World Password Day occurs each year on the first Thursday of May. This year, May 7th will mark the occasion. There’s no better time than the present for organisations to assess cyber-hygiene best practices for keeping data and devices secure from cyber-threats.
While World Password Day is a timely reminder for internet users to evaluate their individual password strengths, individuals and organisations should prioritise cybersecurity as a year-round endeavour that goes beyond simply reinforcing best password practices.
In many cases, a password is the only means for protecting data. However, we’ve long known that passwords are the weakest link in the security chain, and malicious intruders know it as well. With more employees working remotely due to COVID-19, it's more critical than ever to go beyond solely relying on passwords for security. While it is strongly recommended to eliminate passwords wherever possible, the reality is, today’s world still requires passwords.
Consider the following best practices to make your passwords and environments as secure as possible:
#1 If you must use a password, go long
As many recent data breaches have demonstrated, weak passwords remain the number one avenue for successful cybersecurity breaches. Just last year, the UK's National Cyber Security Centre (NCSC) reported that “123456” was the most commonly breached password, appearing in more than 23 million breached records. It should therefore come as no surprise that the underlying cause of many data breaches is the use of common words or a single string of numbers that can easily be guessed.
To make passwords as secure as possible, cybersecurity industry standards call for strong passwords composed of strings of as many as 32 to 64 random characters, so that attackers have difficulty guessing the correct one. A longer, simpler password is still more secure than a short, complex one, because the longer the password, the more time and resources it takes to crack. As the average hacker is typically focused on the path of least resistance, the more difficult the challenge, the less time they are willing to spend on the endeavour.
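The "go long" argument in numbers, as an added example that is not part of the original article: it models the brute-force keyspace of a short, complex password against a long passphrase of randomly chosen words. The guess rate, the 7776-word (diceware-style) list size and the sample passwords are constructed assumptions.

```python
import math
import string

# Assumed attacker guess rate, constructed for illustration only (not a figure from
# the article): 1e10 guesses/s is plausible for offline cracking of a fast, unsalted hash.
GUESSES_PER_SECOND = 1e10
# Diceware-style wordlist size (6^5 = 7776 words), assumed for the random-passphrase model.
DICEWARE_WORDS = 7776

def pool_size(password: str) -> int:
    """Size of the character pool an attacker must try, given the classes actually used."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(c in cls for c in password))

def random_chars_bits(password: str) -> float:
    """Entropy in bits if every character were chosen uniformly from the pool.
    This is an upper bound: a human-chosen string such as '123456' is far weaker than
    its pool size suggests, because it sits near the top of every guessing list."""
    n = pool_size(password)
    return len(password) * math.log2(n) if n else 0.0

def random_words_bits(word_count: int, wordlist_size: int = DICEWARE_WORDS) -> float:
    """Entropy of a passphrase of `word_count` words drawn at random from a wordlist.
    The entropy comes from the number of words chosen, not from their letters."""
    return word_count * math.log2(wordlist_size)

def expected_crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Average brute-force time: half the keyspace at the given guess rate."""
    return (2.0 ** bits) / 2 / rate

def compare() -> dict:
    """Short-and-complex vs long-and-simple, as the article argues. Values are constructed."""
    short_complex = "Tr0ub4d!"   # 8 chars drawing on all four classes -> pool of 94
    long_words = 6               # six random words, roughly 35 lowercase letters in total
    results = {
        "123456": random_chars_bits("123456"),
        "short_complex": random_chars_bits(short_complex),
        "six_random_words": random_words_bits(long_words),
    }
    return {name: (round(bits, 1), expected_crack_seconds(bits)) for name, bits in results.items()}

if __name__ == "__main__":
    for name, (bits, secs) in compare().items():
        print(f"{name:18s} {bits:6.1f} bits  ~{secs / 86400 / 365:.2e} years at 1e10 guesses/s")
```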
#2 Use a different password for each account
Another beneficial approach is to set a different password for each account. When using a single password for multiple accounts, even if it is a strong password, there is still a constant risk that the password will eventually be compromised or stolen.
If a hacker breaches one account, nothing stands in the way of them using the same password to gain immediate access to the other accounts. This puts valuable personal data, like finances and scheduling, at risk. Knowing a person’s spending patterns, savings, and location at any given moment allows hackers to inflict maximum damage through identity theft and other means.
In a worst-case scenario, if the same password is used across multiple platforms, it creates a single point of failure that bad actors can exploit to gain access to multiple applications. This frightening scenario puts all affiliated accounts and the relevant data at risk.
#3 Leverage a password manager
Fully understanding what makes for a strong password is one thing, but how does one manage an average of 70-80 passwords? In most instances, strong passwords that contain lengthy strings of random characters are too difficult for people to memorise. As a result, users are more likely to take risky shortcuts, such as writing down their passwords or storing them in unencrypted spreadsheets.
One increasingly popular option for securely storing multiple passwords is a password manager. Password managers function as an encrypted repository for the passwords associated with various accounts. All passwords stored in a password manager are secured by a single master password or, preferably, by alternative forms of authentication.
Password managers not only save users time, but ultimately help organisations and personal users maintain strong password security. Of course, saving time can boost efficiency and productivity, which often saves money as well. There are many examples of password management solutions available online, including 1Password, Dashlane, KeePassXC, and LastPass. Choose a product that supports Multi-Factor Authentication (MFA) and be sure to use it.
#4 Implement multi-factor authentication whenever and wherever possible
The fact remains that even the strongest passwords can easily be stolen and compromised. According to the 2019 Verizon Data Breach Investigations Report, as much as 80 per cent of data breaches result from compromised passwords. Most hackers whose aim is to infiltrate organisations prey on the inherent weakness of password security by simply tricking a user into sharing their password by means of a well-crafted spear-phishing attack, malware, or keylogging.
MFA offers one solution to this threat and helps overcome the limitations of traditional password security, augmenting or even replacing passwords entirely by adding a second or third form of verification. In turn, MFA renders a stolen or compromised credential useless on its own, because the attacker would still not have the additional authentication factors.
Many of today’s MFA solutions offer the flexibility to increase security without negatively affecting usability. Mobile-based authentication methods, such as push notifications and one-time passwords (OTPs), are inexpensive, intuitive, and can be rapidly deployed, while offering the added convenience of leveraging a user’s mobile or personal device. Furthermore, existing investments, such as Radio-frequency identification (RFID) proximity badges used to physically access buildings, can be leveraged to unlock workstations through MFA as well.
Currently, MFA can be leveraged for passwordless authentication to many enterprise technologies. For example, a push notification can be delivered to a user’s mobile device. The user authenticates on their device and simply approves the request, and they are granted access to the system, all without using a password. Push notifications or OTPs can also be combined with emerging biometric capabilities, such as a fingerprint scan to access a user’s smartphone, to provide a powerful, yet easy-to-use form of MFA.
Organisations can also tailor the level of authentication required based on the risk level a user presents. For high risk scenarios, more stringent authentication can be required, while users in low risk situations don’t have to be overly burdened with additional steps when logging in.
For example, in today’s increasingly remote work environment, it is crucial that contextual factors, such as a user’s geographic location, be taken into account to adapt the level of authentication required based on the risks involved. Whether users are in the office, working from home, or in another country altogether, the context differs, and as a result, different authentication policies may apply.
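The risk-based, context-aware policy described above, as an added example that is not part of the original article or of any vendor's product: a small decision function that scores login context (network, country, device, resource sensitivity) and maps the score to the factors required. The hypothetical `LoginContext` fields, the allowed-country and office-network values, and the score thresholds are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed policy inputs for illustration; not values from the article or any product.
ALLOWED_COUNTRIES = {"GB", "IE"}                        # where staff normally work
OFFICE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # corporate address space
SENSITIVITY_WEIGHT = {"low": 0, "medium": 1, "high": 2}

@dataclass
class LoginContext:
    """Hypothetical set of signals available at login time for an adaptive-MFA policy."""
    user: str
    source_ip: str
    country: str        # ISO 3166-1 alpha-2 code from IP geolocation
    known_device: bool  # device previously enrolled or seen for this user
    sensitivity: str    # sensitivity of the resource being accessed: low/medium/high

def on_office_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OFFICE_NETWORKS)

def risk_score(ctx: LoginContext) -> int:
    """Additive score: each contextual signal that deviates from the norm raises the risk."""
    score = 0
    if not on_office_network(ctx.source_ip):
        score += 1      # off the corporate network, e.g. working from home
    if ctx.country not in ALLOWED_COUNTRIES:
        score += 2      # another country altogether
    if not ctx.known_device:
        score += 1      # unrecognised device
    score += SENSITIVITY_WEIGHT[ctx.sensitivity]
    return score

def authentication_policy(ctx: LoginContext) -> Tuple[str, List[str]]:
    """Map the risk score to the factors required, or refuse the attempt outright."""
    score = risk_score(ctx)
    if score == 0:
        return "allow", ["password"]                       # low risk: no extra burden
    if score <= 2:
        return "step_up", ["password", "push"]             # e.g. home office, known device
    if score <= 4:
        return "step_up", ["password", "push", "device_biometric"]
    return "deny", []                                      # too many anomalies: block and alert

if __name__ == "__main__":
    for ctx in (LoginContext("alice", "10.20.30.40", "GB", True, "low"),
                LoginContext("alice", "203.0.113.5", "GB", True, "medium"),
                LoginContext("alice", "198.51.100.7", "XX", False, "high")):
        print(ctx.source_ip, ctx.country, authentication_policy(ctx))
```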
Password security is here to stay…for now
With each new World Password Day, there are always questions surrounding the idea of a passwordless future. Bad password policies and practices weaken an organisation’s security and leave valuable data vulnerable to hackers. The reality is that when continuing to rely upon passwords to combat today’s threats, it is essential to have good password policies in combination with flexible MFA. In the years ahead, it’s entirely possible that user authentication will rapidly evolve beyond passwords – for the sake of both convenience and security.
James Litton, Founder and Chief Executive Officer, Identity Automation