Blog Post: Password Security – Best Practices

As many employees continue to work remotely, password security has never been more crucial: the threat surface expands, and with it the number of vulnerabilities.

The increase in cyberattacks is a concerning statistic that all organisations must be mindful of, and a large share of those attacks have been enabled by breached login credentials.

IT Governance report 20,995,371 breached records in March, across 151 recorded incidents.

Cybercriminals use automated tools and databases of leaked credentials to work out which passwords are likely to grant access to your password-protected accounts.

Password data breaches have been widely reported at several large, popular online services, such as LinkedIn, Facebook and eBay, among many others. It has also been widely documented that some popular online services have had millions of user records leaked, and every password used on those services will have been compromised in the leaked records.

However, smaller businesses are hacked on a more regular basis, often because organisations of this size tend not to put security measures in place, with many taking the view that “it won’t happen to us”. Unfortunately, in these scenarios it is often a breach that causes the change in mindset, with tighter security measures being implemented post-attack instead of having the protection in place beforehand.

But how can you maximise your organisation’s password security to avoid becoming a victim of such cyberattacks? Read more for our best practices that will help improve the password security measures in your organisation.

Use a Password Management Solution

If you are using different passwords for different login platforms (which is highly recommended), it is unlikely you will be able to reliably recall each one, especially as strong passwords are longer than eight characters and hard to guess, so you will need to note them down. Worryingly, people commonly do this in a Word document or an Excel spreadsheet, or, more commonly still, simply write them on a Post-it note!

Using a trusted password manager such as Thycotic’s Password Management Software (Secret Server), LastPass, KeePass or another product is easier to manage and a far more secure way to store your passwords.

Thycotic’s Secret Server tool, for example, not only lets you store your business passwords securely, it also lets users save their personal password details in private folders that only they can access, while other folders can be approved for access by specific teams or colleagues.

It also lets users generate and save complex passwords, and can launch the login page directly from Secret Server. No more guessing which password you used, and no more repeated incorrect attempts or password resets caused by mistyped passwords.

Password security doesn’t have to be difficult, time-consuming or over budget. Securing the core of your organisation with password management software is a simple and effective way of bolstering your internal security measures, strengthening both business password usage and individual user passwords.

Do Not Reuse Or Recycle Passwords

Many people are tempted to reuse and recycle their passwords across different sites, but this means that if one of those sites is breached, the attackers can easily gain access to every other account where you have used the same username and password combination.

A common user error is to make only minor changes to an existing password, such as changing a single number at the end: golfBuggy;1, golfBuggy;2 and so on. Unfortunately, if an attacker gains access to one of your accounts or to an earlier password, they will likely have visibility of your previously used passwords and will quickly work out any password sequence, making it highly likely that they can derive your current credentials, and future ones, if you do not break the sequence.

Attackers can perform “credential stuffing”, in which they use software or a bot to automatically log into many user accounts in parallel, often from a range of different IP addresses. They test every username and password combination from a breached database to find the ones that also work on another website.

According to the Verizon 2020 Data Breach Investigations Report, 80% of hacking breaches in 2019 were caused by stolen or brute-forced credentials. A brute force attack is when cybercriminals guess your login credentials by trial and error.
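From the defender’s side, the two attack patterns just described leave distinct fingerprints in authentication logs: credential stuffing shows one source trying many different usernames roughly once each, while brute force shows many failures against a single account. The following Python script is an added example, not code from the original post or from any product it mentions; the log format and every IP, username and timestamp in it are constructed for the example. It also lists accounts that logged in successfully during a stuffing burst, because those passwords were evidently in the breached list and need changing.

```python
"""Detect credential stuffing and brute-force patterns in authentication logs."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): timestamp, source IP, username, outcome.
# 203.0.113.10 replays a breached list (one try per account, six accounts in six seconds);
# 198.51.100.7 hammers a single account; 192.0.2.5 is a normal login.
SAMPLE_LOG = """\
2021-03-01T09:00:01 203.0.113.10 alice FAIL
2021-03-01T09:00:02 203.0.113.10 bob FAIL
2021-03-01T09:00:03 203.0.113.10 carol FAIL
2021-03-01T09:00:04 203.0.113.10 dave FAIL
2021-03-01T09:00:05 203.0.113.10 erin SUCCESS
2021-03-01T09:00:06 203.0.113.10 frank FAIL
2021-03-01T09:05:00 198.51.100.7 alice FAIL
2021-03-01T09:05:20 198.51.100.7 alice FAIL
2021-03-01T09:05:40 198.51.100.7 alice FAIL
2021-03-01T09:06:00 198.51.100.7 alice FAIL
2021-03-01T09:06:20 198.51.100.7 alice FAIL
2021-03-01T09:06:40 198.51.100.7 alice FAIL
2021-03-01T10:00:00 192.0.2.5 bob SUCCESS
"""


@dataclass
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the constructed four-field format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append(Event(datetime.fromisoformat(ts), ip, user, outcome == "SUCCESS"))
    return events


def detect(events, window=timedelta(minutes=5), stuffing_users=5, brute_attempts=5):
    """Return three alert lists.

    credential_stuffing: IPs that try >= stuffing_users *different* usernames within `window`
                         (a breached list being replayed, one attempt per account).
    brute_force:         (ip, user) pairs with >= brute_attempts failures against one account.
    likely_compromised:  users who logged in successfully from a stuffing IP; their password
                         was evidently in the breached list and must be changed.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.ip].append(e)

    alerts = {"credential_stuffing": [], "brute_force": [], "likely_compromised": []}
    for ip, evs in by_ip.items():
        # Sliding window over this IP's attempts, counting distinct usernames.
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e.ts - start.ts <= window]
            if len({e.user for e in in_window}) >= stuffing_users:
                alerts["credential_stuffing"].append(ip)
                alerts["likely_compromised"].extend(e.user for e in evs if e.ok)
                break
        # Repeated failures against the same account from this IP.
        failures = defaultdict(int)
        for e in evs:
            if not e.ok:
                failures[e.user] += 1
        for user, n in failures.items():
            if n >= brute_attempts:
                alerts["brute_force"].append((ip, user))
    return alerts


if __name__ == "__main__":
    for kind, hits in detect(parse_log(SAMPLE_LOG)).items():
        print(f"{kind}: {hits}")
```

The thresholds are deliberately conservative for a small sample; in production they are tuned per service, and stuffing from a rotating pool of addresses is caught by aggregating the same statistic per user-agent or ASN rather than per IP.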

Using a unique password for each site, service or item cuts the risk of your accounts being compromised across different sites. Although this makes the different passwords harder to remember, it is the most effective way to avoid multiple breaches, and a password management tool such as Secret Server removes the burden of remembering them.

Use Two Factor Authentication (2FA) or Multi-Factor Authentication (MFA)

Using Multi-Factor Authentication is one of the most secure and effective ways of providing additional protection to your password-protected account. This process involves having additional factors to log in, meaning that users must present two or more different methods in order to prove their identity.

These multiple types of authentication can include:

  • Knowledge: Information that only the user knows, such as a password, PIN or unique identifier.
  • Possession: Something that only the user has, such as a security token or USB key, or a mobile phone to which an access code is sent on the contact number associated with the account.
  • Inherence: Something only the user is, which includes biometric data such as facial recognition, voice recognition or fingerprint scanning.
  • Location: Somewhere the user is. This is usually applied in adaptive MFA, where checks are made based on the user’s location, for example granting access only from a company site or an approved network location.

Multi-Factor Authentication prevents more than 96% of bulk phishing attempts, and more than 76% of targeted attacks, Google reports.

MFA offers an extra layer of security and is especially effective for remote working, which has been a popular gateway for cyberattacks, having opened a whole new set of vulnerabilities for cybercriminals to exploit. Adaptive multi-factor authentication solutions also take into account the risk of where the access request comes from, analysing the user’s location and device before allowing access.

Whilst text messaging (SMS) 2FA has become a popular and widely used method for multi-factor authentication, there are other more cost-effective and secure options than SMS-based two-factor authentication, such as traditional MFA security keys or third-party authenticators.

Security keys such as YubiKey by Yubico or Google Titan offer a strong form of protection when it comes to the logging in process and will maximise your organisation’s password security.

Third-party authenticator applications, such as Microsoft Authenticator, Google Authenticator and Authy, provide two-factor authentication in another way: they display a randomly generated code that is refreshed frequently, which the user enters instead of receiving an SMS or using an alternative method. The main advantage of these apps is that they typically continue to work even without an internet connection.
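The “frequently refreshed code” these apps display is a time-based one-time password (TOTP, RFC 6238): an HMAC over the current 30-second time step, keyed with a secret shared at enrolment, which is why the phone needs no network connection. The script below is an added example written for this post, not code from any of the apps named above; it implements the RFC 6238 algorithm, checks it against the RFC’s published test vectors, and shows the verifier-side details that matter for security: tolerating small clock drift, comparing in constant time, and refusing to accept the same time step twice so an intercepted code cannot be replayed.

```python
"""TOTP (RFC 6238) as implemented by authenticator apps, with a replay-resistant verifier."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter taken from Unix time // step.
    It depends only on the shared secret and the clock, so the phone needs no network."""
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at, step=30, digits=6, skew=1, last_used=None):
    """Return the time-step counter the code matched, or None if it is rejected.

    Accepts the current step and +/-skew neighbours to tolerate clock drift, compares in
    constant time, and refuses any counter <= last_used so an intercepted code cannot be
    replayed within its validity window. The caller stores the returned counter.
    """
    counter = at // step
    for c in range(counter - skew, counter + skew + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            if last_used is not None and c <= last_used:
                return None
            return c
    return None


def secret_from_base32(b32: str) -> bytes:
    """Secrets are provisioned to the app as base32 text (usually inside a QR code)."""
    b32 = b32.strip().replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


RFC_TEST_SECRET = b"12345678901234567890"  # the ASCII test key from RFC 4226 / RFC 6238

if __name__ == "__main__":
    print("code for the current 30-second step:", totp(RFC_TEST_SECRET, int(time.time())))
```

Note that the shared secret is the whole security of the scheme: it must be stored server-side with the same care as a password hash, and an enrolment QR code is as sensitive as the secret itself.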

Creating a Complex Password

Choosing the right type of password is one of the biggest challenges for technology users. Using a weak password will expose you to a far greater risk of your accounts being compromised, which can lead to severe consequences. That’s why it’s important to get creative and complex with your passwords.

TechRepublic reports that among the 200 most commonly used passwords in 2020, more than 2.5 million people used “123456” as their password, and it was exposed more than 23 million times in data breaches.

It is commonly reported that, on average, it takes a hacker just a couple of seconds to crack an 11-character password containing only numbers. With both upper- and lower-case letters, however, the time taken to crack a 7-character password increased to just a minute.

If you’re using a password manager, it can generate a strong, essentially random password and store it for you, and this will be highly unlikely to be guessed.

If you’d rather create your own password, avoid common words and character combinations. Also avoid obvious passwords such as your name, nickname or parents’ names, or anything associated with you that someone could find on social media. A longer password of 11 characters or more, mixing upper- and lower-case letters, numbers and special characters, is strongly recommended.

If your password is at least 11 characters and uses upper and lowercase letters and numbers, it is estimated that it would take a hacker 41 years to crack!

If you need something memorable (because you are not using a password generator or password management tool), combining three or four completely random words with special characters will improve your password security.
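The rules in this section (length of 11 or more, several character classes, no common or personal terms, and generator-style random passwords or random-word passphrases as the alternatives) can be enforced in code. The script below is an added example written for this post, not a password manager’s own checker; the tiny common-password set and sixteen-word list are constructed stand-ins for the full lists a real deployment would use, and the entropy figure it reports is an upper bound that only holds for generator output, not for strings a person chose.

```python
"""Password policy check and generation for the guidance above (added example)."""
import math
import secrets
import string

# Constructed stand-in for a breached/common password list; a real deployment checks a full
# list (or a k-anonymity lookup service) rather than five entries.
COMMON_PASSWORDS = {"123456", "123456789", "password", "qwerty", "12345678"}

# Constructed mini word list. A real passphrase generator needs thousands of words
# (a diceware-style list) for the random-word method to have enough entropy.
WORDLIST = ["anchor", "biscuit", "cobalt", "dolphin", "ember", "fossil", "glacier", "harbour",
            "ivory", "juniper", "kestrel", "lantern", "marble", "nectar", "orbit", "pumice"]

SYMBOLS = string.punctuation


def char_classes(pw):
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in SYMBOLS for c in pw),
    }


def entropy_bits(pw):
    """Entropy if the password were drawn uniformly from the character classes it uses.

    This is an upper bound: it holds for generator output, not for human-chosen strings,
    which is why the policy also checks common passwords and personal terms.
    """
    cls = char_classes(pw)
    space = 26 * cls["lower"] + 26 * cls["upper"] + 10 * cls["digit"] + len(SYMBOLS) * cls["symbol"]
    return len(pw) * math.log2(space) if space else 0.0


def check_password(pw, personal_terms=(), min_length=11, min_classes=3):
    """Return a list of policy failures; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common/breached password list")
    if sum(char_classes(pw).values()) < min_classes:
        problems.append(f"uses fewer than {min_classes} character classes")
    for term in personal_terms:
        if term and term.lower() in pw.lower():
            problems.append(f"contains personal term '{term}'")
    return problems


def generate_random_password(length=16):
    """Generator-style password: uniformly random characters, retried until it passes policy."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw):
            return pw


def generate_passphrase(words=4, separator="-"):
    """Memorable alternative: three or four random words joined by a symbol."""
    return separator.join(secrets.choice(WORDLIST) for _ in range(words))


if __name__ == "__main__":
    for candidate in ("123456", "golfBuggy;1", generate_random_password(), generate_passphrase()):
        print(f"{candidate!r}: {check_password(candidate, personal_terms=('golf',)) or 'OK'}"
              f" ({entropy_bits(candidate):.0f} bits if random)")
```

The `secrets` module is used rather than `random` because the latter is not a cryptographic generator; and the personal-terms check is the part a password manager cannot do for you, since only the organisation knows which words are tied to a given user.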

Don’t Enforce Regular Password Changing

Many organisations enforce regular password expiry because that was the advice in the past. This guidance is now outdated, and regular forced changes appear to do more harm than good. Many systems still force users to change their passwords on expiry, typically every 30, 60 or 90 days.

It is well known that when users are forced to change their passwords regularly, they tend to make only minor variations on the previous one, for example ‘golfbuggy13’ becoming ‘golfbuggy136’. The problem is that if the previous password was compromised, the cybercriminal can derive the newly changed password from the same compromised database, or simply guess it.

A forced reset also does nothing to reveal whether the password has already been compromised, and if an attacker already has access, they will most likely receive the request to update the password too.
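If a system does require a change, the one check worth having is that the new password is not a trivial variation on the old one. The script below is an added example written for this post, not a feature of any product it names; it normalises away the tweaks people actually make under forced rotation (case, a digit or symbol changed at the end, letter-for-symbol swaps such as 0 for o) and also rejects near-identical strings. It runs at change time, when the user has just typed the current password in plaintext; earlier passwords exist only as hashes, so a history check against those is limited to exact-match comparison.

```python
"""Reject a new password that is only a minor variation of the previous one (added example)."""
import re
from difflib import SequenceMatcher

# Undo the usual letter-for-symbol substitutions: @->a  $->s  0->o  !->i  3->e  1->l
LEET = str.maketrans("@$0!31", "asoiel")


def core(pw):
    """Normalise away rotation tweaks: case, digits/symbols at either end, and leet swaps.

    'golfbuggy13', 'golfbuggy136', 'golfBuggy;2' and 'g0lfBuggy!' all reduce to 'golfbuggy'.
    """
    s = pw.lower()
    s = re.sub(r"[^a-z]+$", "", s)   # drop the changed digit or symbol at the end
    s = re.sub(r"^[^a-z]+", "", s)   # and at the start
    return s.translate(LEET)


def too_similar(new, old, threshold=0.8):
    """Flag the change if the normalised cores match or the raw strings are >= threshold alike."""
    if core(new) and core(new) == core(old):
        return True
    return SequenceMatcher(None, new.lower(), old.lower()).ratio() >= threshold


def check_history(new, history):
    """Return the earlier password the new one is too close to, or None if the change is fine.

    `history` holds the plaintext values available at change time (in practice the current
    password the user has just re-entered); stored history stays hashed.
    """
    for old in history:
        if too_similar(new, old):
            return old
    return None


if __name__ == "__main__":
    for candidate in ("golfbuggy136", "golfBuggy;2", "g0lfBuggy!", "anchor-kestrel-orbit-pumice"):
        clash = check_history(candidate, ["golfbuggy13"])
        print(f"{candidate!r}: {'rejected, too close to ' + repr(clash) if clash else 'accepted'}")
```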

Instead of forcing expiry, the National Security Centre recommends alternatives that improve your security, including:

  • Ensure a thorough process is in place regarding leaving or moving employees
  • Automatically lock out any inactive accounts
  • Monitor logins to identify suspicious behaviour, including unusual activity, unusual login times and any new devices attempting to log in
  • Encourage staff to report any suspicious activities
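Two of the items above, locking inactive accounts and watching for new devices and unusual login times, can be implemented directly from a successful-login log. The following script is an added example written for this post, not code from any product named on the page; the usernames, device fingerprints, timestamps and the fixed “current time” are constructed so the example is deterministic. The first device seen for each user is taken as that user’s baseline, after which any unfamiliar device or out-of-hours login raises an alert, and accounts unused for longer than the inactivity limit are listed for locking.

```python
"""Flag suspicious logins and inactive accounts, following the list above (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of successful logins: timestamp, user, device fingerprint.
# alice normally uses dev-a1 in office hours; mallory has not logged in for weeks.
LOGINS = """\
2021-03-01T08:55:00 alice dev-a1
2021-03-02T09:02:00 alice dev-a1
2021-03-03T03:14:00 alice dev-zz
2021-03-03T09:10:00 bob dev-b1
2021-01-10T09:00:00 mallory dev-m1
"""
NOW = datetime(2021, 3, 4, 9, 0, 0)  # constructed "current time" so the example is deterministic


@dataclass
class Login:
    ts: datetime
    user: str
    device: str


def parse_logins(text):
    out = []
    for line in text.splitlines():
        if line.strip():
            ts, user, device = line.split()
            out.append(Login(datetime.fromisoformat(ts), user, device))
    return out


def review(logins, now=NOW, work_hours=(7, 20), inactive_after=timedelta(days=45)):
    """Return (alerts, accounts_to_lock).

    alerts: (user, reason, detail) for logins from a device not previously seen for that
            user and for logins outside work_hours. The first device per user is the baseline.
    accounts_to_lock: users whose most recent login is older than inactive_after.
    """
    seen_devices = defaultdict(set)
    last_seen = {}
    alerts = []
    for lg in sorted(logins, key=lambda l: l.ts):
        if seen_devices[lg.user] and lg.device not in seen_devices[lg.user]:
            alerts.append((lg.user, "new device", lg.device))
        seen_devices[lg.user].add(lg.device)
        if not (work_hours[0] <= lg.ts.hour < work_hours[1]):
            alerts.append((lg.user, "out of hours", lg.ts.isoformat()))
        last_seen[lg.user] = lg.ts  # ascending order, so this ends as the latest login
    to_lock = sorted(u for u, t in last_seen.items() if now - t > inactive_after)
    return alerts, to_lock


if __name__ == "__main__":
    alerts, to_lock = review(parse_logins(LOGINS))
    for alert in alerts:
        print("ALERT", alert)
    print("lock inactive accounts:", to_lock)
```

The same two signals, unfamiliar device and odd hour together, are what an adaptive MFA product uses to decide to step up authentication rather than just alert; a combined alert for one user is a good trigger for the “report suspicious activity” conversation the list asks staff to have.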

That said, it is critical that all users change their passwords as soon as they know or suspect they have been compromised.

Updated Staff Training on Cyber Security / Password Security

As the threat landscape changes with advances in technology and new ways of working, it is especially important to keep your staff up to date with the latest password security practices, so they understand what they need to do to protect themselves and your organisation from attackers.

By implementing stronger password policies for your staff, giving them the tools with which to manage their passwords securely, and educating employees about the dangers of weak security and hacking attempts, including the rise in phishing attacks, your overall security will be far stronger.

At Krome, we offer effective services and solutions that can help prevent your organisation from falling victim to the growing risk of cyberattacks.

How strong is your company’s cybersecurity?

How confident are you in your organisation’s cybersecurity measures? Does your organisation need a stronger Password Security Policy? Could you benefit from an independent cybersecurity review?

Contact us using the form below to find out more about how we can help your organisation avoid falling victim to cyberattacks and their devastating consequences.
