Deep Dive on Password Best Practices

On Tuesday, I attended a wonderful talk by Roger Grimes. The title of the webinar was A Master Class on Cybersecurity: Password Best Practices. Roger is very knowledgeable and a great resource for this information, but he talks fast. I really enjoyed the webinar, but it was an hour long and Roger fit a lot into that hour. For those who watch the above free webinar, provided by BrightTalk and (ISC)2, I thought I would provide some helpful links and videos to follow along with. First, be sure to download the slides from Roger's talk via BrightTalk.

Roger shows several Kevin Mitnick hacks during the webinar. Here is the link to the No Link or Attachments Necessary hack; unfortunately it is not on YouTube, so no embedding. Kevin is the "Chief Hacking Officer" at KnowBe4, the same company Roger Grimes works at.

After the talk I also looked up my email address on haveibeenpwned.com. No surprises here. My email was in several breaches.

If they have your username, they have half the puzzle (assuming you are not using any kind of two-factor authentication, 2FA, which most people are not). Now all they have to do is guess your password. If your password is on this list, Top 200 most common passwords, you're screwed: this is exactly the kind of list that attackers try first, along with trivial variations of each entry, long before they bother with any real brute force.
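To make the "attackers try this list first" point concrete, here is an added example of my own (not material from Roger's webinar or Kevin's videos) showing a dictionary attack against a constructed breach dump of unsalted SHA-1 hashes. The wordlist, the usernames, the leaked hashes and the handful of "mangling" rules are all made up for the demonstration; the real Top 200 list is longer, and real cracking tools ship with far larger rule sets, but the mechanics are the same.

```python
import hashlib
import secrets
import string

# Constructed stand-in for a "most common passwords" list. The real Top 200
# list the post links to is longer, but an attacker uses it the same way.
COMMON_PASSWORDS = [
    "123456", "password", "123456789", "12345678", "qwerty",
    "abc123", "111111", "iloveyou", "admin", "letmein",
]


def sha1_hex(text: str) -> str:
    """Unsalted SHA-1, the kind of fast hash that turns up in breach dumps."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


# Constructed breach dump (username -> unsalted SHA-1 of the password), the
# shape of data that circulates after a site with weak password storage leaks.
LEAKED_HASHES = {
    "alice": sha1_hex("password"),           # straight off the list
    "bob": sha1_hex("Qwerty123"),            # list word plus a "clever" tweak
    "carol": sha1_hex("letmein1!"),          # same idea, different suffix
    "dave": sha1_hex("9Xq#Lm2!vT8pR@wZ"),    # random, manager-generated style
}


def mangle(word: str):
    """Yield a word plus a few of the transformations cracking tools apply to
    every wordlist entry (a tiny stand-in for hashcat/John rule files).
    Capitalising and appending '1' or '!' does not move a password off the
    attacker's first pass."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "!", "123", "1!"):
        yield word + suffix
        yield word.capitalize() + suffix


def dictionary_attack(leaked: dict, wordlist: list) -> dict:
    """Hash every candidate once, then look each leaked hash up: this is why
    a list of 200 common passwords cracks a big dump in well under a second.
    Returns {username: recovered_password} for the accounts that fall."""
    table = {sha1_hex(cand): cand for word in wordlist for cand in mangle(word)}
    return {user: table[h] for user, h in leaked.items() if h in table}


def is_common(password: str, wordlist=COMMON_PASSWORDS) -> bool:
    """What a user can check before an attacker does: is this password, or a
    trivial variation of it, on the list that gets tried first?"""
    return any(password == cand for word in wordlist for cand in mangle(word))


def generate_password(length: int = 20) -> str:
    """What a password manager does for you: a long, random, per-site secret
    that no wordlist or rule set reaches."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    cracked = dictionary_attack(LEAKED_HASHES, COMMON_PASSWORDS)
    for user, pw in cracked.items():
        print(f"{user}: {pw}")
    print("dave cracked?", "dave" in cracked)
    candidate = generate_password()
    print("manager-style password on the list?", is_common(candidate))
```

Run it and three of the four constructed accounts fall immediately, including the two that "improved" a list word with a capital letter and a suffix; only the random 16-character password survives. The same attack against a site that salts and uses a slow hash (bcrypt, scrypt, Argon2) is far more expensive per guess, but the user-side lesson is unchanged: if the base word is on the list, the password is gone.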

How do you make a more secure password, then? I'll let Kevin touch on this:

How Easy It Is to Crack Your Password

It is really even easier than that! If you just ask, chances are people will freely give you their password:

What’s Your Password?

Okay, so let's assume you are smarter than these folks and can keep from freely telling people. But can you? You may be doing it indirectly. According to a research paper from Google, 20% of the answers to recovery questions (the ones you set up for the Forgot Password link on many websites) can be guessed by an attacker. Worse, while the attacker can guess them, 40% of users can't remember their own answers, according to the same paper! And when guessing fails, social media often does the rest: 16% of answers can be found there. An attacker who can answer your recovery question does not need your password at all.

My suggestion: use a password manager. Then you say, what about LastPass? You have a point, but how often are password managers breached? Not as often as the other 100 sites you log into with a password, and a manager lets each of those sites get its own long, random password, so one breached site does not hand the attacker the rest. Password managers are still a good choice. In addition to your password manager, why not try some 2FA hardware?

You Should Be Using Yubikeys!

Be safe out there folks!