Even this era of near-daily data breach headlines, the Collection 1 trove gives one pause. What is being called the largest public breach ever is apparently just the tip of a gargantuan, 4TB iceberg of unique emails and passwords, all available to hackers worldwide at a cost of just $45 for lifetime access.
Are your login credentials in there? You can check here, and don’t be surprised if the answer is yes. After all, the database may contain some 2.7 billion records. (See also: The Collection #1 Breach – Should You Worry?)
The Danger of Ignoring Password Hygiene Guidance
Users continue to ignore basic password hygiene guidance despite the obvious risk. It’s understandable… strong passwords can be hard to remember, leaving people locked out of accounts. Reusing familiar old passwords can be a hard habit to change.
But as with breaking any bad habit, it can be helpful to get some support—like, in this case, a password manager. But you know this already! The question is do your users actually use one.
With a password manager you can also easily use passphrases, such as memorable lines from your favorite novel; e.g., “The-Last-Camel-Collapsed-at-Noon.” Just be sure not to reuse passphrases, especially across sensitive services like financial apps.
If you’re cleaning house thanks to motivation after the Collection 1 Breach, the other basic authentication hygiene tip, of course, is to use two-factor authentication and/or encryption wherever possible. Both of these make it much harder to steal your credentials, even if a hacker somehow obtains your username/password combination.
If you’re responsible for supporting password hygiene within a user community, be sure to look at the latest guidelines from NIST on what constitutes good password practices, given the realities of human nature. Recent research shows, for example, that:
- Weak passwords – Due to the power of current password cracking tech, use of a mix of character types, like uppercase and lowercase letters, numbers, symbols, etc. isn’t as useful initially thought, while the impact on usability is major. (This is why P@$$w0rd! is predictable and thus a weak password.)
- Length – Users should be encouraged to make their passwords as long as they reasonably can.
- Randomness – If the length exceeds 8 characters, randomness is really what’s critical to avoid cracking.
To talk over a best-practice approach to user authentication that is right for your organization or application, contact Pivot Point Security.