This blog has been updated with new data and insights since it was originally published on August 2, 2019.
Think passwords will soon be dead? Think again. Passwords are cumbersome and hard to remember — and just when you do remember them, you’re ordered to change them again. And guess what? The new password you do come up with is easily guessed and hackable. Moreover, with the explosion of non-human / machine accounts, such as service accounts, application accounts, robotic process automation (RPA), and more, the password problem is getting considerably more complex.
Nobody likes passwords, but for now, they are not going anywhere. And while some have tried to replace passwords with biometric data, such as fingerprints and face-scanning technology, these are not perfect, so many resort back to the trusty (but frustrating) old password.
Rarely do I attend a conference where I don’t hear someone sharing their supposed “good” password policy advice. You know what I am talking about: the password policy dictates:
- A minimum length of 8 to 12 characters, with long passphrases being even better
- Password complexity that means it contains at least three different character sets (e.g., uppercase characters, lowercase characters, numbers, or symbols)
- Password rotation – Passwords must be changed every 90 days or less
- Use of account lockouts for bad passwords, with a limit of 5 or fewer bad attempts
This advice continues to be repeated by some of the foremost experts.
But this advice is at best, incomplete, and at worst, completely WRONG! Why? Because it is outdated, incomplete cybersecurity advice that was never actually good in the first place.
Don’t believe me? Years of data support my position. Users and companies that follow the obsolete password security advice are likely increasing their computer security risk, not decreasing it. They are focusing more on compliance with outdated regulatory requirements than they do on password security principles that actually work.
According to the most recent Verizon Data Breach Investigations Report (DBIR), roughly 50% of data breaches involved stolen passwords. Businesses must accept that a strong password policy is the best line of defense against unauthorized access to their critical infrastructure, at least for now. So, in this blog, I’m going to discuss some of the password policies and best practices that every organization should consider implementing.
First, let’s consider some recent data on password management behaviors gleaned from a variety of reputable sources:
- 45% of users did not change their passwords after a breach occurred. (Source: LastPass study)
- Only 58% of employees say their organization has implemented MFA. Yet, even then, 32% say that MFA is optional for employees, 27% say it is optional for third-party workers, and 40% say it is optional for customers (Source: SecureAuth survey)
- 84% reuse passwords across multiple sites (Source: Bitwarden survey)
- Over 20% said they used the same password for their personal bank accounts as they did for work-related accounts (Source: BeyondIdentity Survey)
- Only 34% of users across the globe use a password manager, while only 25% of users across the globe (and 32% of Americans) are required to use a password manager at work. (Source: Bitwarden survey)
- 63% are likely to leave an online service for a competitor who makes it significantly easier to authenticate identity (Source: Ping Identity survey)
- 46% would prefer to use a service or site that offers an alternative to passwords. (Source: Ping Identity survey)
- 41.7% of employees admitted to having shared workplace passwords, and 37.4% of those employees have shared their work passwords with a family member, and 21% with a close friend! Yet, in the same survey, 42.5% of employees felt that sharing work passwords should be a fireable offense! (Source: BeyondIdentity survey)
The main risk with the practices above is password theft, in which the associated identity is stolen. Some common techniques for cracking passwords include:
- Dictionary attacks: Dictionary attacks rely on software that automatically plugs common words into password fields.
- Guessing simple passwords: The most popular password is 123456. The next most popular password is 12345. Other common choices are 111111, princess, qwerty, and abc123.
- Reuse of passwords across multiple sites: When one data breach compromises passwords, that same login information can often be used to hack into users’ other accounts. Reusing passwords for email, banking, and social media accounts can lead to identity theft.
- Cracking security questions: Many people use the names of spouses, kids, other relatives, or pets in security questions or as passwords themselves. These types of answers can be deduced with a little research, and can often be found on your social media profile. This practice is made even simpler by the fact that many sites implement the same security questions and users reuse their security-question answer pairs across sites.
- Social engineering: Social engineering (i.e. phishing, vishing, etc.) is the act of manipulating others into performing certain actions or divulging confidential information. It can be employed to trick targets into disclosing passwords.
It only takes one breach at the right company to compromise millions of user names and passwords.
Most users understand the nature of security risks related to easy-to-guess passwords. Password policies are a set of rules created to increase password security by encouraging users to create strong, secure passwords, and then properly store and utilize them.
Let’s now take a closer look at the modern password security policies and best practices that every organization should implement.
Top 15 Principles of Password Management
1. Create A Strong, Long Passphrase
Strong passwords make it significantly more difficult for hackers to crack and break into systems. Strong passwords are generally considered to be more than eight characters in length and to comprise upper and lowercase letters, numbers, and symbols.
The US National Institute of Standards and Technology (NIST) recommends creating long passphrases that are easy to remember and difficult to crack. According to Special Publication 800-63, Digital Identity Guidelines, a best practice is to generate passwords of up to 64 characters, including spaces.
2. Apply Password Encryption
Encryption provides additional protection for passwords, even if they are stolen by cybercriminals. The best practice is to consider end-to-end encryption that is non-reversible. In this way, you can protect passwords in transit over the network.
3. Implement Two-Factor Authentication
Two-factor authentication has become a standard for managing access to organizational resources. In addition to traditional credentials, like username and password, users have to confirm their identity with a one-time code sent to their mobile device or using a personalized USB token. The idea is that with two-factor (or multi-factor) authentication, guessing or cracking the password alone is not enough for an attacker to gain access.
4. Add Advanced Authentication Methods
Apply non-password based, advanced methods. For instance, as part of multi-factor authentication, users can leverage biometric verification—like logging in to an iPhone using a thumbprint with Touch ID, or authenticating on a Windows 11 PC just by looking at it with Windows Hello facial recognition. This method allows the system to identify employees by recognizing their faces, fingerprints, voices, irises, or heartbeats.
