Mitnick Security Blog - Cybersecurity News and Articles

8 Password Security Tips from Kevin Mitnick for Better Login Protection

Written by Mitnick Security | Jul 7, 2020 4:59:00 PM

When was the last time you truly considered your password strength and security? While password cracks don’t make the news quite as often as other breaches, they can compromise your systems all the same.

In fact, password hacks happen more often than you’d think, and they are much easier than the movies make them out to be: they are often carried out with commonly available software that anyone can purchase cheaply.

Here are eight password security tips from the world’s most famous hacker, Kevin Mitnick, and his Global Ghost Team:

1. Learn how password hacks occur.

Your users are often your company’s weakest link, and teaching your team how to avoid password-stealing ploys can drastically improve your defenses.

Hackers can obtain your credentials in a number of ways, but commonly through a practice called keylogging. Through a social engineering attack, your employees could accidentally download software that records their keystrokes, saving usernames and passwords as they enter them. Keystroke capturing and other forms of spyware are only one threat; the other is password-cracking programs, which run through letter and character combinations to guess passwords in seconds.

To help keep users secure, Security Awareness Training courses use live video demonstrations to educate employees on social engineering red flags. These online courses use tangible examples, even walking your team through graded exercises to assess their alertness, and are often a worthwhile investment of your team’s time.

2. Watch out for phishing scams.

Since malware is often spread by clicking an infected link, be on the lookout for suspicious emails. Infected hyperlinks can inject malicious software onto your device, allowing the bad actor to capture your information. Or, the link could send you to a phony webpage that looks like a login you know and trust but secretly captures your credentials as you type, an attack known as credential harvesting.

3. Stop reusing passwords.

This rule seems pretty straightforward. When you share the same password across different platforms, a hacker has a golden key that unlocks multiple doors. Once they get that master password, they’re “in” everywhere.

This is also true for slight variations of the same password. Once one password is known, it’s easy for a bad actor to guess permutations and patterns of the same credential. Instead of varying your passwords by one letter or number, keep them all notably different.

4. Follow strong password best practices.

Beyond not reusing passwords, you and your team should also be mindful of password strength.

In the embedded video above, Kevin Mitnick advises that a strong password policy configuration adhere to the following properties:

  • Passphrase usage instead of a “standard” password
  • Contains upper and lowercase letters
  • Contains numbers and symbols
  • Contains spaces

A passphrase utilizes multiple words often structured as a sentence. For example, “I went to the beach to ride a huge wave.” Kevin recommends using a passphrase of at least 30 characters instead of what we normally think of as a traditional password.

Following these recommendations, you may choose to take the passphrase, “be the change that you wish to see in the world” and enhance it to read, “Be The Change That Y0u W!sh To See !n The W0rld.” This replaces “i” characters with an exclamation point and “o” characters with zero and is significantly more complex than using the phrase in exclusively lowercase letters.

Here are a few additional technical controls from Kevin:

  • Change the password policy and complexity settings to force users to choose a pass-sentence (not a password) of at least 30 characters, without requiring numbers, special characters, or mixed case.
  • Ensure that all highly sensitive accounts use randomized passwords that are stored securely in a password manager solution.
  • Use a password manager, like 1Password, LastPass, or KeePass.
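Tips 3 and 4 together describe a policy a password-change form can enforce: a pass-sentence of at least 30 characters, and rejection of new passwords that merely reuse or slightly vary an old one (including the “Y0u W!sh” style substitutions shown above). The checker below is an added example, not code from Mitnick Security; the similarity threshold, the substitution table and the sample password history are assumptions chosen for the demo.

```python
from __future__ import annotations
import difflib

MIN_PASSPHRASE_LEN = 30   # at least 30 characters, per the technical controls above
MIN_WORDS = 4             # a pass-sentence, not a single token (assumed threshold)
SIMILARITY_LIMIT = 0.8    # above this the new phrase counts as a "slight variation" (assumed)

# Common substitutions ("Y0u W!sh") are undone before comparing, so a leetspeak
# rewrite of an old password is not accepted as a new one.
_DELEET = str.maketrans({"0": "o", "1": "i", "!": "i", "3": "e", "4": "a",
                         "@": "a", "5": "s", "$": "s", "7": "t"})

def normalize(text: str) -> str:
    """Lowercase the text and undo common character substitutions."""
    return text.lower().translate(_DELEET)

def similarity(a: str, b: str) -> float:
    """Similarity of two passwords in 0.0..1.0 after normalization (difflib ratio)."""
    return difflib.SequenceMatcher(None, normalize(a), normalize(b)).ratio()

def check_passphrase(candidate: str, previous: list[str] | None = None) -> list[str]:
    """Return policy violations for a proposed passphrase; an empty list means accept.

    previous: earlier passwords for the account, used to reject reuse and near-reuse.
    """
    problems = []
    if len(candidate) < MIN_PASSPHRASE_LEN:
        problems.append(f"too short: {len(candidate)} chars, need at least {MIN_PASSPHRASE_LEN}")
    if len(candidate.split()) < MIN_WORDS:
        problems.append(f"not a pass-sentence: fewer than {MIN_WORDS} words")
    for old in previous or []:
        if normalize(candidate) == normalize(old):
            problems.append("reuses a previous password (ignoring case and letter substitutions)")
        elif similarity(candidate, old) >= SIMILARITY_LIMIT:
            problems.append("too similar to a previous password")
    return problems

if __name__ == "__main__":
    history = ["be the change that you wish to see in the world"]  # constructed sample history
    for phrase in ["Summer2020!", "Be The Change That Y0u W!sh To See !n The W0rld",
                   "I went to the beach to ride a huge wave."]:
        print(repr(phrase), "->", check_passphrase(phrase, history) or "OK")
```

Note that the leetspeak-enhanced phrase from the example above is rejected when the plain phrase is already in the account’s history, which is exactly the “slight variation” case tip 3 warns about.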

5. Enact organization-wide password protection.

Perhaps the smartest investment you can make for better security is purchasing a password manager. This software can safely store usernames and passwords. All an employee needs is one strong master login to access this vault of credentials, and the system can integrate with your browser to autofill credentials online.

It’s important to note that even these password management systems aren’t safe if a hacker captures your keystrokes and gets your master password for logging into the manager. This is why we advise our next password security tip...

6. Use encryption and multi-factor authentication.

By protecting your stored passwords, you help ensure bad actors can’t steal your credentials even if they get hold of the database. You do this by hashing your passwords: a hash function converts each password into an unreadable string of characters that is specifically designed to be impossible to convert back to its original form. That’s because hashes are one-way and are not intended to be decrypted.
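To show what “hashing, not encrypting” means in practice, the added example below (not code from the original post) stores a per-user random salt and a PBKDF2-HMAC-SHA256 digest, verifies a login by recomputing the digest, and never stores or recovers the password itself. The storage format and the iteration count are assumptions for the demo.

```python
from __future__ import annotations
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value for the demo)
SALT_BYTES = 16       # fresh random salt per password, so equal passwords hash differently

def hash_password(password: str, salt: bytes | None = None, iterations: int = ITERATIONS) -> str:
    """Return a storable record "pbkdf2_sha256$iterations$salt$digest".

    The password itself is never stored; only the one-way digest is.
    """
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )

def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the record's salt and compare in constant time.

    There is no "decrypt" step: the only way to check a password is to hash the
    candidate the same way and compare.  Malformed records are rejected.
    """
    try:
        algo, iterations, salt_b64, digest_b64 = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        rounds = int(iterations)
    except (ValueError, TypeError):
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(actual, expected)

if __name__ == "__main__":
    phrase = "I went to the beach to ride a huge wave."   # constructed sample passphrase
    record = hash_password(phrase)
    print("stored:", record)
    print("correct passphrase verifies:", verify_password(phrase, record))
    print("wrong passphrase verifies:  ", verify_password(phrase.rstrip("."), record))
```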

Multi-factor authentication helps to ensure that even if a cybercriminal gets your login, they have to reconfirm using a second method. For instance, once the credentials are entered, multi-factor authentication may require the user to enter a code sent to the authorized user’s device. This second factor provides an additional layer of security even when the password itself has been compromised.

7. Improve your offboarding process.

Cyber threats don’t always happen from the outside. Your employees handle a lot of sensitive data, and oftentimes have access to dozens of applications and platforms housing a wealth of information.

If a disgruntled employee leaves on bad terms and isn’t offboarded properly, they could leak or steal private info, resulting in costly breaches or damaging reputational repercussions. Even amicable departures can lead to breaches if tempting information is only a few clicks away.

8. Watch out on public WiFi.

Bad actors can hack into open public WiFi networks or spoof one of their own. This enables them to capture your keystrokes or access valuable data on your device.

To learn more about WiFi dangers, check out our cyber privacy blog.

Beyond Password Protection

While password protection is important, it’s just one part of a larger holistic cyber security initiative. Test how easily your passwords can be hacked by hiring a professional security tester. Choose the best in the pentesting business to crack your toughest defenses: Kevin Mitnick and his Global Ghost Team. Explore our penetration testing services.