and yet they gave up their keys to one of the most secure and sensitive archives of data in existence, over the telephone, without a second thought. As a result, the Snowden Breach now stands as a strong example of the potential damage that can result from an organization’s failure to implement and enforce (in writing) a password management policy.
THREE SIMPLE PRACTICES/POLICIES FOR PASSWORD SECURITY
In truth, password security (and, in turn, network/data security) is not complicated. In fact, it is by leaps and bounds far less complicated than dealing with the aftermath of an unauthorized data breach. There are three simple practices that should be included in any organization’s password policies, and we will look at all three here.
1. Unique Password Creation
For some reason, a lot of people are just the worst at coming up with unique and strong passwords. This may seem a bit farfetched until you consider that, as of the end of 2018, “123456” was the most used password for the fifth year in a row. System admins and cybersecurity experts have been warning people for years that this is the worst possible password anyone could use, and yet so many people still insist on using it. What they may not realize, of course, is that any would-be infiltrator attempting to guess a password always starts with “123456.” So please do not use it, and make sure your personnel are told not to use it. The second most used password? “Password,” which has held various spots among the top ten most popular passwords for many years. Third most used? “123456789.”
And people wonder why cybersecurity experts are so grumpy.
At the end of each year, many cybersecurity firms publish their lists of the 25 most popularly used passwords. One excellent practice is to locate and share one or more of these lists with your personnel at the start of each year, with instructions that any password listed is not to be used.
Another big issue with password creation is the use of names—children’s names, names of pets, celebrity names, city names, etc. In the SplashData list of the Top 100 Worst Passwords, at least 28 are names of people (both real and fictional) or pets or cities. The big problem with using names, especially familiar names, is due to the widespread use of social media. It is not all that difficult these days to find out the names of someone’s children or pets or favorite celebrities, because almost everyone posts about these sorts of things on Facebook, Twitter, etc. Therefore, please do not use names as passwords.
Now that we have covered what you should not do, let’s look at some things you should do. Many organizations focus heavily on setting up complicated “password rules/requirements” (forcing users to create passwords containing a number, symbol, different letter cases, etc.), and there is nothing wrong with that, necessarily, unless that is all they focus on. While these requirements can be helpful, they in no way guarantee users will create unique passwords. For example, “P@55word” meets the standard of nearly all those requirements. However, it is still just a variation on “password” and should not be used.
So… What to do?
One method is to make up a “nonsense” word that only you would know (e.g. “cabobble” / C@b0bbl3), or to make up a question/riddle/joke and create a unique password that answers it (e.g. “What happens when a car meets another car?” aCr@$h / “a crash”). It should go without saying that it would not be a good idea to copy/use the examples that were just given.
For those who still feel they are unable to invent their own unique passwords (or just don’t want to), there are a number of free and useful random password generators available online that can provide anyone with a strong password that meets almost any criteria.
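To make the point in practice that complexity rules alone let “P@55word” through while a blocklist check with leetspeak normalization does not, here is an added example in Python. It is not code from the original post; the common-password set, the name set and the substitution table are small constructed samples standing in for the published annual lists the post refers to, and the generator simply draws from the OS random source until a candidate satisfies the same checker.

```python
import secrets
import string

# Constructed sample blocklist: a few entries of the kind found in the annual
# "worst passwords" lists the post mentions (a real list would be much longer).
COMMON_PASSWORDS = {"123456", "password", "123456789", "qwerty", "iloveyou", "admin"}

# Constructed sample of names users often reach for (children, pets, cities).
NAME_WORDS = {"charlie", "bella", "london", "chicago", "max"}

# Common leetspeak substitutions, so that "P@55word" normalizes to "password".
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "5": "s", "$": "s", "7": "t"})


def normalize(password: str) -> str:
    """Strip trailing digits/symbols, lower-case, and undo leet substitutions.

    "Charlie2015!" -> "charlie", "P@55word" -> "password".
    """
    base = password.rstrip(string.digits + string.punctuation)
    return base.lower().translate(LEET_MAP)


def meets_complexity(password: str, min_len: int = 8) -> bool:
    """The 'rules/requirements' style check: length plus character classes.

    min_len defaults to 8 only to mirror the weak rule the post describes;
    a longer minimum is better, but it still would not catch "P@55word".
    """
    return (len(password) >= min_len
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def check_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if not meets_complexity(password):
        problems.append("does not meet length/character-class requirements")
    base = normalize(password)
    if base in COMMON_PASSWORDS or password.lower() in COMMON_PASSWORDS:
        problems.append("variant of a commonly used password")
    if base in NAME_WORDS:
        problems.append("based on a name (person, pet or city)")
    return problems


def generate_password(length: int = 16) -> str:
    """Draw a random password from the OS CSPRNG until it passes check_password."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    for sample in ("123456", "P@55word", "Charlie2015!", "Fl0rp!nkle9"):
        print(f"{sample!r}: {check_password(sample) or 'OK'}")
    print("generated:", generate_password())
```

Run as a script it reports that “P@55word” passes every character-class rule and is rejected only because its normalized form is on the blocklist, which is exactly the gap the post describes; rejecting by normalized form rather than exact match is what makes the blocklist worth having.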
2. Strictly Prohibit Password Sharing
Even the strongest password, no matter how unique, becomes totally useless the moment it is shared with anyone (no matter who that person is). This is why it is so very important that any password policy clearly states that sharing of login credentials is strictly prohibited, and that doing so could result in disciplinary action and even termination of employment. That may appear rather extreme until you consider the following scenario:
A terminated employee becomes disgruntled and wishes to do damage to the organization. His login credentials were disabled or deleted from the system. However, this person learned the login credentials of a coworker during his employment. That former coworker’s credentials are still valid, and because of this, the disgruntled former employee can use them to fraudulently access the system and delete, manipulate, or corrupt as many files as he wishes.
It’s simple—DO NOT SHARE PASSWORDS.
3. Regularly Scheduled Password Changes
Generally, a password becomes increasingly less secure the longer it is in continued use. Just following the laws of probability, the longer a specific set of login credentials exists, the higher the likelihood it has already been discovered by someone else or compromised in some way. Therefore, at minimum, any secure network should require its users to change their passwords every six months. However, requiring a password change every ninety days is considered the most preferable frequency. It is also important to set restrictions that prevent users from reusing passwords too often, for example a rule that prevents the past three previously used passwords from being repeated. Otherwise, many users will take the easy route and simply switch back and forth between only two or three familiar passwords.
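The ninety-day change interval and the “last three passwords may not be reused” rule above can both be enforced server-side without ever storing old passwords in the clear. The following is an added Python example, not code from the original post: it keeps a bounded history of salted PBKDF2 hashes per account, refuses a rotation that repeats a recent password, and flags a credential whose age has reached the limit. The iteration count is deliberately low so the example runs quickly; a production deployment would raise it.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta

HISTORY_DEPTH = 3          # previous passwords that may not be reused (the post's rule)
MAX_AGE_DAYS = 90          # the ninety-day interval the post recommends
PBKDF2_ITERATIONS = 100_000  # kept low for the demo; use a much higher count in production


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so old passwords are never stored in the clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordRecord:
    """Current credential for one account plus a bounded history of previous hashes."""

    def __init__(self, password: str, changed_on: date):
        self.history: list[tuple[bytes, bytes]] = []   # (salt, hash), newest first
        self.salt = secrets.token_bytes(16)
        self.hash = hash_password(password, self.salt)
        self.changed_on = changed_on

    def matches_recent(self, candidate: str) -> bool:
        """True if candidate equals the current password or one of the last HISTORY_DEPTH."""
        entries = [(self.salt, self.hash)] + self.history[:HISTORY_DEPTH]
        for salt, digest in entries:
            # Each entry has its own salt, so the candidate is re-hashed per entry.
            if hmac.compare_digest(hash_password(candidate, salt), digest):
                return True
        return False

    def is_expired(self, today: date) -> bool:
        """True once the current password has been in use for MAX_AGE_DAYS or more."""
        return today - self.changed_on >= timedelta(days=MAX_AGE_DAYS)

    def change_password(self, new_password: str, today: date) -> bool:
        """Rotate the password; return False (and change nothing) if it repeats a recent one."""
        if self.matches_recent(new_password):
            return False
        self.history.insert(0, (self.salt, self.hash))
        del self.history[HISTORY_DEPTH:]          # drop anything older than the rule requires
        self.salt = secrets.token_bytes(16)
        self.hash = hash_password(new_password, self.salt)
        self.changed_on = today
        return True


if __name__ == "__main__":
    # Constructed walk-through: one account rotating through several passwords.
    rec = PasswordRecord("Fl0rp!nkle9", date(2023, 1, 1))
    print("expired after 59 days:", rec.is_expired(date(2023, 3, 1)))
    print("expired after 90 days:", rec.is_expired(date(2023, 4, 1)))
    print("reuse current:", rec.change_password("Fl0rp!nkle9", date(2023, 4, 1)))
    for pw in ("Second#Pass22", "Third#Pass33", "Fourth#Pass44"):
        print("rotate to", pw, ":", rec.change_password(pw, date(2023, 4, 1)))
    print("reuse original (still in last three):", rec.change_password("Fl0rp!nkle9", date(2023, 4, 1)))
```

The comparison uses `hmac.compare_digest` so that checking a candidate against the history does not leak timing information, and each stored entry keeps its own salt, which is why the candidate is hashed once per entry rather than once overall.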
There are some who argue that regular password changes are not as important as in days past, and instead claim that choosing a strong, unique, and/or randomly generated password and sticking with it has been shown to be far more effective. However, there are others who claim that even the most secure password could become compromised and that changing passwords is the only way to be sure this risk is minimized. So perhaps it’s best to choose whichever strategy serves best for your environment.
Password security is any SaaS environment’s first line of defense against intrusion and/or a data breach. By following the simple guidelines explained in this blog, you can help to keep your organization’s data secure. With a policy that ensures the creation of unique passwords, demands they not be shared, and requires regular updates, you can greatly reduce the odds of a costly and potentially catastrophic data breach.