5. Test Your Password
Make sure your password is strong by testing it with an online testing tool. Microsoft’s password strength testing tool can help you generate passwords that are less likely to be hacked.
6. Don’t Use Dictionary Words
Sophisticated hackers have programs that search through tens of thousands of dictionary words across many languages. Avoid dictionary words to help prevent your business from being a victim of a dictionary attack program.
7. Use Different Passwords for Every Account
Otherwise, if one account is breached, other accounts with the same credentials can easily be compromised.
8. Secure Your Mobile Phone
Mobile phones are commonly used to conduct business, shop, and more, but bring with them many security concerns. Protect your phone and other mobile devices from hackers by securing them with a strong password, fingerprint, or facial recognition.
9. Avoid Periodic Changes of Personal Passwords
A widespread password security practice over years past has been to force users to periodically (every 90 days, or 180 days, etc.) change passwords. However, in more recent guidance, NIST advises not to use a mandatory policy of password changes for personal passwords (note that this updated guidance does not apply to privileged credentials). One reason for this newer policy is that users tend to just repeat passwords they had used before. You can implement strategies to prevent password re-use, but users will still find creative ways around it. The other consequence of frequent password changes is that users are more likely to write the passwords down to keep track of them. Thus, a best practice from NIST is to ask employees for password change only in case of potential threat or compromise.
10. Change Passwords When an Employee Leaves Your Business
Sadly, it is not uncommon for former, disgruntled employees to become your business’s worst enemy. Make it a common practice to change passwords when an employee leaves so that former employees cannot hack into your business accounts and wreak havoc.
11. Protect Accounts of Privileged Users
Passwords for privileged user accounts require special protections, such as via privileged access management software. Unlike personal passwords, privileged credentials should still be regularly changed (even after every use for highly sensitive credentials). Also, these credentials should be injected and never directly visible or known to the end user, for a further measure of security.
12. Keep Your Business Offline
Don’t put vital company security information on the public internet. Doing so will make it easy for hackers to steal. Also, remove any permissions of applications when you have finished with them.
13. Avoid Storing Passwords
Avoid storing passwords either digitally or on paper, as this information can be stolen by those with malicious motives.
14. Be Vigilant About Safety
No matter how strong your passwords are and how meticulous you are about security, passwords won’t be safe if a hacker’s spy program is monitoring what you enter on your keyboard. Make it as difficult as possible for cybercriminals to get your credentials by using up-to-date anti-malware and vulnerability management solutions, which enable you to harden your systems to prevent and mitigate weaknesses that might allow intruders to enter and/or move around your environment.
15. Use Password Managers
By leveraging a password manager, you only need to remember one password, as the password manager stores and even creates passwords for your different accounts, automatically signing you in when you log on.
View a password manager as a book of your passwords, locked by a master key that only you know. Some of you think that sounds bad because, if someone acquires the master password, they have ALL your passwords. But if you’ve chosen a strong and unique, but easy-to-remember master password—you’ve established a near-perfect way to protect the rest of your personal passwords from improper access.
Password managers not only store your passwords, they also generate and save strong, unique passwords when you sign up to new websites. That means whenever you visit a website or app, you can pull up your password manager, copy your password, paste it into the login box, and you’re in. Often, password managers come with browser extensions that automatically fill in your password for you. And because many of the password managers have encrypted synchronization across devices, you can take your passwords with you anywhere — even on your phone.
Password managers are designed to provide you with access to all your passwords in an encrypted format that is not accessible to hackers or malicious software. They can offer significant convenience, while providing outstanding protection and ensuring that your information stays private.
Generally, there are two primary types of password managers:
- Personal Password Managers: These manage passwords for individual users/employees for access to various applications and services.
- Privileged Password Managers: These specialized enterprise solutions secure and manage privileged credentials from a centralized, enterprise-wide password safe. Privileged credentials are the organization’s most sensitive secrets, providing privileged access for user accounts, applications, and systems. These are generally paired with privileged session management and are a core component of an enterprise privileged account management platform.
Final Thoughts on Improving Password Security
As I’ve explained, passwords have changed only slightly over time, but password management is evolving considerably. Password managers represent one of the safest solutions to safeguarding your authentication information.
Stolen or weak passwords are still the most common reason for data breaches, so organizations should carefully examine password security policies and password management. With the best practices I have provided in this blog, you can create an effective password security policy and provide stronger protection against unauthorized access.
Address password security risk head-on. Identify risks related to privileged credentials and accounts, such as default credentials, orphaned accounts, and more with the most powerful free tool of its kind. Get the BeyondTrust Privileged Account Discovery Application now—no download necessary.
Derek A. Smith, Founder, National Cybersecurity Education Center
Derek A. Smith is an expert at cybersecurity, cyber forensics, healthcare IT, SCADA security, physical security, investigations, organizational leadership and training. He is currently an IT Supervisor at the Internal Revenue Service. He is also owner of The Intercessors Investigative and Training Group (www.theintercessorgroup.com). Formerly, Derek worked for several IT companies including Computer Sciences Corporation and Booz Allen Hamilton. Derek spent 18 years as a special agent for various government agencies and the military. He is also a cyber security professor at the University of Maryland, University College and Virginia University of Science and Technology and has taught for over 25 years. Derek is retired from the US Army and also served in the US Navy and Air Force for a total of 24 years. He is completing his Doctorate Degree in Organizational Leadership and has completed an MBA, MS in IT Information Assurance, Masters in IT Project Management, and a BS in Education. Derek has written several books including Cybersense: The Leaders Guide to Protecting Critical Information, and its companion workbook, and he has contributed to several other books as an author and technical adviser.