Password Security: Managing the Threat of Passwords in Organizations
It seems as though not a single day goes by without a news article or social media post revealing that an organization has experienced a data breach, putting the business, its customers, and partners at risk. While hacking may well be one of the common causes of a data breach, it is often weak, shared, or lost passwords that are the vulnerabilities being exploited by bad actors.
According to the 2021 Verizon Data Breach Investigations Report, compromised credentials, such as passwords, are responsible for over 80 percent of hacking-related breaches. Clearly, a crucial part of overall information security is securing your users’ passwords. While there may be standard password security protocols that seem easy to implement, many password security practices are ambiguous, ineffective, and out of date.
The National Institute of Standards and Technology (NIST) and other agencies have substantially changed their recommendations for strong password policies. The NIST password guidelines, NIST Special Publication 800-63B, are part of NIST’s Digital Identity Guidelines. First published in 2017, they were updated in 2020.
Although these guidelines were written to establish best practices for federal agencies, the password recommendations are well researched and evaluated, so they apply well beyond federal agencies. The latest statistics show that optimizing password protection has become more important than ever, and it is just as critical to follow password best practices outside the workplace as inside it.
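As an added illustration of what the SP 800-63B rules for user-chosen passwords look like when enforced by a verifier, the following Python example (written for this article; it is not code from NIST or from Servcom USA) checks a candidate password the way the guideline describes: a minimum of 8 characters, no composition rules, Unicode normalization, and rejection when the value appears on a compromised-password list, contains context-specific words such as the username or service name, or is made of repeated or sequential characters. The blocklist, the 256-character sanity cap, and all usernames and service names are constructed for the demo.

```python
import unicodedata

# Constructed stand-in for a real compromised/common-password feed.
BLOCKLIST = {"password", "123456", "qwerty123", "letmein", "welcome1", "iloveyou"}

MIN_LENGTH = 8     # SP 800-63B: at least 8 characters when chosen by the user
MAX_LENGTH = 256   # Constructed sanity cap to bound hashing cost; SP 800-63B
                   # requires that at least 64 characters be permitted.


def normalize(password: str) -> str:
    """Apply Unicode NFKC so visually identical inputs compare equally."""
    return unicodedata.normalize("NFKC", password)


def has_repetition(pw: str, run: int = 4) -> bool:
    """True if any character repeats `run` or more times in a row (e.g. 'aaaa')."""
    count = 1
    for prev, cur in zip(pw, pw[1:]):
        count = count + 1 if cur == prev else 1
        if count >= run:
            return True
    return False


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if `run` or more consecutive code points step by +1 or -1 ('abcd', '4321')."""
    for i in range(len(pw) - run + 1):
        window = [ord(c) for c in pw[i:i + run]]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def evaluate_password(candidate: str, username: str, service: str,
                      blocklist=BLOCKLIST) -> list:
    """Return a list of reasons the password is unacceptable; empty means OK.

    Deliberately no composition rules (upper/lower/digit/symbol): SP 800-63B
    recommends length plus blocklisting instead of character-class demands.
    """
    pw = normalize(candidate)
    lowered = pw.lower()
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if len(pw) > MAX_LENGTH:
        problems.append("too long")
    if lowered in blocklist:
        problems.append("on compromised/common list")
    for word in (username, service):
        if word and word.lower() in lowered:
            problems.append("contains context-specific word")
            break
    if has_repetition(pw):
        problems.append("repeated characters")
    if has_sequence(pw):
        problems.append("sequential characters")
    return problems


if __name__ == "__main__":
    for pw in ("password", "alice2021!", "correct horse battery staple", "aaaa1234"):
        print(repr(pw), "->", evaluate_password(pw, "alice", "acme") or "accepted")
```

Note that a long passphrase with spaces passes untouched, because length and blocklist membership, not character classes, decide acceptance; in a real deployment the blocklist would be a breached-password corpus and the comparison would be done against its hashes rather than a plaintext set.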
To keep your organization from becoming the next organization that makes headlines, it’s crucial to understand the common causes of data breaches and other authentication-based attacks, as well as the actions you can take within your organization to reduce the risks.
Reusing Passwords on Multiple Websites and Online Services
The Problem: Your password controls access to your private (or company) data for cloud or online services, such as email, social media, even banking. The biggest risk to your privacy and security is that you will reuse a password between two websites. If the password gets leaked from one website, both accounts can be compromised easily. The more places you reuse the same password, the more places you are vulnerable to being compromised.
Recommendation: Use a password manager to generate unique, complex passwords. Password manager software does all this for you, so you don’t have to worry about or even type in the complex password. Enable 2-factor authentication for any service that lets you. Adding a second login factor makes it much more difficult for someone else to get into your account if they only have your password.
We recommend avoiding using SMS or text message-based codes, as these are no longer as secure as they used to be. Use an app such as Microsoft Authenticator or Google Authenticator to generate one-time use codes for logins. If you are using a password manager and multi-factor logins, you don’t need to change your passwords unless the website requires it, or you think your account has been compromised.
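To show what the authenticator-app codes recommended above actually are, here is an added Python example (written for this article; not code from Microsoft, Google or Servcom USA) that implements the HOTP/TOTP algorithms those apps use (RFC 4226 and RFC 6238: HMAC-SHA1 over a 30-second time counter, dynamically truncated to six digits) together with the verifier-side checks a service should perform: constant-time comparison, a small clock-drift window, and a replay guard so an already-accepted code cannot be used twice. The secret is the RFC test key, and the `TotpVerifier` class and its method names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time

# The RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"), used here
# as a constructed demo key; real seeds are random bytes shown to the user as Base32.
TEST_SECRET = b"12345678901234567890"


def secret_from_base32(encoded: str) -> bytes:
    """Decode the Base32 seed an authenticator app scans (spaces/padding tolerated)."""
    s = encoded.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter) with dynamic truncation to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time / step."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Server-side check with drift window and replay protection (constructed API)."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self._used_counters = set()   # counters whose code has already been accepted

    def verify(self, code: str, at_time=None) -> bool:
        if at_time is None:
            at_time = time.time()
        counter = int(at_time) // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c in self._used_counters:
                continue  # replay guard: each time-step code is good once
            expected = hotp(self.secret, c, self.digits)
            if hmac.compare_digest(expected, code):
                self._used_counters.add(c)
                return True
        return False


if __name__ == "__main__":
    print("code at t=59:", totp(TEST_SECRET, 59))          # 287082 per RFC 6238
    v = TotpVerifier(TEST_SECRET)
    print("first use:", v.verify("287082", 59), "replay:", v.verify("287082", 59))
```

The window of one step either side tolerates phone clock drift of up to 30 seconds; widening it makes guessing and replay easier, so keep it small and persist the used-counter set per user if the service runs on more than one server.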
Weak, Stolen, and Shared Credentials Being Compromised
The Problem: Unlike a cloud service, for networks that run internally on business-owned equipment, the risk is not that your password will make its way to the dark web for hackers to use or sell. Instead, the greater risks still come from inside your organization.
While your employees may feel that sharing passwords is harmless, and that they are only doing it to make their lives easier, password sharing actually puts your organization, employees, and customers at risk. Sharing may be caring, but not when it’s your password.
Aside from employees creating weak credentials and sharing passwords, another common problem is employees still having access to confidential and sensitive information after they have left the organization. What is the recommendation? Since the risks are different, the recommendations are also different.
Recommendation: Use a password manager to generate unique, complex passwords. Password manager software does all this for you, so you don’t have to worry about or even type in the complex password. If possible, provide your employees with a password manager for their work accounts: a manager provided by the organization simplifies central control and makes it easier to revoke access when an employee leaves.
Multi-factor authentication (MFA) or 2-factor authentication (2FA) will not always be available for internal and legacy systems. Because these options are not always available, it is critical to assign your employees only as much access to systems as they need to be efficient and productive in their jobs. We recommend reviewing this periodically (at least annually) to make sure employees have appropriate access to systems and applications.
Password rotation should be implemented across all accounts, systems, applications, services, etc. on non-cloud systems. Password rotation ensures that passwords will not be shared widely and sets an upper limit on the amount of time any password might be accessible to a former employee. This additional step can help reduce any chance of a former employee re-entering your system and accounts, and this will be effective even if something slips through the cracks and gets past HR.
The specific time frame varies depending on your organization’s industry. For instance, healthcare and critical infrastructure generally require frequent password changes. For non-regulated industries, computer and application passwords should be on a 6-12 month rotation. Studies show that rotating passwords too frequently results in users creating less secure passwords. Also note: if your organization has a high employee turnover rate, it may be necessary to rotate passwords more frequently than recommended.
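The access review and rotation policy described above can be turned into a repeatable audit. The following Python example is added for this article (it is not a Servcom USA tool) and runs three checks over a constructed account inventory and HR roster: enabled accounts whose owner no longer appears on the active-employee list, enabled accounts whose password is older than the rotation limit, and accounts holding groups beyond what their owner's role is entitled to. The `Account` record, the role-to-group table, the 180-day limit, and every username and employee ID are assumptions made up for the demo; a real run would pull the same fields from the directory and the HR system.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: str              # employee ID from the HR system
    enabled: bool
    last_password_change: date
    groups: frozenset          # group memberships granting access


# Constructed least-privilege baseline: which groups each role is entitled to.
ROLE_ENTITLEMENTS = {
    "helpdesk": frozenset({"helpdesk-tools", "vpn"}),
    "finance": frozenset({"finance-erp", "vpn"}),
}

# Constructed HR roster: only employees still with the company appear here.
ACTIVE_EMPLOYEES = {"e100": "helpdesk", "e200": "finance"}

TODAY = date(2021, 6, 1)          # fixed so the demo is deterministic
MAX_PASSWORD_AGE_DAYS = 180       # lower end of the 6-12 month range in the text

# Constructed directory export.
ACCOUNTS = [
    Account("alice", "e100", True, TODAY - timedelta(days=30), frozenset({"helpdesk-tools", "vpn"})),
    Account("bob", "e200", True, TODAY - timedelta(days=400), frozenset({"finance-erp", "vpn"})),
    Account("carol", "e300", True, TODAY - timedelta(days=10), frozenset({"vpn"})),
    Account("dave", "e100", True, TODAY - timedelta(days=5), frozenset({"helpdesk-tools", "domain-admins"})),
    Account("erin", "e400", False, TODAY - timedelta(days=500), frozenset({"vpn"})),
]


def orphaned_accounts(accounts, active_employees) -> list:
    """Enabled accounts whose owner has left: the 'slipped past HR' case."""
    return sorted(a.username for a in accounts
                  if a.enabled and a.owner_id not in active_employees)


def stale_passwords(accounts, today, max_age_days) -> list:
    """Enabled accounts whose password is older than the rotation limit."""
    return sorted(a.username for a in accounts
                  if a.enabled and (today - a.last_password_change).days > max_age_days)


def excess_privilege(accounts, active_employees, entitlements) -> dict:
    """Enabled accounts holding groups beyond their owner's role entitlement."""
    findings = {}
    for a in accounts:
        role = active_employees.get(a.owner_id)
        if not a.enabled or role is None:
            continue  # disabled or orphaned accounts are reported elsewhere
        extra = a.groups - entitlements.get(role, frozenset())
        if extra:
            findings[a.username] = sorted(extra)
    return findings


def access_review(accounts, active_employees, entitlements, today, max_age_days) -> dict:
    """Bundle the three checks into one report for the periodic review."""
    return {
        "orphaned": orphaned_accounts(accounts, active_employees),
        "stale_password": stale_passwords(accounts, today, max_age_days),
        "excess_privilege": excess_privilege(accounts, active_employees, entitlements),
    }


if __name__ == "__main__":
    for finding, items in access_review(ACCOUNTS, ACTIVE_EMPLOYEES, ROLE_ENTITLEMENTS,
                                        TODAY, MAX_PASSWORD_AGE_DAYS).items():
        print(f"{finding}: {items}")
```

Disabled accounts such as erin are skipped on purpose: the findings are meant to drive action (disable, reset, remove group), and an already-disabled account needs none, though it can still be reported separately for cleanup.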
Password security begins with the creation of that password. However, it’s not just the responsibility of users to ensure passwords are adequate. It is also up to the leaders in the organization to ensure that passwords are strong enough. Passwords, cybersecurity, and user experience often clash with each other. Strong password security is rooted in a user experience in which the secure choice is built in and easy to make.
Many of your users will always do what makes things easier for them. Unfortunately, many users will continue to do so even when they know that type of behavior compromises their password security. Once your workplace creates the type of user experience that encourages safe behavior, it helps your organization keep everyone’s data secure.
Enforcing strong and effective password policies is an effective way to enhance security, and your organization should invest more time and resources into your password practices, ensuring everyone follows strict password protocols. There are various ways you can implement better password policies, such as enforcing strict password requirements, using tools to securely store data, using encryption, and as always, consulting your IT team to review the best practices for your employees’ passwords.
Servcom USA uses advanced tools and resources that can uncover and prevent vulnerabilities, protecting your organization against data breaches and other authentication-based attacks. Contact us today for more information.