The sad truth is that many breaches begin with stolen or weak passwords. Attackers crack passwords with brute-force and dictionary attacks, either by replaying lists of credentials stolen in earlier breaches (credential stuffing) or by trying combinations of letters, numbers, and special characters until one works. The tools used to crack passwords are free and fast, and they demand little effort or skill from the attacker. According to Verizon's 2019 Data Breach Investigations Report, stolen credentials are routinely the gateway to a breach.
Password security is essential for the ongoing protection of business assets, business operations, and workforce productivity. At a minimum, every organization needs a strong password policy that establishes enforceable standards for managing passwords and highlights the critical role the workforce plays in securing business operations.
Foundational: Create a Strong Password Policy
A strong password policy that improves cybersecurity posture is a set of rules, approved by business leaders, that enforces strong passwords, secure usage, and secure (hashed, never clear-text) storage.
- Educate the Workforce. Much of the workforce is unaware that poor password habits put the company at risk. Educate employees that they must not reuse a work password on a personal site (a breach of that site then exposes the work account) and must not write passwords down on a Post-it note.
- Require Strong Passwords. The longer and less predictable a password, the harder it is to crack. Require at least eight characters and reject any password that appears in a known breach list. Length and unpredictability matter more than a mandated mixture of numbers, symbols, and uppercase letters: users satisfy composition rules in predictable ways (a capital first letter, a trailing "1!"), which cracking tools already account for. NIST SP 800-63B likewise sets an eight-character minimum, recommends screening against compromised-password lists, and advises against composition rules.
- Require Multi-Factor Authentication. A "password-only" strategy is no longer an option in a world of constant data breaches. Multi-factor authentication verifies identity with at least two independent factors drawn from: (1) something you know (a password); (2) something you have (a mobile device or hardware token); and (3) something you are (a fingerprint or other biometric). Two-factor authentication is the common case of exactly two such factors. A stolen password alone is then not enough to log in.
- Password Expiration. Forcing periodic password changes offers a false sense of security and annoys the workforce, which responds with predictable variations of the old password. Multi-factor authentication is a more effective control. Passwords should be reset when they are known or suspected to be compromised (with the breach communicated to the workforce) or forgotten.
- Prohibit Password Sharing. Passwords must not be shared. Every action must be traceable to the individual authorized user, which is impossible once an account is used by more than one person.
- Password Storage. Passwords must never be stored in clear text, nor reversibly encrypted. Store only a salted, one-way hash at rest, computed with a deliberately slow password-hashing function (bcrypt, scrypt, Argon2, or PBKDF2) so that a stolen database cannot simply be run through a fast hash at billions of guesses per second.
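The following Python example, added here and not part of the original article, puts the "Require Strong Passwords" and "Password Storage" rules above into working code: a policy check that enforces the eight-character minimum and screens against a breach list, and a salted PBKDF2-HMAC-SHA256 hash with constant-time verification. The breach list is a small constructed sample, the `algorithm$iterations$salt$digest` record layout is a convention chosen for this example, and the function names are assumptions.

```python
import hashlib
import hmac
import os
from typing import List

MIN_LENGTH = 8

# Constructed, hypothetical breach list for the example. A real deployment
# screens against a large corpus of passwords exposed in earlier breaches.
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1!"}

# PBKDF2-HMAC-SHA256 work factor. Choose it so one verification costs tens of
# milliseconds on the authentication server; OWASP's 2023 recommendation for
# PBKDF2-HMAC-SHA256 is 600,000 iterations.
DEFAULT_ITERATIONS = 600_000


def check_policy(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Compare case-insensitively: "Welcome1!" is no safer than "welcome1!",
    # even though it satisfies every traditional composition rule.
    if password.lower() in BREACHED_PASSWORDS:
        problems.append("appears in a known breach list")
    return problems


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Hash with a fresh 16-byte random salt; the record carries everything needed to verify.

    Record layout (a convention for this example): algorithm$iterations$salt_hex$digest_hex
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and parameters and compare in constant time."""
    try:
        algorithm, iterations_str, salt_hex, digest_hex = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        iterations = int(iterations_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        # Malformed record: refuse the login rather than crash.
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    for candidate in ["short", "Welcome1!", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_policy(candidate) or 'accepted'}")
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("login with right password:", verify_password("correct horse battery staple", record))
    print("login with wrong password:", verify_password("Welcome1!", record))
```

Because the salt is random, hashing the same password twice yields two different records, so an attacker who steals the table cannot spot users who share a password or precompute a single rainbow table for everyone. The iteration count is stored alongside the hash so it can be raised over time without invalidating existing records.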
What's Next? Beyond The Password
Requiring only a password for account authentication is a weak strategy, as the rising rate of compromised credentials demonstrates. Increased digital adoption raises the importance of authentication. New authentication technology is moving away from static authentication, such as the familiar login and password, toward dynamic authentication. Dynamic authentication makes each login different through one-time passwords or biometrics, or through frictionless authentication that uses behavioral biometrics, data analytics, and machine learning to make informed authentication decisions.
Interested in learning more?
Let's schedule a meeting where we can discuss your business's password policy and how it plays into your overall cybersecurity plan.