How To Create A Hack-Proof Password Dictionary

Password blacklisting, also known as dictionary checking, is a very important security measure to have in place for passwords. Dictionary checking prevents the use of common passwords like Password, Welcome, and Baseball. We all know these passwords are insecure and ineffective at securing a computer. So why are we allowing them on our network?

With the nFront Password Filter, two million words can be scanned against an end user’s password in less than a second to ensure that the password does not match a word in the dictionary file. Our dictionary file includes 27,000 words, but it is 100% customizable to the company. The dictionary check feature looks for a case-insensitive exact match (instead of a substring match) between the proposed new password and each entry in the dictionary. The question is: what do I need to include in my dictionary file so that those words are excluded from end-user passwords?

We receive this question on a weekly basis: “If I want to have dictionary checking and also allow users to create passphrases, will they be allowed to have passwords like I hate stupid passwords?” The answer is yes! You can configure the dictionary check to be disabled when a password is greater than a specific character limit. I would recommend 15 characters, since Rainbow Tables typically do not crack passwords that are 15 characters or more (read why here).

We understand that 27,000 words can be overwhelming to end users, and you might be afraid of end-user push back due to the new password policy. That is why I want to help you create a custom dictionary file that suits your company’s needs while still keeping your network secure. Please keep in mind that your dictionary file is only as strong as you make it: if you do not include words like Password, then your users will still be able to use them.

Here is what I suggest to customers when they are creating a custom password dictionary after they purchase the nFront Password Filter:

  • Include lists from recent breaches. Many times, passwords lists are released to the media. Use this to your advantage!
  • Include the Top 100 worst passwords. A new list is released at least once a year.
  • Vehicle Manufacturers and models (Ford, Toyota, Explorer, Prius, etc.)
  • Celebrity names (Donald Trump, Kardashian, Beyonce, etc.)
  • Animal Names (dog, cat, rabbit, monkey, etc.)
  • If you are inside the United States, I would suggest the following:
    • All of the states in the US
    • All of the cities in the US
    • All major sports teams
  • If you are outside of the United States, I would suggest the following:
    • All of the countries on your continent
    • All of the cities on your continent
    • All major sports teams
  • Include the Top 100 list of most popular names. This will be specific to where your company resides. For example, Samantha is a common name in the US, while Aarav is a common name in India.
  • Include everything about your company – the name, specific industry terms, location, words in the slogan, etc.

I hope this will help guide you in creating a hack-proof dictionary file!

The Secret Is Out… Here’s My Password

Have you ever wondered what the passwords are like for employees at an IT Security Company? Well, look no further! I am letting you know my password and how I created it. Of course, I did change it once I posted this infographic! Password Security should be one of your top priorities this year to ensure that your employees are no longer selecting bad passwords.


Passwords For Dummies

Are you struggling at work to create a password that won’t get you in trouble for being “too easy” or “too weak”? Or are you struggling to educate your employees on how to make a secure password so your company doesn’t get hacked? Either way… let this infographic be your inspiration for making a secure password. Each step of this password guide is based on facts.


23% Of All Data Breaches Occur In The Healthcare Industry

When it comes to records, what are some of the most personal and sensitive records associated with your name that could be detrimental if they were exposed in a data breach? You may be thinking of your IRS record, which includes your filing history, or of your checking and savings account information at the financial institution you bank with. However, I personally think that the most sensitive data associated with your name is your medical records. Your medical records include not just your medical conditions, allergies, and past surgeries, but also your social security number, date of birth, insurance information, and so much more. All of that combined can equal identity theft when your medical records are sold on the black market.


A recent study conducted by the Brookings Institution shows that 23% of all data breaches occur in healthcare. Furthermore, 155 million Americans have been affected by 1,500 data breaches in the past 6 years. In this past year, the number of victims has tripled.

According to IBM, the average cost of each breached record across all industries is $158. In the healthcare industry, however, the average cost per breached record is $363, the highest of any industry!

The leader of the Brookings Institution study, Niam Yaraghi, interviewed 22 IT professionals in the healthcare industry. They discussed lessons that they have learned from the outcomes of this study. Yaraghi concluded that the following are the reasons why the healthcare industry is more vulnerable to data breaches than other industries:

  • Health care data are richer and more valuable for hackers
  • Too many people have access to medical data
  • Medical data are stored in large volumes and for a long time
  • The health care industry embraced information technology too late and too fast
  • The health care industry did not have strong economic incentives to prevent privacy breaches

Furthermore, Yaraghi made the following policy recommendations so that healthcare organizations are not as vulnerable to these detrimental breaches:

  • Health care organizations should prioritize patient privacy and use the available resources to protect it
  • The Office of Civil Rights (OCR) should better communicate the details of its audits
  • Health care organizations should better communicate with each other
  • OCR should establish a universal HIPAA certification system
  • The health care sector should embrace cyber insurance

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in 1996. It consists of Title I and Title II. Title I describes health care access, portability, and renewability. Title II describes the administrative measures that protect against fraud and abuse. It seems that with the rise in data breaches for the healthcare industry, Title II is where IT professionals need to spend most of their time to revamp their network security. To learn more about the existing HIPAA regulations regarding technical safeguards, click here.


Although the Technical Safeguards section does not explicitly state what actions need to be taken to ensure a secure network, it provides these guidelines for the audit:

  • Access Control
  • Audit Controls
  • Integrity
  • Person or Entity Authentication
  • Transmission Security

It is the job of the IT Administrator, or a person in a similar position, to interpret these guidelines and create a secure network environment for the employees and patients who have records on their network. “Person or Entity Authentication” refers to the username and password that an employee enters when accessing the company network. Employee usernames are often in a specific format, such as Mark Simpson = MSimpson. Passwords, however, must be complex and secure so that hackers are not able to breach the network. A recent study shows that 63% of all data breaches were caused by weak, default, or stolen passwords. That’s over half!

With the evidence provided in this post, this should be enough motivation for IT professionals, not just in the healthcare industry but in all industries, to increase their network security. Weak passwords are the #1 reason why healthcare organizations are being hacked. Are you in the healthcare industry, and do you have software in place to prevent weak passwords like Password1 and Summer2015? If you’re not on the list below, then that’s a NO! Windows Password Complexity allows both of these passwords.

Numerous healthcare organizations have already adopted the nFront Password Filter to prevent weak and easily hacked passwords on their network; it’s time for you to as well!

Here are a few of our customers that are in the healthcare industry who currently use our software:


Why the Windows Password Policy is Not Enough

First and foremost, I would like to point out that a password policy is only as good as the settings that you select. For example, you could pay a company millions of dollars for the most secure password policy in the world, but if you do not enable the settings that make a password secure, the policy is pointless. Furthermore, if you are comfortable with your users having the following password requirements, then the default Windows Password Policy is for you:

  • Minimum of six characters long
  • Contain at least three of the following four character types: uppercase letters, lowercase letters, numbers, and special characters
  • Does not contain the user’s name

With the previous password policy, these passwords would be allowed:

  • Password123
  • NYMets1
  • MyWifesName1
  • Abc123
  • Januarypw1

Do any of these seem like secure passwords? No. But they are being allowed under the Windows Password Policy. The basic password policy in Windows dates from the first release of Windows NT in 1993, and in Windows 2000 a “password complexity” rule was added. I think we can all agree that this does not sound like an up-to-date password policy.

According to the 2015 Trustwave Global Security Report, 77% of passwords hacked were in compliance with the Windows Active Directory password policy. This should be enough of a reason for you to enforce a more secure password policy for your company. Here are the minimum recommendations that we suggest:

  • Minimum of 15 characters long
  • Require all 4 character sets
  • Require a password change every 90 days
  • Enforce a password history of the past 12 passwords
  • Enforce a minimum password age of 1 week
  • Enforce a dictionary check for each password

Here are some insights on why I suggested the above bullet points:

  • Passwords that are 15 characters or greater are the most secure to use because of how the passwords are stored on a network. Read how they are stored here.
  • When you require all 4 character sets, you are preventing a user from selecting an easy password since they are having to use upper and lowercase letters, numbers, and special characters. Requiring all 4 also increases the password’s entropy. If you are not familiar with entropy, read more here.
  • Although there are many articles recently mentioning that users should only change their password once a year, we do not agree. Updating your password ensures that a hacker will never have enough time to crack your complex password.
  • Enforcing a password history of 12 and a minimum password age of 1 week work hand in hand with each other. Remembering the last 12 passwords helps to ensure a user will not select the same exact password. Enforcing a minimum password age of 1 week helps to ensure that a user will not sit at their computer and in 5 minutes have cycled through 12 password changes to keep their initial password.
  • Enforcing a dictionary check for each password will prevent easy words like password, summer, and other common words from being used as a password. It is also a good idea to customize the dictionary checking to include your company’s name, industry-specific terms, and local sports teams.

Microsoft Password Complexity does not allow a company to go to the extent of our recommended password settings. Our recommendations are here to help guide you towards a more secure policy that will decrease your risk of being the victim of a data breach. All of these recommendations that I suggested can be fully executed with the use of the nFront Password Filter software.
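To see the difference concretely, here is an added example (not Microsoft’s or nFront’s code) that applies the default rules as this post summarises them, and the recommended minimums, to the sample passwords listed above; the username and the small dictionary are constructed. Real Windows complexity also counts Unicode letters as a category and checks display-name tokens, so this models only the post’s description.

```python
# Added example, not Microsoft's or nFront's code: the default Windows rules as
# the post summarises them, beside the post's recommended minimums. The
# password-history and minimum-age rules are server-side state and are not
# modelled here.
import string

# Constructed stand-in for a real dictionary file (lower-cased whole strings).
SAMPLE_WORDS = frozenset({"password", "password123", "nymets1", "abc123"})


def character_sets(password: str) -> int:
    """Number of the four character sets (upper, lower, digit, special) present."""
    present = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return sum(present)


def windows_default_ok(password: str, username: str) -> bool:
    """Post's summary of default complexity: 6+ chars, 3 of 4 sets, no username."""
    return (len(password) >= 6
            and character_sets(password) >= 3
            and username.lower() not in password.lower())


def recommended_ok(password: str, username: str,
                   words: frozenset = SAMPLE_WORDS) -> bool:
    """Post's minimums: 15+ chars, all 4 sets, no username, not in dictionary.
    Caveat: pairing a 15-char minimum with a 15-char passphrase exemption for
    the dictionary check would make that check a no-op, so no exemption here."""
    return (len(password) >= 15
            and character_sets(password) == 4
            and username.lower() not in password.lower()
            and password.lower() not in words)


def compare(passwords, username: str = "MSimpson") -> dict:
    """Map each password to (allowed_by_default, allowed_by_recommended)."""
    return {p: (windows_default_ok(p, username), recommended_ok(p, username))
            for p in passwords}
```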


10 Interesting Facts About Hackings

The hacking industry is one of the most profitable industries in the world. Each week we receive news of new hackings, or learn that last week’s hack was more devastating than previously reported. Business Insider reports that some hackers make more than $80,000 a month! We are in the year 2016, and it is time for society to start making smarter choices with its security practices!

Here are a few quick tips for individuals:

  • Don’t share your password for any account that you have. In most cases, you are using that password across multiple websites, and an acquaintance could access other websites that you would not want him/her to access.
  • Don’t use easy passwords for any of your banking, social media, email, insurance, or any other personal accounts that you have. Easy passwords are very simple for a hacker to crack.
  • Use platforms like “Have I Been Pwned” to see if your accounts have been hacked.

Here are a few quick tips for companies:

  • Educate employees on email phishing, social engineering, and security best practices.
  • Create a password policy that does not have to be manually enforced. Use a tool, like a password filter, that requires employees to create strong passwords so the company does not fall victim to a data breach.
  • Have penetration tests regularly conducted to ensure that there are no vulnerabilities in your network.
