Password Security - Strengthening and Protecting Your Passwords
Following on from ‘Password Security: It’s Time for A Password Overhaul’, we dive into our recommendations on how you can strengthen and protect your passwords and discuss the future of the static password.
Create Complex Passwords
Passwords should be at least 12 characters in length and have a balance between their length and your ability to remember them. There is no point in creating a 32 character password that you will have difficulty remembering.
Every extra character in your password makes cracking it far less feasible, because the number of combinations an attacker must try grows multiplicatively with length.
| Password Length | Cracking Time |
|---|---|
| 8 characters | 5 hours |
| 9 characters | 5 days |
| 10 characters | 4 months |
| 11 characters | 1 decade |
| 12 characters | 2 centuries |
Estimating Password Cracking Times
Always create a password with a mix of upper and lowercase letters, numbers and special characters. When used in combination, the complexity and length make it difficult for malicious actors to guess at random.
- Never Reuse Passwords - A single password used over multiple accounts is a malicious hacker's dream. If one account with the password is compromised, all accounts with the same password are at risk.
- Never Store Passwords in Plain Sight - It may be tempting to do so, but you should never record your password on paper, sticky notes or on your desktop. Passwords stored in plain sight are easy to spot, making them very easy to steal.
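The policy above (at least 12 characters, mixed character classes) and the length-versus-cracking-time relationship can be made concrete with a small checker. This is an added example, not code from the original article; the guess rate used for the estimate is an assumed figure, not the one behind the article's table.

```python
import math
import string

# Policy from the article: at least 12 characters with upper, lower, digit and special.
MIN_LENGTH = 12
SPECIALS = string.punctuation  # 32 printable ASCII symbols


def check_password_policy(password: str) -> list[str]:
    """Return the list of policy rules the password fails (empty means it passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in SPECIALS for c in password):
        failures.append("no special character")
    return failures


def charset_size(password: str) -> int:
    """Size of the smallest standard character pool that covers every class used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in SPECIALS for c in password):
        size += len(SPECIALS)
    return size


def brute_force_seconds(length: int, pool: int, guesses_per_second: float) -> float:
    """Worst-case seconds to exhaust all `pool ** length` combinations at a given guess rate.

    Each extra character multiplies the search space by `pool`, which is the effect
    the article's table illustrates. This models exhaustive search only; reused or
    leaked passwords are found from breach lists regardless of length.
    """
    return pool ** length / guesses_per_second


if __name__ == "__main__":
    # Constructed sample; an assumed rate of 1e10 guesses/second against a fast hash.
    pw = "Winter-Season-2024!"
    print(check_password_policy(pw) or "passes policy")
    for n in range(8, 13):
        days = brute_force_seconds(n, charset_size(pw), 1e10) / 86400
        print(f"{n} chars: {days:,.0f} days worst case")
```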
Use Password Management Software
Password management software takes the hassle out of remembering the passwords for your software and devices. It generates and stores all of your passwords in one system, locked behind a single strong master password.
Multi-Factor Authentication (MFA) is an additional security step that should be used on all accounts which need a password. It’s an effective way of adding another roadblock to an account, helping to prevent malicious actors from accessing your accounts.
Multi-Factor Authentication generates a random, short-lived token which you must supply to log in to your account. These tokens can be sent to your phone or generated by an authenticator app.
Invest In Training
Educating employees is key to protecting your business from cybersecurity attacks caused by weak passwords. To be effective, training must be consistent, engaging and give real-life examples of what to look out for.
There is a lot of conflicting advice online about what constitutes a secure password, so employees must understand best practice and be fully versed in what the organisation's password policy requires of them.
Training should include information on:
- The risks of recycling passwords over multiple accounts
- How to create a strong and secure password
- How to use a password manager for password management and password generation
- How to enable Multi-Factor Authentication on all accounts
The Future of Passwords
Passwords in one form or another have existed for centuries. In the IT environment, they’ve been around since the early 1960s.
We see billions of passwords leaked every year. Last year alone, 5.9 billion accounts were affected by password breaches and they are unfortunately one of the biggest barriers to a solid cybersecurity stance, with 61% of data breaches involving the use of unauthorised credentials.
Due to this, and other factors, alternatives are being sought to protect the sensitive information we hold.
Passwordless Authentication is a method gaining popularity in recent years. Instead of relying on a static password or knowledge-based secrets to access accounts, it relies on a possession factor such as a mobile authenticator app, a hardware token or a biometric trait.
Passwordless Authentication is inherently more secure than static passwords but is not foolproof. The method greatly reduces attacks as no passwords can be leaked or intercepted, however, a multilayered approach should still be considered to increase the level of security.
What are the benefits of Passwordless Authentication?
Passwordless Authentication can potentially enhance cybersecurity if put in place correctly. As there are no passwords for malicious attackers to attempt to phish or compromise, the likelihood of being exposed to a phishing attack is greatly reduced.
It can also improve the user experience, since systems and devices can be accessed without remembering complex static passwords. This removes password fatigue and the human error that comes with juggling many passwords across different accounts, password resets and account emails that could themselves be phishing attempts.
Is the future Passwordless?
In the past few years, we have had more cyberattacks than ever before and companies are beginning to realise that breached static passwords are one of the primary reasons for data breaches and cybersecurity incidents.
Passwordless authentication may be on the cards to take over from the static password, but as static passwords are still used by millions and remain the easiest and cheapest system to implement, they will not disappear altogether any time soon.
How can we help?
We hope these tips on password security give you a better understanding of how to develop a robust password security policy and what exactly you need to train your employees on.
However, these simple recommendations can only go so far.
Secora Consulting provides a range of services that can help you to assess the security of your organisation. Our cyber security assessment focuses on gaining an insight into weaknesses in your organisation's current security posture which may leave you vulnerable to the most common cyber-attacks.
Our baseline assessments focus on quickly bringing your systems in line with best practices by identifying missing patches and known issues in your systems. If you are interested in a more in-depth assessment of your infrastructure, ask us about our penetration testing services, where we will identify and exploit vulnerabilities in your network, showing just how far an attacker could get. Get in touch with us today to discuss your specific requirements.
All of Secora Consulting's assessments are tailored to our clients' needs.
Using our experience, we can help you determine which services are right for you.