The year of the P@ssw0rds!

Peter Fortunato, Risk & Business Advisory Manager
June 2017

Among the many surprises in Verizon’s 2017 Data Breach Investigations Report is that password compromises have now overtaken personal data breaches as the most frequent form of data compromise. Over 1 billion passwords were compromised in 2016, adding to the extensive list previously compromised and posted online. Yet many of us carry on as usual, keeping only a simple username and password between the world and our sensitive data. With numerous accounts to remember across the many online applications we access each day, for both work and home, there is a high probability of reusing the same username/password combination on different websites, compounding the concentration risk if that password is compromised.

How ‘complex’ is this problem?

Most of us are familiar with the concept of ‘complex’ passwords: at least eight characters, a combination of uppercase, lowercase, numbers, and symbols, and a mandatory change at some defined interval. However, the intent of this control can be quite easily defeated with a simple algorithm: use the season with a capital letter, the current year, and a punctuation symbol. A user required to change a password every 90 days could use “Winter2017!”, then “Spring2017!”, and so on, producing a ‘complex’ password that is easily remembered. (NOTE: Don’t try this.) Unfortunately, it is very likely that someone within your organization is using this password scheme right now and putting your information security at risk. Since operating systems are not yet sophisticated enough to check passwords for dictionary words, a commercial password testing solution is needed to identify users with easily derived passwords and address this vulnerability. This is of heightened importance when entities rely on single-factor authentication to control remote access to email or VPN connections.

Password recommendation changes on the horizon

Relatedly, the National Institute of Standards and Technology (NIST) has presented a draft update to its password recommendations. This revision to prior guidance recognizes that making password creation more difficult for end users does not always make passwords more difficult for the hacker. NIST is proposing that users not be forced to change passwords unless the password has likely been compromised; the guidance discourages password hints that prompt users to remember a previously set password, and does away with password composition rules (i.e. complex password requirements).

In exchange, NIST proposes changes that make passwords much harder to crack: “memorized secrets” of at least 8 characters that are more akin to a sentence than a word, allowing much longer, sentence-like pass phrases, together with screening out words found in the dictionary and commonly used passwords. You can also expect the PINs for tablets and phones to increase from 4 to 6 random digits, since adding two digits dramatically increases PIN strength. The new guidance would also prohibit password hints, as these greatly weaken authentication and can often be deduced or found through searching online.
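The screening NIST describes, applied to the season-plus-year scheme from the previous section, as an added example that is not part of the original article or any NIST publication. It assumes small constructed stand-ins for the breached-password corpus and dictionary a real deployment would load, and it undoes common symbol substitutions so that “P@ssw0rd” is screened as “password”.

```python
import re

# Constructed stand-ins for the blocklists a deployment would actually load
# (assumption: a breached-password corpus and a full dictionary).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}
DICTIONARY_WORDS = {"winter", "spring", "summer", "autumn", "fall",
                    "password", "welcome", "company", "secret", "monkey"}

# Symbol/digit substitutions undone before matching, so "P@ssw0rd" is
# compared as "password" rather than passing as a novel string.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "$": "s", "7": "t"})

# The season + year + punctuation scheme described in the article.
SEASON_YEAR = re.compile(
    r"^(winter|spring|summer|autumn|fall)\W*(19|20)\d{2}\W*$", re.IGNORECASE)


def letter_stems(secret):
    """Letters-only forms of the secret, with and without leet undone."""
    lowered = secret.lower()
    return {re.sub(r"[^a-z]", "", lowered),
            re.sub(r"[^a-z]", "", lowered.translate(LEET))}


def screen_secret(secret, min_length=8):
    """Return the reasons a memorized secret should be rejected; an empty
    list means it passes the length and blocklist screening."""
    reasons = []
    if len(secret) < min_length:
        reasons.append("shorter than %d characters" % min_length)
    lowered = secret.lower()
    if lowered in COMMON_PASSWORDS or lowered.translate(LEET) in COMMON_PASSWORDS:
        reasons.append("commonly used password")
    elif letter_stems(secret) & DICTIONARY_WORDS:
        reasons.append("dictionary word padded with digits or symbols")
    if SEASON_YEAR.match(secret):
        reasons.append("season plus year pattern")
    return reasons


def pin_keyspace(digits):
    """Number of possible PINs of a given length: 4 -> 10,000, 6 -> 1,000,000."""
    return 10 ** digits
```

A long pass phrase such as “correct horse battery staple” passes every check here even though it contains no digits or symbols, which is the point of dropping composition rules in favour of length and blocklists.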

What you should do

Fostering good security practices at work and home requires the separation of work and personal login credentials; specifically, never reusing passwords across the two domains. Encourage the use of multi-factor authentication for personal email and social media accounts to ensure that compromised credentials do not expose data to unauthorized users; the same recommendation holds true for remote access at work.

Reused usernames and passwords become a single point of failure should any part of your online presence become known to others. This is true for the one-time logins we create for webinars, but becomes far more significant for our email and social media accounts. Online logins, such as for banking, are best if they do not use your email address (which is easily found online), and a different password should be used for each institution. Consider a separate email account dedicated to password resets, protected by a longer, more challenging password and multi-factor authentication.

Following the above guidance leads us back to the fundamental question of how to manage all these login accounts in the first place. Numerous password repository solutions exist, ranging from free to commercial-grade; some are even bundled with popular antivirus products. While there are risks to storing everything in one repository, these risks can be mitigated if the repository is properly secured with multi-factor authentication. For extra security, sensitive passwords in the repository may have missing or obscured components, such that a mnemonic formula is required to complete the secret. Strategically employing such a tool reduces the risk that a single online compromise will affect every aspect of your Internet-accessible data: it mitigates concentration risk and lets users avoid reusing passwords across numerous, and perhaps tenuously secured, websites.


Recovering from the loss of a credit card is a mere inconvenience, but the damage from a credential compromise can be far worse. Breaches may go undetected for long periods of time, and damage from exfiltrated information is neither easy to trace nor possible to undo. When unauthorized individuals use the simplest means to access information, the first line of defense is equally simple: shore up passwords. A combination of end user education, multi-factor authentication for externally accessible data, better password management, and longer password secrets all contribute to maintaining secure access to your organization’s online resources.

If you have any questions or would like to discuss this article further, please contact Peter Fortunato at 1.800.244.7444.

Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.