Time to Upgrade Password Security
At this point, everyone knows the basic rules for good passwords. They are ingrained into us early in our security careers. One of our engineers even has a poster of them in his baby’s nursery.
Minimum of 8 characters
At least one number
At least one capital letter
At least one special character
Perhaps, however, it is time for an upgrade. Although these rules are prevalent, they are incomplete and, in practice, ineffective. For example, as security engineers, we look at these rules and generate the password /(b"Z%Py5)fF?RpU while general employees look at these rules and create the password Password1!. Clearly, there is a discrepancy in how these rules are applied.
These rules are the compliance standard, but they represent only the bare minimum for password security. Organizations that want to stay ahead of the game should consider further measures to improve the quality and security of internal passwords.
Some popular options are:
Increase the minimum number of characters to 10 or 12.
Blacklist any passwords that have been disclosed in data breaches.
Blacklist a custom dictionary of passwords that are unique to your organization, such as the company name, CEO’s name, street address, etc.
Enforce two-factor authentication, which adds a second step to the authentication process, such as a secure code sent to a mobile or authenticator device, biometrics, or other methods.
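The following added example (not code from this article) shows how the first three options change the outcome for the two passwords quoted above: Password1! satisfies the four baseline rules but is rejected by the upgraded check. The breached list and organization terms are small constructed placeholders, the function names are hypothetical, and the character-substitution normalization goes one step beyond what the article lists.

```python
import re

# Constructed sample data (assumptions for illustration only).
BREACHED = {"password1!", "qwerty123!", "welcome2021!"}  # stand-in for a breach corpus
ORG_TERMS = {"acme", "janedoe", "mainstreet"}  # hypothetical company, CEO, street

# Undo common character substitutions before dictionary matching.
LEET = str.maketrans("@4$51037", "aassioet")


def legacy_ok(pw):
    """The four baseline rules: 8+ chars, a digit, a capital, a special."""
    return (len(pw) >= 8
            and re.search(r"\d", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def normalize(pw):
    """Lowercase, reverse substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def upgraded_check(pw, min_len=12):
    """Return the reasons a password is rejected; an empty list means accepted."""
    reasons = []
    if not legacy_ok(pw):
        reasons.append("fails baseline rules")
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if pw.lower() in BREACHED:
        reasons.append("appears in breached-password list")
    hits = sorted(t for t in ORG_TERMS if t in normalize(pw))
    if hits:
        reasons.append("contains organization term: " + ", ".join(hits))
    return reasons


if __name__ == "__main__":
    for candidate in ["Password1!", "Acm3-Summer2021!", '/(b"Z%Py5)fF?RpU']:
        print(candidate, "->", upgraded_check(candidate) or "accepted")
```

In production the breached set would be replaced by a lookup against a full breach corpus rather than an in-memory set.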
Passwords are still the most prevalent form of authentication and are unlikely to truly disappear anytime soon. Thus, it is important to stay on top of password security to avoid becoming the latest victim in security news.
The Federal Government is continuing its fight against the rise of ransomware, including offering financial rewards of up to $10 million for information about ransomware organizations sponsored by foreign governments.
Threat actors are actively exploiting unpatched Secure Mobile Access and Secure Remote Access products from SonicWall. SonicWall is recommending immediate action for affected customers.
Microsoft released patches for four zero-day vulnerabilities that were being actively exploited, including the “PrintNightmare” vulnerability that has been making headlines over the past two weeks. CISA is pushing federal agencies to apply the patch immediately, as exploits of this issue can lead to full system compromise.
Microsoft’s print problems continue as a new Windows Print Spooler service vulnerability has been identified. There is currently no available patch for this issue, which allows local privilege escalation and can be used to perform unauthorized actions on the system. For more information on this new issue, see Microsoft’s detailed description.