This blog has been updated with new data and insights since it was originally published on August 2, 2019.
Think passwords will soon be dead? Think again. Passwords are cumbersome and hard to remember — and just when you do remember them, you’re ordered to change them again. And guess what? The new password you do come up with is easily guessed and hackable. Moreover, with the explosion of non-human / machine accounts, such as service accounts, application accounts, robotic process automation (RPA), and more, the password problem is getting considerably more complex. Nobody likes passwords, but for now, they are not going anywhere. And while some have tried to replace passwords with biometric data, such as fingerprints and face-scanning technology, these are not perfect, so many fall back to the trusty (but frustrating) old password. Rarely do I attend a conference where I don’t hear someone sharing their supposed “good” password policy advice. You know what I am talking about; the password policy dictates:
This advice continues to be repeated by some of the foremost experts. But this advice is at best incomplete and, at worst, completely WRONG! Why? Because it is outdated, incomplete cybersecurity advice that was never actually good in the first place. Don’t believe me? Years of data support my position. Users and companies that follow the obsolete password security advice are likely increasing their computer security risk, not decreasing it. They are focusing more on compliance with outdated regulatory requirements than on password security principles that actually work. According to the most recent Verizon Data Breach Investigations Report (DBIR), roughly 50% of data breaches involved stolen passwords. Businesses must accept that a strong password policy is the best line of defense against unauthorized access to their critical infrastructure, at least for now. So, in this blog, I’m going to discuss some of the password policies and best practices that every organization should consider implementing. First, let’s consider some recent data on password management behaviors gleaned from a variety of reputable sources:
The main risk of the practices above is password theft, in which the associated identity is stolen. Some common techniques for cracking passwords include:
It only takes one breach at the right company to compromise millions of user names and passwords. Most users understand the nature of security risks related to easy-to-guess passwords. Password policies are a set of rules created to increase password security by encouraging users to create strong, secure passwords, and then properly store and utilize them. Let’s now take a closer look at the modern password security policies and best practices that every organization should implement.

Top 15 Principles of Password Management

1. Create a Strong, Long Passphrase

Strong passwords make it significantly more difficult for hackers to crack and break into systems. A strong password is generally considered to be more than eight characters long and to combine upper- and lowercase letters, numbers, and symbols. The US National Institute of Standards and Technology (NIST) recommends creating long passphrases that are easy to remember and difficult to crack. According to Special Publication 800-63, Digital Identity Guidelines, a best practice is to support passwords of up to 64 characters, including spaces.

2. Apply Password Encryption

Encryption provides additional protection for passwords, even if they are stolen by cybercriminals. The best practice is to consider end-to-end encryption that is non-reversible. In practice, non-reversible protection of stored passwords means a salted, deliberately slow password hash rather than encryption that can be decrypted, while encryption in transit protects the password as it crosses the network.

3. Implement Two-Factor Authentication

Two-factor authentication has become a standard for managing access to organizational resources. In addition to traditional credentials, like username and password, users have to confirm their identity with a one-time code sent to their mobile device or using a personalized USB token. The idea is that with two-factor (or multi-factor) authentication, guessing or cracking the password alone is not enough for an attacker to gain access.

4. Add Advanced Authentication Methods

Apply non-password based, advanced methods.
For instance, as part of multi-factor authentication, users can leverage biometric verification—like logging in to an iPhone using a thumbprint with Touch ID, or authenticating on a Windows 11 PC just by looking at it with Windows Hello facial recognition. This method allows the system to identify employees by recognizing their faces, fingerprints, voices, irises, or heartbeats.

5. Test Your Password

Make sure your password is strong by testing it with an online testing tool. Microsoft’s password strength testing tool, for example, can help you generate passwords that are less likely to be hacked.

6. Don’t Use Dictionary Words

Sophisticated hackers have programs that search through tens of thousands of dictionary words across many languages. Avoid dictionary words to help prevent your business from falling victim to a dictionary attack program.

7. Use Different Passwords for Every Account

Otherwise, if one account is breached, other accounts with the same credentials can easily be compromised.

8. Secure Your Mobile Phone

Mobile phones are commonly used to conduct business, shop, and more, but they bring with them many security concerns. Protect your phone and other mobile devices from hackers by securing them with a strong password, fingerprint, or facial recognition.

9. Avoid Periodic Changes of Personal Passwords

A widespread password security practice in years past has been to force users to change passwords periodically (every 90 days, 180 days, etc.). However, in more recent guidance, NIST advises against a mandatory policy of password changes for personal passwords (note that this updated guidance does not apply to privileged credentials). One reason for this newer policy is that users tend to just repeat passwords they had used before. You can implement strategies to prevent password re-use, but users will still find creative ways around it.
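The following is an added example (mine, not code from the post, from NIST, or from BeyondTrust) that turns principles 1, 2 and 6, together with the re-use prevention just mentioned, into working Python: an acceptance check in the style of NIST SP 800-63B (a minimum and a generous maximum length, spaces allowed, a blocklist of common and dictionary passwords, no username inside the password, no composition rules), salted scrypt hashing so stored passwords are non-reversible, and a per-account history that rejects a previously used password without ever keeping one in the clear. The blocklist, account names and passphrases are constructed sample data; the history depth of five and the scrypt parameters are assumptions.

```python
import hashlib
import hmac
import os
import unicodedata

MIN_LENGTH = 8     # SP 800-63B minimum for user-chosen passwords
MAX_LENGTH = 128   # SP 800-63B requires that at least 64 characters be accepted
SALT_BYTES = 16
# Assumed scrypt work factor (about 16 MiB of memory per hash); tune to your hardware.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32, maxmem=64 * 1024 * 1024)

# Constructed blocklist standing in for a breached-password corpus plus common
# dictionary words; a real deployment loads many millions of entries.
BLOCKLIST = {"password", "password1", "qwerty", "123456", "letmein",
             "welcome", "iloveyou", "summer2019", "football"}


def normalize(password: str) -> str:
    # NFKC so that visually identical input always hashes the same way (SP 800-63B advice)
    return unicodedata.normalize("NFKC", password)


def check_password(candidate: str, username: str = "") -> list:
    """Return the list of reasons a candidate is unacceptable (empty means OK).
    Deliberately no 'must contain a digit/symbol' rules: length and the blocklist
    do the work, and long passphrases with spaces are welcome."""
    pw = normalize(candidate)
    lowered = pw.lower()
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if lowered in BLOCKLIST:
        problems.append("appears on the blocklist")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    if len(set(lowered)) <= 2:
        problems.append("too repetitive")
    return problems


def hash_password(password: str) -> bytes:
    """Salted, slow, one-way: the stored value cannot be turned back into the password."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(normalize(password).encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    recomputed = hashlib.scrypt(normalize(password).encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(recomputed, digest)


class Account:
    """Keeps the current hash plus a bounded history of retired hashes so that a
    previously used password is rejected, without storing any password itself."""

    def __init__(self, username: str, history_size: int = 5):
        self.username = username
        self.current = None        # hash of the active password
        self.history = []          # hashes of retired passwords, oldest first
        self.history_size = history_size

    def set_password(self, candidate: str) -> list:
        problems = check_password(candidate, self.username)
        previous = ([self.current] if self.current else []) + self.history
        if any(verify_password(candidate, old) for old in previous):
            problems.append("reuses a previous password")
        if problems:
            return problems
        if self.current is not None:
            self.history = (self.history + [self.current])[-self.history_size:]
        self.current = hash_password(candidate)
        return []

    def login(self, candidate: str) -> bool:
        return self.current is not None and verify_password(candidate, self.current)


if __name__ == "__main__":
    acct = Account("alice")
    print(acct.set_password("Password1"))                   # ['appears on the blocklist']
    print(acct.set_password("correct horse battery staple"))  # []
    print(acct.set_password("correct horse battery staple"))  # ['reuses a previous password']
```

Each history entry costs one scrypt evaluation at change time, which is the price of never storing a reusable form of the old passwords; keep the history short and the work factor honest rather than weakening either.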
The other consequence of frequent password changes is that users are more likely to write the passwords down to keep track of them. Thus, a best practice from NIST is to require a password change only when there is a potential threat or evidence of compromise.

10. Change Passwords When an Employee Leaves Your Business

Sadly, it is not uncommon for former, disgruntled employees to become your business’s worst enemy. Make it a common practice to change passwords when an employee leaves so that former employees cannot hack into your business accounts and wreak havoc.

11. Protect Accounts of Privileged Users

Passwords for privileged user accounts require special protections, such as privileged access management software. Unlike personal passwords, privileged credentials should still be changed regularly (even after every use for highly sensitive credentials). Also, these credentials should be injected and never directly visible or known to the end user, for a further measure of security.

12. Keep Your Business Offline

Don’t put vital company security information on the public internet. Doing so will make it easy for hackers to steal. Also, remove any permissions of applications when you have finished with them.

13. Avoid Storing Passwords

Avoid storing passwords either digitally or on paper, as this information can be stolen by those with malicious motives.

14. Be Vigilant About Safety

No matter how strong your passwords are and how meticulous you are about security, passwords won’t be safe if a hacker’s spy program is monitoring what you enter on your keyboard. Make it as difficult as possible for cybercriminals to get your credentials by using up-to-date anti-malware and vulnerability management solutions, which enable you to harden your systems to prevent and mitigate weaknesses that might allow intruders to enter and/or move around your environment.

15. Use Password Managers

By leveraging a password manager, you only need to remember one password, as the password manager stores and even creates passwords for your different accounts, automatically signing you in when you log on. View a password manager as a book of your passwords, locked by a master key that only you know. Some of you think that sounds bad because, if someone acquires the master password, they have ALL your passwords. But if you’ve chosen a strong and unique, but easy-to-remember master password—you’ve established a near-perfect way to protect the rest of your personal passwords from improper access. Password managers not only store your passwords, they also generate and save strong, unique passwords when you sign up to new websites. That means whenever you visit a website or app, you can pull up your password manager, copy your password, paste it into the login box, and you’re in. Often, password managers come with browser extensions that automatically fill in your password for you. And because many of the password managers have encrypted synchronization across devices, you can take your passwords with you anywhere — even on your phone. Password managers are designed to provide you with access to all your passwords in an encrypted format that is not accessible to hackers or malicious software. They can offer significant convenience, while providing outstanding protection and ensuring that your information stays private. Generally, there are two primary types of password managers:
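As an added illustration of what a manager’s generator does (my example, not code from the post, from BeyondTrust, or from any particular password manager), the block below produces random passphrases and character passwords from the operating system’s CSPRNG via Python’s secrets module, reports their entropy in bits, and keeps one credential per site so nothing is ever reused across accounts (principles 1, 7 and 15). The word list is a constructed sixteen-word stand-in, and the vault is deliberately unencrypted: it models only the “unique password per account” rule, not the master-key protection discussed above.

```python
import math
import secrets
import string

# Constructed miniature word list. Real generators draw from lists such as the
# 7776-word Diceware / EFF long lists; the entropy figures scale with list size.
WORDS = ["anchor", "basil", "cobalt", "dune", "ember", "fjord", "garnet", "harbor",
         "iris", "juniper", "kelp", "lumen", "meadow", "nectar", "orchid", "pebble"]

# 26 + 26 + 10 + 32 = 94 printable ASCII symbols
SYMBOLS = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent, uniform picks from an alphabet of `alphabet_size`."""
    return length * math.log2(alphabet_size)


def generate_passphrase(words=WORDS, count: int = 6, separator: str = " ") -> str:
    """Random passphrase. `secrets.choice` uses the OS CSPRNG; `random.choice` is
    predictable and must not be used for credentials."""
    return separator.join(secrets.choice(words) for _ in range(count))


def generate_password(length: int = 20, alphabet: str = SYMBOLS) -> str:
    """Random character password for sites that reject long passphrases."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


class Vault:
    """Minimal model of a manager's store: one generated credential per site,
    never reused across sites. A real manager encrypts this store under a key
    derived from the master password; encryption is omitted in this example."""

    def __init__(self):
        self._entries = {}

    def issue(self, site: str, length: int = 20) -> str:
        """Return the site's password, generating a fresh unique one on first use."""
        if site in self._entries:
            return self._entries[site]
        password = generate_password(length)
        while password in self._entries.values():  # astronomically unlikely, but cheap
            password = generate_password(length)
        self._entries[site] = password
        return password

    def lookup(self, site: str):
        return self._entries.get(site)

    def all_unique(self) -> bool:
        return len(set(self._entries.values())) == len(self._entries)


if __name__ == "__main__":
    print(generate_passphrase(), round(entropy_bits(len(WORDS), 6), 1), "bits")
    print(generate_password(), round(entropy_bits(len(SYMBOLS), 20), 1), "bits")
    vault = Vault()
    print(vault.issue("mail.example"), vault.issue("bank.example"), vault.all_unique())
```

Six words from a 7776-word list give about 77.5 bits, comparable to a 12-character random password over all 94 printable symbols, which is why long, memorable passphrases and generated gibberish can both satisfy principle 1; with a sixteen-word list, as in this demo, the same six words give only 24 bits, so the list size matters as much as the word count.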
Final Thoughts on Improving Password Security

As I’ve explained, passwords have changed only slightly over time, but password management is evolving considerably. Password managers represent one of the safest solutions to safeguarding your authentication information. Stolen or weak passwords are still the most common reason for data breaches, so organizations should carefully examine password security policies and password management. With the best practices I have provided in this blog, you can create an effective password security policy and provide stronger protection against unauthorized access. For an in-depth understanding of the ways attackers try to hack passwords, and how to defend against such attacks, check out this blog. Address password security risk head-on. Identify risks related to privileged credentials and accounts, such as default credentials, orphaned accounts, and more, with the most powerful free tool of its kind. Get the BeyondTrust Privileged Account Discovery Application now—no download necessary.