
Cyber Awareness Month: Password best practice


October is Cyber Awareness Month, and the Australian Government has identified three critical basic areas for focus. These three simple steps can block or reduce 85 to 90 per cent of the impact of main attacks on small law firms* – a lot of protection for not a lot of effort.

Last week, we considered critical area one: Keeping software up to date. This week we look at user authentication – steps to ensure that passwords are strong and are stored and used appropriately. We will also look beyond passwords to other authentication technologies that may be safer.

Why is good password selection and use important?

While statistics vary widely, more than half of attacks on small business involve forced or stolen passwords.1

Passwords can be forced if they are too short or simple, allowing software to try millions of combinations until the correct one is found.

Each year, Hive Systems estimates how long current attack software would take to guess a random password, based on its length and complexity. The current estimate is that a 14-character random string containing numbers, upper and lower case letters and (preferably) some symbols should be safe for the next few years at least.

A non-random password can be cracked nearly instantly if it contains word elements (such as your favourite sports team, pets or children’s names) and number elements (birthdays, anniversaries), which can be researched easily using your social media or information purchased from a data broker.2


Similarly, the use of a single word greatly reduces the challenge for the hacker, even if you throw in some numbers or symbols. A 14-character word can be forced in somewhere between 0.33 seconds and 8 minutes,3 while a 14-character complex random string can hold out longer than the estimated death of the sun at 2025 technology levels.

A password can be “stolen” in a number of ways:

  • A ‘phishing’ campaign can trick a user into supplying it.
  • Malware installed on a device can record the password as it is entered.
  • A website may store the password without encrypting it, and the site is subsequently hacked.

There are currently billions of stolen username/password combinations for sale on the dark web. It is highly likely that at least some of yours are included. If you use the same or similar passwords over time or – even worse – for online shopping and work accounts alike, eventually one of those stolen passwords will be used to hack your accounts.

How do I ensure my passwords are secure?

If you are running a law firm, you need a password selection and use policy. (See the QLS template policy here).

The template explains the importance of good password practices and suggests how a strong password can be selected, especially for the most sensitive accounts.
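A policy can be checked mechanically rather than by eye. The following is an added example (not the QLS template) that applies the points made above about length, character mix and word-based passwords: it flags a password built from dictionary words plus digits, and estimates the worst-case time to exhaust the keyspace of a random string of the same length. The guess rate and the tiny embedded word list are assumptions standing in for a real GPU rate and a million-entry list.

```python
import re

OFFLINE_GUESSES_PER_SEC = 1e11          # assumed high-end GPU rate against a fast hash
SECONDS_PER_YEAR = 365.25 * 24 * 3600
MIN_LENGTH = 14                          # the article's recommended minimum for random strings

# Constructed stand-in for a large cracking word list.
WORD_LIST = {"real", "madrid", "ronaldo", "password", "brisbane", "lawyer", "solicitor"}


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must cover for a random string like this one."""
    size = 0
    if re.search(r"[a-z]", pw): size += 26
    if re.search(r"[A-Z]", pw): size += 26
    if re.search(r"[0-9]", pw): size += 10
    if re.search(r"[^A-Za-z0-9]", pw): size += 33   # printable ASCII symbols
    return size


def brute_force_years(pw: str) -> float:
    """Years to try every string of this length over this alphabet at the assumed rate."""
    return charset_size(pw) ** len(pw) / OFFLINE_GUESSES_PER_SEC / SECONDS_PER_YEAR


def _segments_into_words(letters: str) -> bool:
    # True if the whole string splits into dictionary words (e.g. real+madrid+ronaldo).
    if letters == "":
        return True
    return any(letters[:i] in WORD_LIST and _segments_into_words(letters[i:])
               for i in range(1, len(letters) + 1))


def is_word_based(pw: str) -> bool:
    """Dictionary words glued together with digits/symbols crack in seconds, not years."""
    letters = re.sub(r"[^a-z]", "", pw.lower())
    return letters != "" and _segments_into_words(letters)


def check_policy(pw: str) -> list:
    """Return the policy rules the password breaks; an empty list means it passes."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("too short")
    if charset_size(pw) < 62:
        failures.append("needs upper, lower and digits")
    if is_word_based(pw):
        failures.append("built from dictionary words")
    return failures
```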

If remembering 15-character random strings of letters, numbers and symbols is not your party trick, consider a password manager. This should be a standalone system, not the “would you like to save your password?” feature in your web browser.4


Respected password managers include Bitwarden, 1Password, Dashlane, Keeper, NordPass, LastPass, KeePass and Proton Pass.5

Passwords are being superseded but remain important.

Many businesses are moving away from passwords as the primary means of verifying user access, but passwords will remain a significant feature of our lives for some time yet.

Even if some other form of verification becomes the primary entry method, a password as backup is usually required.

Password alternatives include:

  • Passkeys: Promoted by Apple, Google and Microsoft, this is a system that saves a digital key onto your trusted device, such as a mobile phone. The key can be used to unlock a matched account, usually triggered using a fingerprint, facial scan, or local device PIN, without transmitting your biometric information to multiple websites.
  • Biometric logins: Fingerprint sensors, facial recognition or voice ID are also becoming standard on devices and secure platforms. They remove the need to remember complex strings while maintaining strong protection when implemented correctly.
  • Single sign-on (SSO): For larger organisations, these systems simplify access by letting staff use one verified identity across multiple services. This reduces password fatigue and centralises control over user access.

Notes

  1. QLS research paper: “Do Password Policies Reduce Data Loss”, 2023.
  2. In a recent case, a Spanish football enthusiast’s password (RealMadridRonaldo7) was revealed by data sold by a concession stand when he bought his son a souvenir shirt.
  3. Assumptions: attack system Hashcat mode 1000 running offline on a captured dataset on a high-quality GPU; word found on a 1-million-entry word list.
  4. While browser-based password safes are not bad in themselves, companies such as Google have a strong vested interest in making sure it is easy to transfer all accounts when you purchase a new device.
  5. By mentioning software QLS does not warrant that it is appropriate for your purposes or free from risk. Some of the systems mentioned have been compromised in the past, like many other software vendors.

For additional cybersecurity resources and guidance, visit the QLS Cybersecurity page at qls.com.au/Practising-law-in-Qld/Resources/Cybersecurity
