There is no question that multi-factor authentication has grown in popularity; it is often required in workplaces now, especially in sensitive sectors like banking, healthcare and law enforcement – and legislation encourages it. This approach relies on three main factors: what you have – devices like a USB or swipe card; who you are – biometrics such as facial, voice or fingerprint identification; and what you know – passwords.
Unfortunately, although it sounds like the most basic, this third factor is often not given enough priority, as too many people rely heavily on the belief that the other factors required for authentication can make up for weak or poorly-protected passwords. But it is important to remember that there can be flaws with the other parts of the process, even if they rely on advanced technology.
After all, more than 50% of cyberattacks in 2021 resulted from stolen credentials, according to Verizon’s 2022 Data Breach Investigations Report. As we mark Cybersecurity Awareness Month across the United States, it is a good opportunity for employers to re-examine their password policies, even if they have what they think are strict password guidelines and sophisticated MFA systems in place.
Easy Ways to Create Hard Passwords
Many organizations have requirements for passwords, like the number and types of characters they must contain. But this doesn’t necessarily result in strong passwords. Employees can still use obvious words, like the company’s name, and just capitalize a letter or add the date. If hackers obtain partial versions of such passwords, they are easy to fill in and complete – or just outright guess.
Organizations should encourage employees to use a sentence or phrase rather than a word to combat this, as these are more difficult to decipher or guess. When possible, passwords should be in a foreign language, especially one that uses different characters, because most password tracers only work in English. In addition, organizations need to ban certain words, like the name of the company or department, in passwords. Azure and other IT service providers can produce a list of words not to use in passwords based on what the company does, where it is located and other factors. Systems can then be configured to prevent certain words from being part of passwords.
Although it sounds counterintuitive, another way to avoid weak passwords is not to ask employees to change them too frequently. If frequent changes are required, employees often do not alter the password significantly; they simply add a number or letter, which defeats the whole purpose of rotating passwords. Unless a breach is suspected, twice a year is often enough to require a change.
How to Protect Passwords
Passwords should not be stored on computers’ hard drives, in emails or jotted down on pieces of paper stuck to the screen. Rather, organizations should invest in password vaults. There are many easy-to-use cloud-based solutions for this, and those work well in many workplaces. However, in very sensitive fields, like law enforcement, finance or government, it is better if password vaults are located on the local network, preventing outsiders’ access. These vaults are less user-friendly, especially with the rise of remote and hybrid work, but they still serve an important purpose in many cases.
Even if passwords are strong, companies must avoid using them on multiple accounts. If a bad actor gets hold of a widely-used password, it can grant access to multiple accounts, increasing damage from a breach or attack. We saw this recently when multiple accounts at the business magazine Fast Company had the same simple password, enabling a hacker to access email servers and other areas.
Avoiding password reuse is often a challenge when it comes to onboarding, when employees are commonly issued temporary passwords and then asked to change them after initially logging into a system. I often see that an organization, for the sake of simplicity, uses the same temporary password for every new employee. This creates a situation where the same password is used for multiple accounts, especially because not all new employees choose a new password. It also opens the risk of insider attacks, as veteran employees could easily remember and use this password to access newer employees’ accounts. And former employees, who remember the password, could use it to access information to which they are no longer authorized.
Finally, organizations need to take a proactive approach to password hygiene, gaining visibility into their overall password landscape and testing how strong they actually are. There are automated tools that companies can use to figure out how many people are using the same password or a variation of the same password. Companies should also produce hashed versions of the passwords in their systems and then evaluate how long or how many resources it would take to extract the clear text versions of them.
Passwords may be basic. But that also makes them especially important. Even as biometric and other authentication processes advance, passwords will still be key; and will remain one of the realms of cybersecurity where every single user can make a difference in protecting their organization.