Strong password for Business


14 replies to this topic

#1 awesomeoverload

awesomeoverload

  • Members
  • 31 posts
  • OFFLINE
  • Local time:04:56 AM

Posted 07 March 2017 - 10:10 PM

Just one quick question about a strong password for our business. I need some help with it. Besides helping us keep track of our logins, how do we reduce the risk of a data breach?
 




#2 DeimosChaos

DeimosChaos

  • BC Advisor
  • 1,420 posts
  • OFFLINE
  • Gender:Male
  • Location:United States, Delaware
  • Local time:04:56 PM

Posted 08 March 2017 - 10:46 AM

You might need to provide a bit more info to go on... but generally to help reduce the risk of breach you would want a firewall with a good firewall policy in place (an implicit deny followed by what you want to let in is usually a good start), endpoint protection (some kind of AV or next gen AV), web security gateway, data loss prevention application... the list can go on. Depends on what kind of budget you have and what makes the most sense to you.

 

The first part of your post is a bit confusing. Did you have a question about passwords and tracking logins? You mentioned them but never really explicitly asked anything about those.


OS - Ubuntu 14.04/16.04 & Windows 10
Custom Desktop PC / Lenovo Y580 / Sager NP8258 / Dell XPS 13 (9350)
_____________________________________________________
Bachelor of Science in Computing Security from Drexel University
Security +


#3 RolandJS

RolandJS

  • Members
  • 4,533 posts
  • OFFLINE
  • Gender:Male
  • Location:Austin TX metro area
  • Local time:03:56 PM

Posted 08 March 2017 - 11:00 AM

When creating passwords, the longer the better -- according to some sources.  And, perhaps have the employees keep a notebook of their respective usernames and passwords in a locked desk drawer.


"Take care of thy backups and thy restores shall take care of thee."  -- Ben Franklin revisited.

http://collegecafe.fr.yuku.com/forums/45/Computer-Technologies/

Backup, backup, backup! -- Lady Fitzgerald (w7forums)

Clone or Image often! Backup... -- RockE (WSL)


#4 DeimosChaos

DeimosChaos

  • BC Advisor
  • 1,420 posts
  • OFFLINE
  • Gender:Male
  • Location:United States, Delaware
  • Local time:04:56 PM

Posted 08 March 2017 - 12:14 PM

I wouldn't keep the passwords/usernames written down (even if they are in a locked drawer). I would suggest using a password manager, like "LastPass". If you aren't comfortable storing your passwords on the web you could always use an offline store, like keepass.




#5 britechguy

britechguy

    Been there, done that, got the T-shirt


  • Moderator
  • 8,999 posts
  • OFFLINE
  • Gender:Male
  • Location:Staunton, VA
  • Local time:04:56 PM

Posted 08 March 2017 - 08:56 PM

The general rule "the longer the better" is a good one but does, of course, have limits.

 

Recording passwords anywhere except a password manager that strongly encrypts the information is a bad idea.

 

The best technique I've ever heard of for creating passwords is the portmanteau phrase method. It allows any individual to create long passwords that are easy for them to remember by building a password of elements specific to them personally as well as the application/website/location they're created for.

 

Let's say your childhood address was 1523 Elm St, favorite color is purple, your first phone number was 213-9485, and your favorite special character is an asterisk (8).

 

You can build a password 1523purple213-9485{site/app/location specific element}*, e.g.  1523purple213-9485amazon*

 

Mind you, one need not go this long (25 characters) since any element with the exception of the {site/app/location specific element} could be omitted, repositioned, etc.

 

It's amazing how fast it becomes to type these once the non-specific part becomes "automatic" and how easy it is to remember a password based on where it is used.

 

I've also seen people use a three-element portmanteau where one is a phrase with spaces omitted like: 1523looselipssinkshipsamazon

 

Easy to remember for the individual who creates them and almost impossible to guess for anyone else.


Brian  AKA  Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1803, Build 17134 

     . . . the presumption of innocence, while essential in the legal realm, does not mean the elimination of common sense outside it.  The willing suspension of disbelief has its limits, or should.

