At most companies, every single employee is tasked with creating passwords for several accounts and protected files — following specific guidelines like character limit, special characters and/or numbers. While these passwords may reach the general needs for account access and basic security, many do not provide a strong enough defense against threat actors who take advantage of weak and/or repeated passwords to access sensitive data.
This is why passwords remain an attractive and lucrative target for attackers. For example, dropbox sign was recently hit by a major security breach where unauthorized users gained access to users’ sensitive information, including emails, usernames and general account information associated with all users of the digital signature product. With this particular attack, some users also had their phone numbers, authentication information such application programming interface (API) keys, open authorization (OAuth) tokens and multi-factor authentication and passwords compromised.
Despite passwords being an important cybersecurity protection, many users are desensitized to password security. Simple or serialized passwords are used for convenience, which can pose security risks that threat actors are looking to take advantage of — especially as these are often used repeatedly across many personal and professional accounts. It’s up to employers and their information technology (IT) teams to ensure employees are trained on proper password security and to reinforce its importance on a regular basis.
Training employees on effective password management can help increase security protection against potential cyber threats. Let’s evaluate the top 10 tips to implementing proper password security.
Top 10 tips for Proper Password Security Management
1. Encourage strong password strength.
This is a basic requirement: Avoid the use of simple or short passwords. The longer the password the better. It is recommended to use a random long password, especially for sensitive accounts. Advise employees to use a phrase to help the password reach a longer character limit. Generally, a password that has over 20 random characters can better protect the business from threat actors.
2. Encourage the avoidance of password rotation.
Recent guidance from the National Institute of Standards and Technology suggests not to require password changes unless there is evidence of a breach. Unnecessary regular password changes would likely prompt employees to begin to utilize a serialized password method rather than thinking of a solid, well-protected password if they have to do it on a regular basis.
3. Ensure employees are using different passwords across their accounts.
Having different passwords for different accounts prevents being caught off guard in credential stuffing attacks. These attacks prey on the use of identical passwords across different accounts as was the case with the Roku security hack earlier this year, where more than 576,000 accounts were exposed.
4. Provide password management training.
Training can help prevent identical, similar or even serialized passwords from being utilized within the organizations. While these generic passwords are easy to remember, they are also easy to hack.
5. Add password managers to shared accounts or files.
Password managers should be required any time there is shared password access or group password changes are needed. This also provides an audit trail of password access if needed.
6. Multi-factor authentication (MFA) is non-negotiable.
Without a doubt, multi-factor authentication (MFA) must be implemented to add an extra layer of security whenever accessing key programs, platforms and apps. While it may be annoying to have to enter in an additional code every time you log in (depending on the app), this can provide extra protection. Some threat actors are likely to move on rather than try and get around MFA. However, it must be said that persistent actors have found ways around MFA via social engineering or reverse-proxy style attacks that capture a user’s authentication token. However, despite such MFA bypass hacks, MFA remains one of the easiest and best measures to quickly protect accounts.
7. Use passkeys where possible.
This type of identity authentication uses public key cryptography with the private key being stored on a smartphone, a hardware key, password manager, etc. Not only are passkeys more convenient, but there are also no secrets stored on the service end of the login process — so even if breached, there are no passwords for threat actors to access.
8. Secure IT admin access.
Although this may be obvious, establish time limitations, require an audit trail or require other IT admins to enable timed access. Privileged access management (PAM) can help with this and add that additional layer of protection on top of effective password management.
9. Avoid third-party logins with work accounts.
Using work accounts as logins for a number of websites puts that information at risk, such as using a Facebook or Google email account. If the third-party account is subject to an attack that can open the risk of data being accessible from other accounts, too.
10. Monitor password access and use.
It’s important to have a birds-eye view of IT security across the board, seeing how many devices have password access, and how often they are being used. In the case of a threat actor breach or employee malpractice, IT teams will be prepared to act accordingly to mitigate further risk.
Taking these proper measures and precautions for effective password management can mitigate risks of breaches from threat actors. Although there are many other cyber hack methods, password breaches remain high, so it’s critical for all employees to have the understanding and guidance for best password management.