Think passwords will soon be dead? Think again. Passwords are cumbersome and hard to remember — and just when you do remember them, you’re ordered to change them again. And guess what? The new password you do come up with is easily guessed and hackable.
Nobody likes passwords, but for now, they are not going anywhere. And while some have tried to replace passwords with biometric data, such as fingerprints and face-scanning technology, these are not perfect, so many resort back to the trusty (but frustrating) old password.
Rarely do I attend a conference where I don’t hear someone sharing their supposed “good” password policy advice. You know the kind I am talking about; the password policy dictates:
- A minimum length of 8 to 12 characters long, with long passphrases being even better
- Password complexity that means it contains at least three different character sets (e.g., uppercase characters, lowercase characters, numbers, or symbols)
- Password rotation – Passwords must be changed every 90 days or less
- Use of account lockouts for bad passwords, with a limit of 5 or fewer bad attempts
This advice continues to be repeated by some of the foremost experts.
But this advice is at best, incomplete, and at worst, completely WRONG! Why? Because it is outdated, incomplete cybersecurity advice that was never actually good in the first place.
Don’t believe me? Well, the data supports my position. Users and companies that follow the obsolete password security advice are likely increasing their computer security risk, not decreasing it. They are focusing more on compliance with outdated regulatory requirements than they do on password security principles that actually work.
In 2018, Verizon reported via its annual Data Breach Investigations Report (DBIR) that 81% of hacking-related data breaches involved either stolen or weak passwords. Businesses must accept that a strong password policy is the best line of defense against unauthorized access to their critical infrastructure, at least for now. So, in this blog, I’m going to discuss some of the password policies and best practices that every organization should consider implementing.
First, I want to provide you with some statistics from the 2019 State of Password and Authentication Security Behaviors Report, which compiled results from a survey of 1,761 IT and IT security practitioners:
- 69% share passwords with colleagues to access accounts
- 51% reuse passwords across their business and personal accounts
- 57% who have experienced a phishing attack have not changed their password behaviors
- 67% do not use any form of two-factor authentication in their personal life, and 55% do not use it at work
- 57% expressed a preference for a login method that does not involve the use of passwords
The main risk with the practices above is password theft, in which the associated identity is stolen. Common techniques for cracking passwords include:
- Dictionary attacks: Dictionary attacks rely on software that automatically plugs common words into password fields.
- Cracking security questions: Many people use the names of spouses, kids, other relatives, or pets in security questions or as passwords themselves. These types of answers can be deduced with a little research, and can often be found on your social media profile.
- Guessing simple passwords: The most popular password is 123456. The next most popular is 12345. Other common choices are 111111, princess, qwerty, and abc123.
- Reuse of passwords across multiple sites: When one data breach compromises passwords, that same login information can often be used to hack into users’ other accounts. Reusing passwords for email, banking, and social media accounts can lead to identity theft.
- Social engineering: Social engineering is the act of manipulating others into performing certain actions or divulging confidential information. It can be employed to trick targets into disclosing passwords.
It only takes one breach at the right company for millions of user names and passwords to become compromised.
Most users understand the nature of security risks related to easy-to-guess passwords. Password policies are a set of rules created to increase password security by encouraging users to create strong, secure passwords, and then store and utilize them properly. Let’s now take a closer look at the modern password security policies and best practices that every organization should implement.
Top 15 Principles of Password Management
1. Create A Strong, Long Passphrase
Strong passwords make it significantly more difficult for hackers to crack and break into systems. Strong passwords are considered over eight characters in length and made up of both upper and lowercase letters, numbers, and symbols.
The US National Institute of Standards and Technology (NIST) recommends creating long passphrases that are easy to remember and difficult to crack. According to Special Publication 800-63, Digital Identity Guidelines, a best practice is to generate passwords of up to 64 characters, including spaces.
2. Apply Password Encryption
Encryption provides additional protection for passwords, even if they are stolen by cybercriminals. The best practice is to consider end-to-end encryption that is non-reversible. In this way, you can protect passwords in transit over the network.
3. Implement Two-Factor Authentication
Two-factor authentication has fast become a standard for managing access to organizational resources. In addition to traditional credentials like username and password, users have to confirm their identity with a one-time code sent to their mobile device or using a personalized USB token. The idea is that with two-factor (or multi-factor) authentication, guessing or cracking the password alone is not enough for an attacker to gain access.
4. Add Advanced Authentication Methods
Apply advanced, non-password-based methods. For instance, as part of multi-factor authentication, users can leverage biometric verification—like logging in to an iPhone using a thumbprint with Touch ID or authenticating on a Windows 10 PC just by looking at it with Windows Hello facial recognition. This method allows the system to identify employees by recognizing their faces, fingerprints, voices, irises, or heartbeats.
5. Test Your Password
Make sure your password is strong by testing it with an online testing tool. Microsoft’s Safety & Security Center has a password testing tool that can help you generate passwords that are less likely to be hacked.
6. Don’t Use Dictionary Words
Sophisticated hackers have programs that search through tens of thousands of dictionary words. Avoid dictionary words to help prevent your business from being a victim of a dictionary attack program.
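As an added example (not the post’s code) that serves both the passphrase guidance under principle 1 and the dictionary-word advice here: a screening function in the style of NIST SP 800-63B that enforces an 8-to-64-character length with spaces allowed, rejects the common passwords listed earlier on this page, dictionary words with trivial padding, repeated or sequential runs, and account-specific identifiers. The blocklist and word list are constructed stand-ins for a real breached-password corpus and dictionary.

```python
import re
import unicodedata

MIN_LEN, MAX_LEN = 8, 64   # SP 800-63B: at least 8 chars, allow at least 64, spaces permitted

# Constructed lists for this example; load a full breached-password corpus and a
# real dictionary in production instead of these few entries.
COMMON_PASSWORDS = {"123456", "12345", "111111", "princess", "qwerty", "abc123", "password"}
DICTIONARY_WORDS = {"princess", "password", "welcome", "summer", "dragon", "monkey"}
SEQUENCES = ("0123456789", "abcdefghijklmnopqrstuvwxyz", "qwertyuiop")


def check_password(password: str, context: tuple = ()) -> list:
    """Return the reasons a candidate is rejected (empty list means accepted).

    `context` holds account-specific strings (username, company name) that must
    not appear inside the password. No character-class composition rule is
    imposed, following SP 800-63B; length and blocklists do the work instead.
    """
    pw = unicodedata.normalize("NFKC", password)    # look-alike inputs compare equal
    lowered = pw.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered)   # catches 'Princess1!' style padding
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    if lowered in COMMON_PASSWORDS:
        reasons.append("appears on the common/breached password list")
    if letters_only in DICTIONARY_WORDS:
        reasons.append("is a dictionary word with trivial padding")
    if re.fullmatch(r"(.)\1+", pw):
        reasons.append("is one repeated character")
    if any(lowered in s or lowered in s[::-1] for s in SEQUENCES):
        reasons.append("is a sequential run")
    for word in context:
        if word and word.lower() in lowered:
            reasons.append(f"contains account identifier '{word}'")
    return reasons


if __name__ == "__main__":
    for candidate in ("123456", "Princess1!", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate) or "accepted")
```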
7. Use Different Passwords for Every Account
Otherwise, if one account is breached, other accounts with the same credentials can easily be compromised.
8. Secure Your Mobile Phone
Mobile phones are now commonly used to conduct business, shop, and more, but bring with them many security concerns. Protect your phone and other mobile devices from hackers by securing your phone with a strong password, fingerprint, or facial recognition passwords.
9. Avoid Periodic Changes of Personal Passwords
A widespread password security practice over the years has been to force users to change passwords periodically—every 90 days, or 180 days, etc. However, more recent guidance from NIST advises not to use a mandatory policy of password changes for personal passwords (note that this updated guidance does not apply to privileged credentials). One reason is that users tend to just repeat passwords they had used before. You can implement strategies to prevent password re-use, but users will still find creative ways around it. The other consequence of frequent password changes is that users are more likely to write the passwords down to keep track of them. Thus, a best practice from NIST is to ask employees for a password change only in the event of a potential threat or compromise.
10. Change Passwords When an Employee Leaves Your Business
Sadly, it is not uncommon for former, disgruntled employees to become your business’s worst enemy. Make it a common practice to change passwords when an employee leaves so that former employees cannot hack into your business accounts and wreak havoc.
11. Protect Accounts of Privileged Users
Passwords for privileged user accounts require special protections, such as via privileged access management software. Unlike personal passwords, privileged credentials should still be regularly changed (even after every use for highly sensitive credentials). Also, these credentials should be injected and never directly visible or known to the end-user, for a further measure of security.
12. Keep Your Business Offline
Don’t put vital company security information on the public internet. Doing so will make it easy for hackers to steal. Also, remove any permissions of applications when you have finished with them.
13. Avoid Storing Passwords
Avoid storing passwords either digitally or on paper, as this information can be stolen by those with malicious motives.
14. Be Vigilant About Safety
No matter how strong your passwords are and how meticulous you are about security, passwords won’t be safe if a hacker’s spy program is monitoring what you enter on your keyboard. Make it as difficult as possible for cybercriminals to get your credentials by using up-to-date anti-malware and vulnerability management solutions, which enable you to harden your systems to prevent and mitigate weaknesses that might allow intruders to enter and/or move around your environment.
15. Use Password Managers
By leveraging a password manager, you only need to remember one password, as the password manager stores and even creates passwords for your different accounts, automatically signing you in when you log on.
View a password manager as a book of your passwords, locked by a master key that only you know. Some of you think that sounds bad because, if someone acquires the master password, they have ALL your passwords. But if you’ve chosen a strong and unique, but easy-to-remember master password—you’ve established a near-perfect way to protect the rest of your personal passwords from improper access.
Password managers not only store your passwords, they help you generate and save strong, unique passwords when you sign up to new websites. That means whenever you go to a website or app, you can pull up your password manager, copy your password, paste it into the login box, and you’re in. Often, password managers come with browser extensions that automatically fill in your password for you.
And because many of the password managers in use have encrypted sync across devices, you can take your passwords with you anywhere — even on your phone.
Password managers are designed to provide you with access to all of your passwords in an encrypted format that is not accessible to hackers or malicious software. They can offer significant convenience while providing outstanding protection and ensuring that your information stays private.
Generally, there are two primary types of password managers:
- Personal Password Managers: Which manage passwords for individual users/employees for access to various applications and services.
- Privileged Password Managers: These specialized enterprise solutions secure and manage privileged credentials from a centralized, enterprise-wide password safe. Privileged credentials are the organization’s most sensitive secrets, providing privileged access for user accounts, applications, and systems. These are generally paired with privileged session management and are a core component of an enterprise privilege management platform.
Final Thoughts on Improving Password Security
As I’ve explained, passwords have changed only slightly over time, but password management is evolving considerably. Password managers represent one of the safest solutions to safeguarding your authentication information.
Stolen or weak passwords are still the most common reason for data breaches, so organizations should carefully examine password security policies and password management. With the best practices I have provided in this blog, you can create an effective password security policy and provide stronger protection against unauthorized access.
Derek A. Smith, Founder, National Cybersecurity Education Center
Derek A. Smith is an expert at cybersecurity, cyber forensics, healthcare IT, SCADA security, physical security, investigations, organizational leadership and training. He is currently an IT Supervisor at the Internal Revenue Service. He is also owner of The Intercessors Investigative and Training Group (www.theintercessorgroup.com). Formerly, Derek worked for several IT companies including Computer Sciences Corporation and Booz Allen Hamilton. Derek spent 18 years as a special agent for various government agencies and the military. He is also a cyber security professor at the University of Maryland, University College and Virginia University of Science and Technology and has taught for over 25 years. Derek is retired from the US Army and also served in the US Navy, and Air Force for a total of 24 years. He is completing his Doctorate Degree in Organizational Leadership and has completed an MBA, MS in IT Information Assurance, Masters in IT Project Management, and a BS in Education. Derek has written several books including Cybersense: The Leaders Guide to Protecting Critical Information, and its companion workbook, and he has contributed to several other books as an author and technical adviser.