A lot has been said and written about the importance of having a strong password strategy. Unfortunately, it seems that many password strategies need to be revised from the ground up because compromised passwords are responsible for 81 percent of hacking-related breaches, according to the Verizon Data Breach Investigations Report.
One reason why passwords are still responsible for so many cybersecurity incidents is that many organizations rely on outdated advice that has no place in a world where users log in to dozens of different services from their work computers and personal devices alike. Weak passwords and unreasonable password management practices can expose sensitive information to malicious hackers, who won’t think twice before using it for their own selfish gains.
The good news is that closing the password security gap isn’t nearly as difficult as it may seem at first. It simply requires strict adherence to basic principles of password management, which need to be updated on a regular basis to reflect the constantly changing threat landscape.
-
- Passphrases Over Passwords
The National Institute of Standards and Technology (NIST) is responsible for some of the most widely recommended password practices. In the past, the federal agency, whose mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology, recommended random passwords consisting of letters, numbers, and special characters.
Recently, the NIST updated its password guidelines, countering its long-held philosophy that obscure passwords are safer than passwords that are easy to remember.
The updated Special Publication 800-63B on Digital Identity Guidelines recommends long passphrases consisting of multiple words, and it advises against mandatory password resets because they lead to predictable passwords such as “P@ssword” or “!1234abcd!new”.
A passphrase like “2 Black Dogs Looked At Me From Across The Street.” includes letters, numbers, and special characters, is easy to remember, virtually impossible to crack, and extremely difficult to guess. While passphrases do take more time to enter than passwords, this downside can be eliminated with password management software.
-
- Password Management Software
The main selling-point of password management software like LastPass is that it removes the need to remember complex passwords, but it can do far more than that. To start with, password management software can automatically enter saved passwords. This encourages users to let their password ideas run wild and use much longer passwords and, most importantly, passphrases than they would otherwise.
Additionally, password management software can automatically generate unique passwords based on specified password requirements, helping organizations ensure that employees don’t use weak passwords that could be easily brute-forced.
Some password managers can even check online breach databases such as Have I Been Pwned? and alert users before cybercriminals have a chance to exploit the stolen password. These and other features make password management software an excellent addition to any organization’s digital toolbox.
-
- Multi-Factor Authentication (MFA)
Multi-Factor Authentication is an authentication method that requires multiple pieces of evidence during a single authentication event. In practice, the most common form of MFA is the combination of a password and a one-time authentication token. The additional layer of security greatly decreases the chance of an intruder gaining access to critical systems and data, which is why the NIST recommends organizations to use MFA whenever possible.
In Special Publication 800-63B on Digital Identity Guidelines, the NIST warns against the use of SMS for MFA, explaining that this popular means for authenticating users is vulnerable to SIM swap attacks, which involve a malicious transfer of an existing phone number to a new owner. Security experts have also been trying to raise awareness about the security flaws in SS7 networks used by most carriers, some of which could allow an attacker to intercept an SMS authentication token and use it before its intended recipient has a chance to do so.
The NIST instead recommends software-based authenticators such as Duo which safely store authentication tokens in a central location and protect them with state-of-the-art encryption.
Conclusion
Every day, countless user accounts are compromised because the passwords that are supposed to protect them are weak or stored in an insecure manner. That’s because many organizations still rely on outdated password strategies that don’t sufficiently address today’s cybersecurity challenges. In this article, we’ve described three ways organizations can rethink their password strategies to improve their cybersecurity posture and decrease the chance of experiencing a data breach. If you would like to learn more about our cybersecurity solutions, feel free to contact us for more information.