Maximizing Password Security: A Guide for IT Professionals on World Password Day
With every new device, application and website that your users and employees have to log in to, they have to create a new password. It’s no wonder then that they find this overwhelming.
So, what do they do? They create a password that is easy to remember — something like “123456” or perhaps their birth date. Then, to keep it simple, they use the same password over and over again. On top of that, they opt for their browsers and devices to remember these passwords.
Unfortunately, what your users and employees do for their convenience makes your job that much more difficult. This is precisely the problem that Intel wanted to address when they introduced World Password Day in 2013.
With the threat of cybercrime increasing annually, they wanted to make users aware of the importance of creating secure passwords. To mark the occasion of World Password Day on May 4, 2023, we’re taking that initiative another step forward by bringing you this guide that explains how you can protect your users and network with stronger passwords. Let’s dive in.
The need for strong passwords
Passwords work on secrecy. You couldn’t verify the authenticity of a login attempt if passwords weren’t secret and everyone knew them. Unfortunately, since users reuse passwords for different sites and/or follow poor password management methods — writing them down somewhere or saving them in browsers, etc. — passwords get leaked or compromised daily. This poses a threat for your organization because one compromised password could potentially lead to many problems.
- Hackers could gain access to your network and work their way into other devices and accounts.
- They could launch ransomware and other malicious attacks.
- They could steal funds, digital identities, intellectual properties and other sensitive information.
- Your company could suffer reputational and financial damage due to customer dissatisfaction, downtime and the punitive measures imposed by governmental and regulatory bodies.
Roughly 63% of data breaches originate from a weak or stolen password, and according to IBM, the average cost of a data breach for an organization is about $4.35 million. One weak password could compromise your whole network and the future of your organization.
Creating a strong password
If a weak password can jeopardize your entire network, a strong password can protect it. According to one estimate, it would take a computer three sextillion years to crack a randomized password that’s 20 characters long and contains uppercase and lowercase letters, numbers and symbols. That’s why we recommend following these best practices to keep your users and network safe.
Best practices for employees and users
- Use long passwords of at least 8-12 characters. The longer the password, the more secure it is.
- Increase the complexity of your passwords by using lowercase and uppercase letters, numbers and symbols.
- Don’t set obvious passwords. According to one report, around 23 million accounts have the password “123456.”
- Don’t use the same password across accounts, websites and services.
- Change passwords periodically, at least once every 90 days.
- Don’t store passwords in spreadsheets or write them down where others can see them. Consider using a solution dedicated to password management.
- Avoid using real words in your passwords. This defeats dictionary attacks, in which a hacker systematically tries every word in a word list until one logs in.
- Give difficult answers to password security questions. Don’t use any information that a hacker could guess, such as the names of your pets or children.
- Consider using a password generator to set a randomized password.
- Use fingerprint authentication or facial recognition when possible as they are more secure.
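The length, character-class, common-password and dictionary-word rules above, together with the randomized generator the list recommends, as an added example (not code from the original post). The word lists are constructed samples and the 12-character minimum is an assumption taken from the upper end of the page's range.

```python
import secrets
import string

# Constructed sample lists; a real deployment would load a breached-password
# list and a full dictionary instead.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "111111", "letmein"}
DICTIONARY_WORDS = {"summer", "welcome", "dragon", "monkey", "football"}

MIN_LENGTH = 12            # assumption: upper end of the page's 8-12 range
SYMBOLS = string.punctuation


def check_password(password: str, min_length: int = MIN_LENGTH) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in SYMBOLS for c in password)
    if not (has_lower and has_upper and has_digit and has_symbol):
        problems.append("missing character class")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("common password")
    # Substring match catches "Summer2023!" as well as the bare word.
    if any(word in lowered for word in DICTIONARY_WORDS):
        problems.append("contains dictionary word")
    return problems


def generate_password(length: int = 20) -> str:
    """Generate a randomized password from all four character classes using a CSPRNG."""
    alphabet = string.ascii_lowercase + string.ascii_uppercase + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Re-draw on the rare occasions a class is missing or a word appears by chance.
        if not check_password(candidate, min_length=length):
            return candidate


if __name__ == "__main__":
    for pw in ("123456", "Summer2023!", generate_password()):
        print(repr(pw), check_password(pw) or "ok")
```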
Best practices for your IT team
- Cap login attempts. Don’t allow more than five incorrect attempts.
- Allow long passwords. Don’t restrict the length or the characters users can use.
- Encrypt passwords so they are hard to decipher even if a hacker gains access.
- #LayerUp by implementing multifactor authentication (MFA) and two-factor authentication (2FA).
- Change an employee’s password after they leave your organization.
- Run password audits to test if your network can withstand common attack types like dictionary or brute force attacks.
- Remind your employees and users of the best practices we shared above.
- Use a strong password manager that encrypts the passwords in your database and alerts you to any dangers.
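The first three IT-team items (a cap of five incorrect attempts, no length restriction, and passwords stored so they are hard to recover) and the leaver item, as an added example that is not the original post's code. It is a hypothetical in-memory credential store: passwords are kept as salted PBKDF2 hashes rather than in a decryptable form, and the 15-minute lockout is an assumption.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

MAX_FAILED_ATTEMPTS = 5          # the page's cap on incorrect attempts
LOCKOUT_SECONDS = 15 * 60        # assumption: how long an account stays locked
PBKDF2_ITERATIONS = 600_000      # high work factor slows offline guessing of a stolen store
DUMMY_SALT = os.urandom(16)      # unknown usernames cost the same time as real ones


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 accepts any input length, so no maximum password length is imposed.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class UserStore:
    """Hypothetical credential store: salted hashes plus per-user lockout state."""

    def __init__(self) -> None:
        self.users = {}

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": hash_password(password, salt),
                                "failed": 0, "locked_until": 0.0}

    def authenticate(self, username: str, password: str, now: Optional[float] = None) -> str:
        """Return 'ok', 'invalid' or 'locked'."""
        now = time.time() if now is None else now
        record = self.users.get(username)
        if record is None:
            hash_password(password, DUMMY_SALT)  # equalize timing; don't reveal the user exists
            return "invalid"
        if now < record["locked_until"]:
            return "locked"
        candidate = hash_password(password, record["salt"])
        if hmac.compare_digest(candidate, record["hash"]):
            record["failed"] = 0
            return "ok"
        record["failed"] += 1
        if record["failed"] >= MAX_FAILED_ATTEMPTS:
            record["failed"] = 0
            record["locked_until"] = now + LOCKOUT_SECONDS
            return "locked"
        return "invalid"

    def revoke(self, username: str) -> None:
        """Leaver offboarding: drop the credential so the old password stops working."""
        self.users.pop(username, None)
```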
#LayerUp on World Password Day
Passwords are only the first line of defense against cyberthreats. If you really want to keep your network and organization safe against ransomware and other threats, you’ve got to add layers of protection by implementing multifactor or two-factor authentication.
Although it’s a relatively easy step to take to increase protection, many organizations have thus far been reluctant to take it.
That’s why the #LayerUp campaign was created for World Password Day. It aims to promote the implementation of multifactor and two-factor authentication.
Multifactor authentication (MFA)
MFA is a method of authentication in which a user has to prove their identity with two or more independent factors rather than just once. The factors that can be used for authentication include:
- Something you know (e.g., password, personal identification number — PIN)
- Something you have (e.g., a recognized device)
- Something you are (e.g., biometric such as fingerprint or facial recognition)
Two-factor authentication (2FA)
2FA is a subset of MFA. It follows the same logic, but with exactly two factors: a user has to verify their identity twice.
Why organizations should #LayerUp
The key benefits of MFA and 2FA are:
- They add an extra layer of security.
- They are better at verifying the identity of the user.
- They meet regulatory requirements.
- They are effective even in remote environments with BYOD policies.
- They are easy to implement.
- They increase the productivity of your IT team by reducing the number of tickets your users and employees raise for securing their accounts and devices.
Factors for authentication
Apart from using their passwords, users could use the following authentication factors to identify themselves.
One-time passwords: Users can receive a unique one-time password on their registered mobile number or email address to validate their login attempt.
Authentication from recognized devices: Users can validate their login attempts from a separate device that’s recognized by the application or service.
USB or electronic device tokens: Users can use a USB key or electronic device to generate a unique code every time they wish to log in to their account or device.
Fingerprint or facial recognition: Users could use their unique physical features like their fingerprint or face to validate their login attempts.
Passwords are a gateway to greater cybersecurity
Although it’s been 10 years since World Password Day was launched, we still aren’t free from the risks posed by hackers.
Passwords are our first line of defense against them. However, they are made vulnerable by bad user practices and efficient attack methods.
Having said that, there are several steps you can take to protect your users and your environment. Educating yourself and your users on password best practices is the first of those steps. Then, it’s important to #LayerUp by implementing multifactor or two-factor authentication.
Our best bet against hackers is a combination of methods. This World Password Day, let’s not skimp on security and use all the tools we have at our disposal to keep all users and organizations safe.
Let’s continue to educate ourselves and those around us on the importance of creating strong passwords and the best practices of password management. The more secure you make the environment, the less convenient it is for end users, so you need to carry them with you on the cybersecurity journey of your organization.