Cyber Sec

4.3.23 > David La Belle

The internet was “officially” introduced to the public in 1993. Since then, the integration into society —along with the size, scope, and complexity of the systems — has been parabolic. And while the sophistication and abilities of the tools we use to protect our infrastructure have increased, the challenges we encounter when building and maintaining those systems are truly basic.

Let’s take passwords for example. To appease the user and provide an “easy” experience, many password policies require a minimum of an eight-character password, which I (and a smart fifth grader) could crack, regardless of how complex, in less than three hours with the right graphics card. And once I crack it, I could probably get into their other accounts, because as we know, many people re-use their password from site to site. You know who you are.

In contrast, it would take the same graphics card five months (~3600 hours) to crack an 18-character password with only numbers and no complexity. That’s nearly 120,000 percent longer – and all we need to do is add 10 characters. Seems like a sensible thing to do…

So, how does all this affect systems security? Well, we need to consider two sides. How are organizations building out their password functionality for users? How is the user managing their passwords?

Given that we are unable to provide input to all the systems we touch, let’s focus on what we as the user can do to decrease our risk.

Does your organization (or whatever site you are going to) allow you to use spaces and create passphrases? Yes? Do it. Passphrases allow you to create a longer authentication response, increasing the number of characters and turning your password into an easy to remember sentence, significantly increasing the security.

Do you have the option of Multi-Factor Authentication (MFA)? Yes? Do it. As it has become easier to crack passwords, it has become more common to use secondary forms of authentication. Implementations can vary, using the customer’s phone number or email to send a unique code or an authenticator system, but the result is similar.

Do you use a password manager? No? Start. Over the last decade, password managers have become a common way to store complex passwords without having to commit them to memory. Password managers allow you to increase the length, complexity, and uniqueness of passwords used for each account, permitting you to create account specific passwords so you (or someone you know, because you would never) don’t use the same one for multiple sites – further compromising your security.

Do you have a hardware security token? Yeah, me too, but make sure your friends know about them. Hardware security tokens have become more popular with the need to ensure the highest level of trust in the authentication process. They store credentials within the device, requiring it to be present during authentication process.

While the expectation is that systems should have requirements that match the level of security needed, the reality is many systems are not up to the task just yet – and we as users need to do our part to protect ourselves too.

Do you use a security token along with MFA and password manager? If so, you likely didn’t need to read this.

For the rest of you – think about how you are managing your authentication and help protect yourself.

 

David La Belle > Security Analyst, Charter Solutions

David La Belle began his technology career with the United States Marine Corps. During his service he was tasked with various rolls within the technology field for Department of Defense (DOD), aviation, and civilian systems. He was responsible for managing more than 1 million dollars in assets spread across several continents, serving two tours in Iraq.

You can connect with David at https://www.cybersecuritysummit.org/speakers/david-la-belle/ and on Linkedin at

https://www.linkedin.com/in/david-la-belle/