In October 1993 I was sitting in a van in dusty Namanga, Kenya. Namanga was the only legal border crossing between Kenya and Tanzania. It is next to Amboseli National Park and just to the west of Mount Kilimanjaro. My guide instructed our group to wait in the van with the windows up and the doors locked. The temperature was in the high 80s. There was no air conditioning. But more importantly, at this border crossing there was effectively no law. It was literally a sea of humanity pressing against the van windows. Our guide, John, took our passports, got out, and pushed his way through the crowd and into the Customs House. Thirty minutes later he was back, informing us that the Customs House had rejected his attempt to get us through the checkpoint.
Instead, they required that everyone get out, come in, and individually present themselves to the customs agent. John negotiated that down to having each head of household come in and process their family through.
Having the proper passports was not enough. The agent required another level of validation that we were legitimate.
It was probably one of the scariest things I ever did, but I got out of that van and pushed through the crowd and into the Customs House. The agent stamped my passports and back we went through the crowd to the van.
The same thing is now true of your users' passwords. What we thought was "good enough" is no longer enough. In most instances, our accepted basic standards are downright frightening.
For ages, we have been operating under the assumption that a good, strong password was a minimum of 8 characters, with upper and lower case, a number, and a symbol. This is now completely untrue.
There is something called rainbow tables. They are precomputed tables of password hashes covering an entire keyspace, built once and reused, so that recovering a password from a stolen hash becomes a lookup rather than a fresh round of guessing. They only work against hashes stored without a per-user salt, but plenty of systems still store passwords that way, and the same GPU hardware that builds the tables can brute-force a short password outright. Either way, the time to recover an 8-character password from a stolen hash is now measured in minutes.
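To make the rainbow-table point concrete, here is an added example (not code from the original post). A real rainbow table stores chains of hashes to save space; this script builds the full hash-to-password dictionary instead, which behaves the same way on the deliberately tiny keyspace used here (4 lowercase letters, MD5). It shows the unsalted lookup succeeding instantly, the same table failing against a salted hash, and the per-salt recomputation the attacker is forced into. The salt value and sample passwords are constructed for the demo.

```python
"""Precomputed lookup versus salted hashing (added example, not from the post).

A rainbow table front-loads the hashing work once and reuses it against
every stolen hash. A per-user salt invalidates that precomputation because
the attacker would have to rebuild the table for each salt.
"""
from __future__ import annotations

import hashlib
import itertools
import secrets
import string

# Deliberately tiny keyspace so the demo runs in about a second:
# 26**4 = 456,976 candidate passwords.
CHARSET = string.ascii_lowercase
LENGTH = 4


def md5_hex(data: str) -> str:
    # MD5 is used only because it is the classic fast, unsalted target of
    # rainbow tables; never use it for real password storage.
    return hashlib.md5(data.encode()).hexdigest()


def build_lookup(charset: str = CHARSET, length: int = LENGTH) -> dict[str, str]:
    """One-time precomputation: hash -> password for the whole keyspace."""
    return {
        md5_hex(candidate): candidate
        for candidate in ("".join(t) for t in itertools.product(charset, repeat=length))
    }


def reverse_unsalted(stolen_hash: str, table: dict[str, str]) -> str | None:
    """Against an unsalted hash, recovery is a single dictionary lookup."""
    return table.get(stolen_hash)


def hash_salted(password: str, salt: str) -> str:
    """Salted storage: the salt is mixed into the hash input and stored
    alongside it. The precomputed table above no longer covers this hash."""
    return md5_hex(salt + password)


def crack_salted_by_recompute(
    stolen_hash: str, salt: str, charset: str = CHARSET, length: int = LENGTH
) -> tuple[str | None, int]:
    """With the salt known (it is stored next to the hash), the attacker can
    still brute-force, but must redo all the hashing for this one salt.
    Returns (password or None, number of hashes computed)."""
    attempts = 0
    for t in itertools.product(charset, repeat=length):
        attempts += 1
        candidate = "".join(t)
        if md5_hex(salt + candidate) == stolen_hash:
            return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    table = build_lookup()
    leaked_unsalted = md5_hex("acme")          # constructed sample, unsalted
    print("unsalted lookup:", reverse_unsalted(leaked_unsalted, table))

    salt = secrets.token_hex(4)                 # constructed per-user salt
    leaked_salted = hash_salted("acme", salt)
    print("salted lookup with same table:", reverse_unsalted(leaked_salted, table))
    pw, n = crack_salted_by_recompute(leaked_salted, salt)
    print(f"salted recompute: {pw} after {n:,} hashes for this salt alone")
```

Each additional user with a distinct salt costs the attacker another full pass like the last one, which is exactly the work the rainbow table was meant to avoid.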
If you look at this table, you will see some very scary "time to hack" statistics. The figures assume an attacker who has stolen the password hashes and is cracking them offline with GPU hardware against a fast, unsalted hash; slow, salted password hashing (bcrypt, Argon2) multiplies every number below, but it does not change the shape of the curve.
Hive Systems Password Table
The time to hack our traditional 8-character password with complexity is now 5 minutes!
The time to hack 10-character passwords with complexity is now 2 weeks.
The time to hack 12-character passwords with complexity is now 226 years.
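The jump from 5 minutes to 226 years is not an accident of the hardware; it is what exponential growth in length looks like. Here is an added example (not from the original post, and not Hive Systems' methodology) that works the arithmetic for 8-, 10- and 12-character passwords over the 95 printable ASCII characters. The two guess rates are round, illustrative assumptions: 1e12 guesses per second stands in for a GPU rig against a fast unsalted hash, 1e5 per second for a slow, salted hash such as bcrypt at a typical work factor.

```python
"""Exhaustive-search time as a function of password length (added example).

The guess rates are assumptions chosen for illustration, not measurements
and not the figures behind the Hive Systems table.
"""

FULL_CHARSET = 26 + 26 + 10 + 33   # lower, upper, digits, printable symbols = 95
ALNUM_CHARSET = 26 + 26 + 10       # 62: "complexity" without symbols
FAST_HASH_RATE = 1e12              # ASSUMPTION: GPU rig vs. fast unsalted hash
SLOW_HASH_RATE = 1e5               # ASSUMPTION: slow salted hash (bcrypt-class)

SECONDS_PER_YEAR = 365.25 * 86400


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly this length."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst case: every candidate tried once. Expected time is half of this."""
    return keyspace(charset_size, length) / guesses_per_second


def human(seconds: float) -> str:
    """Render a duration in the largest unit that gives at least 1.0."""
    if seconds < 1:
        return "under a second"
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60), ("seconds", 1)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"  # unreachable, keeps type checkers happy


def length_vs_complexity(base_length: int = 8) -> tuple[float, float]:
    """How much extra work two more characters buy versus adding symbols.

    Returns (factor from adding 33 symbols at the same length,
             factor from adding two characters at the full charset)."""
    symbols_factor = keyspace(FULL_CHARSET, base_length) / keyspace(ALNUM_CHARSET, base_length)
    length_factor = keyspace(FULL_CHARSET, base_length + 2) / keyspace(FULL_CHARSET, base_length)
    return symbols_factor, length_factor


def report(lengths=(8, 10, 12, 14)) -> list[tuple[int, str, str]]:
    """Rows of (length, time at fast rate, time at slow rate)."""
    return [
        (n,
         human(seconds_to_exhaust(FULL_CHARSET, n, FAST_HASH_RATE)),
         human(seconds_to_exhaust(FULL_CHARSET, n, SLOW_HASH_RATE)))
        for n in lengths
    ]


if __name__ == "__main__":
    print(f"{'len':>3}  {'fast unsalted hash':>22}  {'slow salted hash':>22}")
    for n, fast, slow in report():
        print(f"{n:>3}  {fast:>22}  {slow:>22}")
    sym, ln = length_vs_complexity()
    print(f"\nadding symbols to 8 chars: x{sym:,.0f}; adding 2 chars: x{ln:,.0f}")
```

Every two characters of length multiply the attacker's work by 95 squared, a little over 9,000 times, which is why the table jumps from minutes to weeks to centuries. Adding a symbol class to an 8-character password, by contrast, buys roughly a 30-fold increase. Length is the lever; the hash algorithm sets where the curve starts.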
If you are not requiring 12- to 18-character passwords, you are a sitting duck for password compromise.
If this is you, your password policies have to be changed immediately, starting with the accounts that provide administrative access to your network and the users who touch personal information and money.
If you have implemented multi-factor authentication, you have already gone a long way toward shutting down this attack vector, but you still need to strengthen your password length. A cracked password cannot be used on its own against a login that enforces MFA, but it still opens anything that is not behind MFA, and any other account where that user reused it.
This is not optional.
If you need help resetting your granular password policies on your network or setting up MFA, give us a call.
-Scott Quimby, CISSP
P.S. The next CSI Cybersecurity Event is Wednesday, December 6th. Contact Lisa for details.