Despite the growth of passwordless authentication methods, such as biometrics and single sign-on, traditional usernames and passwords remain the primary means of protecting data. Cyber-criminals are certainly aware of this: Verizon’s 2017 Data Breach Investigations Report, the source of the widely quoted figure, found that 81% of hacking-related breaches leveraged stolen or weak passwords.
Yet, poor password practices, such as easily guessable words and reuse, are a problem that never seems to improve. Neil Jones, director of cybersecurity evangelism at Egnyte, commented: “For as long as I can remember, easily-guessed passwords such as 123456, qwerty and password have dominated the global listing of most commonly-used passwords. Unfortunately, weak passwords can become a literal playground for cyber-attackers, particularly when they gain access to your organization’s remote access solution and can view corporate users’ ID details.”
For organizations that are collecting and holding more data than ever before, taking steps to substantially reduce the ability of malicious actors to compromise their accounts is arguably the most critical component of their cybersecurity strategy. For this year’s World Password Day, Infosecurity has compiled a list of actions organizations should take to improve their employees’ password security practices.
1) Help Employees Understand the Importance of Password Security
A crucial component of improving adherence to password policies is educating employees on the potentially dire consequences of not doing so to themselves and their company. Hank Schless, senior manager, security solutions, at Lookout, said: “The best thing to do aside from sharing the astronomically high number of passwords compromised every year is to make people understand the value of the data that these passwords are supposed to protect. Strong passwords can be the difference between an attacker gaining access to your bank account information, government identification and more if they’re unable to breach your account.”
Egnyte’s Jones concurred, advising: “Educate your users that frequently-guessed passwords such as 123456, password and their favorite pets’ names can put your company’s data and personal reputations at risk.”
2) Educate Users on How Credential Compromise Can Occur
Reinforcing the various ways login credentials are compromised can also substantially reduce the chances of organizations being breached in this manner. The most common of these are social engineering campaigns, such as phishing, that try to lure users into voluntarily revealing their username and password. “Remind users that unanticipated email messages, texts and phone calls can be attempts to capture their login and password credentials,” advised Jones.
In addition, employees should never share their login credentials with anyone, including internal IT staff, nor leave them exposed, for example by writing them on post-it notes or saying them aloud. Jones observed: “Users should never provide business login credentials (such as their email addresses) in public forums, particularly within earshot of others.”
3) Establish Policies to Prevent Password Reuse
A basic step IT teams should take is to stop the same password being used across accounts or recycled after a change: enforce a password history so that a changed password cannot be set back to a previous one, and avoid forcing rotation on a fixed schedule, which current NCSC and NIST guidance advises against because it pushes users toward predictable variants of the same password. Cian Heasley, a security consultant at Adarma, explained: “The rule of thumb when it comes to passwords is that you should never reuse them. Reusing passwords is a massive red flag and can leave users’ accounts susceptible to being compromised.”
It is particularly critical that measures are established to prevent already compromised passwords from being used. Darren James, head of internal IT/product specialist at Specops, advised investing in tools that check whether a user’s password has appeared in a previous breach: “Don’t reuse the same password as these can be uncovered in a breach. With the right tools, IT teams can automatically locate any stolen credentials and automatically block weak passwords,” he said.
Egnyte’s Jones also pointed out a way of blunting the automated techniques cyber-criminals use to crack employees’ account credentials. “Prevent brute force password attacks by immediately disabling users’ access after multiple failed login attempts,” he commented. One caveat practitioners should weigh: a hard lockout after a fixed number of failures lets an attacker deliberately lock legitimate users out, so lockout thresholds are often paired with progressive delays or rate limiting rather than an immediate, indefinite block.
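The checks described in this section (no reuse of a user’s previous passwords, a blocklist of common passwords, a lookup against a breach corpus, and throttling of failed logins) as one added example in Python. This is illustrative code written for this page, not code from Infosecurity or from Specops, Egnyte or Adarma. The breach corpus is a constructed in-memory dictionary standing in for a k-anonymity range API such as Pwned Passwords, which is queried with only the first five hex characters of the password’s SHA-1 hash and returns every suffix sharing that prefix; the breach counts, blocklist and PBKDF2 work factor are assumptions chosen so the example runs offline.

```python
"""Password-acceptance checks: history (no reuse), common-password blocklist,
breach-corpus lookup via a k-anonymity range query, and a progressive login
delay as an alternative to hard lockout.  Added example, not code from the
article or from Specops/Egnyte/Adarma.  The breach corpus is a constructed
in-memory dict standing in for a range API such as Pwned Passwords, which is
queried with the first five hex characters of the SHA-1 hash and returns every
suffix sharing that prefix, so the full hash never leaves the client."""
import hashlib
import hmac
import secrets

# Constructed blocklist (the passwords the article names plus two variants).
COMMON_PASSWORDS = {"123456", "qwerty", "password", "password1", "letmein"}

PBKDF2_ROUNDS = 100_000  # assumption: a modest work factor so the example runs quickly


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the range scheme works on (not for storage)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for the range service: prefix -> {suffix: seen_count}.
_BREACH_CORPUS: dict = {}


def _seed_corpus(password: str, count: int) -> None:
    digest = sha1_hex(password)
    _BREACH_CORPUS.setdefault(digest[:5], {})[digest[5:]] = count


for _pw, _seen in [("123456", 37_000_000), ("qwerty", 3_900_000), ("Summer2021!!", 1_200)]:
    _seed_corpus(_pw, _seen)  # constructed counts, not real breach statistics


def range_lookup(prefix: str) -> dict:
    """Stand-in for GET /range/{prefix}; only the 5-char prefix is sent."""
    return _BREACH_CORPUS.get(prefix.upper(), {})


def breach_count(password: str) -> int:
    """Hash locally, query by prefix, then match the suffix on the client side."""
    digest = sha1_hex(password)
    return range_lookup(digest[:5]).get(digest[5:], 0)


def store_password(password: str) -> tuple:
    """Return (salt_hex, pbkdf2_hex) as it would be kept in a password history."""
    salt = secrets.token_bytes(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt.hex(), derived.hex()


def reused_previous(password: str, history: list) -> bool:
    """True if the candidate matches any (salt_hex, pbkdf2_hex) entry in history."""
    for salt_hex, stored_hex in history:
        derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                      bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
        if hmac.compare_digest(derived.hex(), stored_hex):
            return True
    return False


def check_new_password(password: str, history: list, min_len: int = 12) -> list:
    """Return the list of policy violations; an empty list means accept."""
    problems = []
    if len(password) < min_len:
        problems.append("too_short")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common")
    if reused_previous(password, history):
        problems.append("reused")
    seen = breach_count(password)
    if seen:
        problems.append(f"breached:{seen}")
    return problems


def login_delay_seconds(failed_attempts: int, cap: int = 300) -> int:
    """Progressive delay (0, 1, 2, 4, ... capped) instead of a hard lockout,
    which an attacker can trigger on purpose to lock legitimate users out."""
    if failed_attempts <= 0:
        return 0
    return min(cap, 2 ** (failed_attempts - 1))


if __name__ == "__main__":
    history = [store_password("correct horse battery")]
    for candidate in ["123456", "Summer2021!!", "correct horse battery",
                      "correct horse battery staple"]:
        print(f"{candidate!r}: {check_new_password(candidate, history) or 'accepted'}")
```

The history check deliberately stores salted PBKDF2 hashes rather than the old passwords themselves, so a leaked history table does not hand an attacker the user’s past choices; the breach check uses SHA-1 only because that is the form the range scheme is defined over, not as a storage format.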
4) Advise User-Friendly Password Alternatives
While the goal is for staff to use unique and complex passwords that are hard to guess, pushing too hard on this issue may have the opposite effect. Adarma’s Heasley said: “To maintain healthy password habits, it’s important that people make their passwords manageable. This can be done by striking a balance between memorable and complex passwords. People are more likely to forget an overly complex password, making it of no use. Users should try to use passphrases where they can arrange unrelated words in an odd order to create a powerful password.”
The UK’s National Cyber Security Centre (NCSC) advises users to combine three random words to help strike this balance between complexity and ease.
Even slight tweaks to existing passwords can add some friction, though practitioners should note that common character substitutions are built into the rule sets of password-cracking tools and add only a few bits of effective strength. Lookout’s Schless commented: “Remembering every complex password you create is difficult. To make life more difficult for attackers trying to crack your password, a simple practice is to replace letters with numbers or symbols that are easy to remember. For example, replacing the letter ‘e’ with a 3, or the letter ‘a’ with an @ symbol.”
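To put numbers on the two pieces of advice in this section, here is an added Python example, written for this page rather than taken from the article, the NCSC or Lookout. It generates a three-random-word passphrase with a cryptographic random source and computes its entropy, then enumerates every variant of a dictionary word that a substitution rule set (the ‘e’ to 3, ‘a’ to @ style) can produce, which is the extra work such tweaks actually impose on a cracker. The eight-word list is a constructed toy list; the 7776 figure is the size of the EFF long diceware list.

```python
"""Passphrase generation and the cost of leetspeak substitutions.  Added
example, not code from the article, NCSC or Lookout.  The word list is a
constructed toy list of eight words; the 7776-word figure below is the size
of the EFF long diceware list, so three words from it give about 38.8 bits."""
import itertools
import math
import secrets

# Constructed toy word list; a production list has thousands of entries.
WORDLIST = ["copper", "lantern", "meadow", "quartz",
            "saddle", "velvet", "yonder", "glacier"]

EFF_LONG_LIST_SIZE = 7776  # 6^5 entries, the diceware convention


def generate_passphrase(wordlist: list, n_words: int = 3, sep: str = "-") -> str:
    """Pick words with the CSPRNG; memorability comes from the words, strength from the count."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(wordlist_size: int, n_words: int) -> float:
    """Entropy of a uniform choice of n_words from a list: n * log2(size)."""
    return n_words * math.log2(wordlist_size)


# The substitutions Schless suggests plus a few others crackers try by default.
LEET_MAP = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}


def leet_variants(word: str) -> set:
    """Every string reachable by applying or skipping each substitution per position."""
    choices = [(ch, LEET_MAP[ch]) if ch in LEET_MAP else (ch,) for ch in word.lower()]
    return {"".join(combo) for combo in itertools.product(*choices)}


def leet_bits_added(word: str) -> float:
    """Extra attacker work, in bits: log2 of the number of variants the rule set yields."""
    return math.log2(len(leet_variants(word)))


if __name__ == "__main__":
    print("passphrase:", generate_passphrase(WORDLIST))
    print(f"3 words from {EFF_LONG_LIST_SIZE}: "
          f"{passphrase_entropy_bits(EFF_LONG_LIST_SIZE, 3):.1f} bits")
    print(f"'password' with substitutions: {len(leet_variants('password'))} variants, "
          f"{leet_bits_added('password'):.0f} extra bits")
```

Running it shows the contrast: substituting characters in “password” yields only 16 variants (4 extra bits), all of which a rule-based cracker enumerates automatically, whereas three words from a 7776-word list give roughly 38.8 bits and stay memorable.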
5) Implement Multi-Factor Authentication
Another measure organizations can take is mandating additional layers of authentication on top of passwords. MFA commonly comes in the form of unique codes sent via text messages, but several more secure alternatives are emerging. Specops’ James said: “It doesn’t matter what applications or systems you are using: always make sure 2FA or MFA are on the requirements list. On top of that, try to make sure those other factors aren’t weak ones, e.g., what’s your favorite film or send an SMS to an email address/mobile number; instead, try to use Biometric systems like Touch ID/Face ID or authenticators such as Google or Microsoft or even Yubikeys.”
For Sam Curry, chief security officer at Cybereason, MFA is essential given that it only takes one employee failing to adhere to strong password practices to cause a breach. “When you force employees to adhere to strict password policies and require them to change passwords too often, they will tend to use simpler passwords and ones that will most easily comply with your policy, which is counterproductive. My advice to companies is to instruct employees not to trust passwords and use additional factors in all accounts and services,” he outlined.
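The authenticator apps James mentions generate time-based one-time passwords, and the server-side handling is where deployments most often go wrong. The following is an added Python example, written for this page and not code from the article or from Google, Microsoft, Yubico or Specops: it implements HOTP (RFC 4226) and TOTP (RFC 6238) with HMAC-SHA1, decodes the base32 secret an app is provisioned with, and verifies codes with one step of clock-skew tolerance while refusing to accept the same code twice. The key used is the RFC test key, so the outputs can be checked against the published test vectors; a real deployment generates a random secret per user.

```python
"""TOTP as used by authenticator apps: HOTP (RFC 4226) over a 30-second time
counter (RFC 6238), plus a server-side verifier that tolerates one step of
clock skew and refuses to accept a code twice.  Added example, not code from
the article or from Google, Microsoft, Yubico or Specops.  The secret below is
the RFC test key; real deployments generate a random secret per user and
share it with the app as base32 (e.g. in an otpauth:// provisioning URI)."""
import base64
import hashlib
import hmac
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"  # key used in the RFC 4226/6238 test vectors


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian counter, dynamic truncation, then mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter set to floor(time / step)."""
    return hotp(secret, unix_time // step, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Apps are provisioned with a base32 secret; decode it once on enrolment."""
    padded = encoded.strip().replace(" ", "").upper()
    padded += "=" * (-len(padded) % 8)
    return base64.b32decode(padded)


class TotpVerifier:
    """Server-side check: +/- skew steps of tolerance, each counter value usable once."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret, self.step, self.digits, self.skew = secret, step, digits, skew
        self.last_accepted_counter = -1  # highest counter already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        counter = unix_time // self.step
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c <= self.last_accepted_counter:
                continue  # replay: this step (or an earlier one) was already used
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.last_accepted_counter = c
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_TEST_SECRET, now)
    verifier = TotpVerifier(RFC_TEST_SECRET)
    print("current code:", code)
    print("first use accepted:", verifier.verify(code, now))
    print("replay accepted:", verifier.verify(code, now))
```

Two details matter in production beyond what the RFCs specify: the verifier must persist `last_accepted_counter` per user so a captured code cannot be replayed within its window, and the window should be kept to one step either side, since widening it to cover badly synchronised clocks multiplies the number of valid codes an attacker can guess.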
6) Use Password Managers
Organizations should also consider offering employees the chance to use password manager systems. “Password managers generate complex, random and unique passwords for all the individual sites a user visits and store them all securely so users don’t have to worry about remembering them. They also alert users if they are reusing the same password across different accounts and notify them if a password appears within a known data breach so that they know to change it,” explained Adarma’s Heasley.
Once a user is familiar with such a system, it will ensure their credentials are always strong while not impacting usability. Thomas Richards, a principal security consultant at the Synopsys Software Integrity Group, said: “Password managers provide many benefits that assist people with managing the many different passwords needed in today’s world. They provide secure storage, feedback if a password is considered weak and can generate complex passwords as needed. All of these things help the user maintain their passwords according to best practices to reduce the risk of a compromise.”
Password security is increasingly challenging and vital in an era when organizations are storing unprecedented levels of sensitive data. Instilling strong password practices in staff has proven particularly difficult for businesses; however, a range of steps can be taken to radically improve the situation, revolving around employee awareness training, policies and tools. With passwords set to remain the primary means of authentication for many years to come, such approaches should become standard practice for organizations serious about their cybersecurity.