    ~ Ruth Marcus,  November 10, 2017, in Washington Post article, Bannon is right: It’s no coincidence The Post broke the Moore story


 

 

 

              

 


#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,749 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:56 PM

Posted 08 March 2017 - 09:36 PM

Password Resources
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#7 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,716 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:56 PM

Posted 11 March 2017 - 04:39 AM

Many data breaches are the result of vulnerabilities, like a web site vulnerable to SQL injection. In such cases, criminals don't need your password to steal data.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#8 RolandJS

RolandJS

  • Members
  • 4,533 posts
  • OFFLINE
  • Gender:Male
  • Location:Austin TX metro area
  • Local time:03:56 PM

Posted 11 March 2017 - 08:18 PM

Many data breaches are the result of vulnerabilities, like a web site vulnerable to SQL injection. In such cases, criminals don't need your password to steal data.

However, criminals do need usernames and passwords to directly access individual computers, individual accounts, and so on.




#9 JohnnyJammer

JohnnyJammer

  • Members
  • 1,117 posts
  • OFFLINE
  • Gender:Male
  • Location:QLD Australia
  • Local time:06:56 AM

Posted 12 March 2017 - 05:52 PM

 

Many data breaches are the result of vulnerabilities, like a web site vulnerable to SQL injection. In such cases, criminals don't need your password to steal data.

However, criminals do need usernames and passwords to directly access individual computers, individual accounts, and so on.

 

Yeah, and that's why you would use mimikatz to exploit tokens and then gain privileged and/or local admin account credentials!



#10 JohnAdam20

JohnAdam20

  • Members
  • 4 posts
  • OFFLINE
  • Local time:01:56 AM

Posted 15 March 2017 - 01:27 AM

Even using tools to store website credentials is not a good idea. Users even use browsers to store their credentials, but anyone who has access to your computer can easily open the browser and check the password. It is better to memorize the password, and in case we forget the password we can always reset it.



#11 DeimosChaos

DeimosChaos

  • BC Advisor
  • 1,420 posts
  • OFFLINE
  • Gender:Male
  • Location:United States, Delaware
  • Local time:04:56 PM

Posted 15 March 2017 - 09:03 AM

@JohnAdam20

 

Yes, using a browser to store passwords is a horrible idea. Using a password manager (like Lastpass, Keepass, etc.), however, is not. With something like Keepass you have to sign in to the database of stored passwords every time, and they are encrypted. Same goes with Lastpass, though you can choose to stay logged in. As long as you have a good strong master password you should be good. Of course, changing that at regular intervals is probably a good idea.

 

It would be impossible to memorize secure passwords for every website someone has a logon for. For example, I have at least 30 passwords stored in my Lastpass between personal and work-related ones. There is no way I would be able to remember them all without a password manager.




#12 britechguy

britechguy

    Been there, done that, got the T-shirt


  • Moderator
  • 8,999 posts
  • OFFLINE
  • Gender:Male
  • Location:Staunton, VA
  • Local time:04:56 PM

Posted 15 March 2017 - 09:44 AM

@DeimosChaos

 

You are indeed correct about actual password manager software being perfectly safe for storing passwords.  I've been using Password Safe and its Android port for years now and would go crazy without it.

 

Even though I've been transitioning to the portmanteau technique for my passwords over time on various websites, etc., I'll still sometimes forget the "site specific" part of the portmanteau, so having a password manager is essential.  I don't have to refer to it as much for myself as I do for my partner (who constantly forgets his passwords and if I didn't keep them for him I'd be driven insane by having to walk him through the reset process time and time again - some people are just hopeless when it comes to passwords, particularly if they generally set all sites that allow it to "keep me logged in" and they don't have to enter a password with any regularity).




#13 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,749 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:56 PM

Posted 15 March 2017 - 12:58 PM

I've been using Password Safe for years too. At my age, I can't count on memory anymore.



#14 KeturahWeston

KeturahWeston

  • Members
  • 28 posts
  • OFFLINE
  • Local time:05:56 AM

Posted 16 March 2017 - 05:59 PM

Passwords represent the greatest security risk to businesses today.  With Enterprise Password Management, your employees have on-demand access to encrypted passwords, websites and applications increasing their productivity while protected with best-in-class security.  Check out the software and compare the vendors to find out which suits you best.



#15 awesomeoverload

awesomeoverload
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:04:56 AM

Posted 16 March 2017 - 08:25 PM

Thanks everyone for the help. As of the moment, I think I'm going to try password management software so we can keep track of our logins and avoid any breach and scammers. 





