Ensuring that your organization has secure passwords is critical. Company data breaches exposed more than 36 billion records in the first half of 2020 alone, resulting in billions of dollars of lost value.
While not the entire cybersecurity story, part of the solution is to improve password quality. Once enterprises can better protect their accounts and devices, the incidence of serious security breaches will begin to fall.
Unfortunately, many companies are still failing to manage their passwords effectively. Around 60 percent of enterprises, for instance, have more than 500 employee accounts with non-expiring passwords. And 49 percent of employees only change one
character when required to change them.
In this article, we discuss what effective password management is and why you need it.
We then talk briefly about identity theft before moving onto the three best password management practices you can implement in your organization today.
What is password management?
The best way of understanding password management is to view it as a set of guiding principles or best practices. Crucially, it is an active approach to passwords. So instead of relying on employees to change their passwords regularly or improve their quality, you institutionalize these concepts and make them happen.
Businesses face a host of password-related threats. These include:
● Brute force attacks, where criminals attempt to steal passwords using automated tools (that run through thousands of likely passwords)
● Shoulder surfing attacks, where hackers gain access to key log data or literally place a micro camera over a user’s keyboard to see what they are typing in
● Sniffing attacks where hackers steal passwords through an authorized network access
● Login spoofing – forwarding unsuspecting users to fake login pages.
Unfortunately, while criminals are using advanced tools to steal passwords, most organizations are still relying on rudimentary password management methods. The vast majority of firms, for instance, are writing them down on post-its and sticky notes. Or they are using easy-to-guess passwords and sharing them with each other on spreadsheets.
Password management, however, can be much more sophisticated and secure than many organizations believe.
Effective password management includes:
1. Having a policy for using strong and unique passwords
2. Resetting passwords at regular intervals
3. Not writing down or sharing passwords between colleagues
4. Using password manager software that securely holds passwords digitally until you need them
5. Employing two-factor authentication on all business-related devices
6. Periodically reviewing password usage and policy to check that employees are following security instructions
Why do you need password management?
Implementing password management is critical for many enterprises. Employees are unlikely to take the necessary precautions if left to their own devices.
To Improve Password Strength
For instance, most employees do not use strong passwords – those that are at least 12
characters long and contain a mixture of letters, numbers, and symbols. The average
password is 9.6 characters and highly guessable because it contains real words, not
just random character strings.
To Cycle Employee Passwords Effectively
Many companies rightly believe that employees should cycle their passwords every few weeks to reduce the chance of a breach. However, when enterprises try to force the issue, they create problems. Employees often can’t consign their new passwords to memory easily so the business helpdesk becomes clogged with login issues. Workers also begin writing passwords down in their notebooks for future reference, instead of holding them invisibly in their minds, creating a security risk in the process.
Cycling passwords requires specialist tools, such as password vaults, to do it effectively. Without these, password changes can become a drain on enterprise resources and a significant security threat.
To Protect Against Phishing Attacks
Data suggest that around 88 percent of organizations experienced a phishing attack in 2019. And in many cases, the hackers were successful. They managed to lure employees to hand over login details to a third party, giving them access to the business network.
However, effective password management plans reduce the damage phishing does. For instance, if you have two-factor authentication as standard, it becomes much more difficult for any third-party to gain access to your systems, even if they manage to steal all your passwords. Combined with cybersecurity monitoring and secure storage, you can see login attempts that aren’t backed up by secondary authentication methods, alerting you to possible breaches.
To Reduce Helpdesk Spend
Password loss and retrieval services are expensive for business helpdesks. IT departments often find that they spend the majority of their time assisting employees with login issues, instead of actually working on projects to improve the strategic
position of the business.
Proper password management helps to streamline this process. It eliminates many of the causes of password loss while, at the same time, cutting the risk of a breach.
To Reduce Losses
According to data from SafeAtLast, the average cost of a ransomware attack is $133,000. Furthermore, the average cost of a malware attack is an astonishing $2.6 million. And data breaches cost an average of $2.35 million in 2020 for small companies (less than 500 employees in 2020).
Part of the rationale, therefore, for putting password management in place is to reduce losses. With so many companies hemorrhaging money and the cost of cybercrime rising all the time, enterprises need to plug holes in their security arrangements wherever and however, they can.
What is Identity Theft?
Poor passwords invariably lead to identity theft. Criminals targeting your organization often want to steal employees’ identities (and those of your customers) for financial gain. Once a hacker has password information, they can steal confidential data,
impersonate you or your customers, and even gain access to private bank accounts.
But how does it happen?
Well, in some cases, identity theft occurs after a hacker completes a successful data breach. Other breaches occur when employees begin insecure browsing (perhaps on Internet Explorer) or accidentally enter login details onto a site deliberately set up by hackers to capture personal information.
In many cases, password breaches occur as a consequence of phishing emails. Employees mistakenly believe they’re responding to legitimate requests for user information when, in reality, they are simply handing over their data to hackers.
Hackers will also take advantage of employee use of public WiFi networks. They will frequently “eavesdrop” on connections, looking for passwords or other data sent over the network they can use to their advantage.
Thus, organizations need to concern themselves with the issue of identity theft, especially now that more and more employees are connecting remotely, over the cloud. Firms often don’t know who is on their networks and the data they are accessing. And, furthermore, they don’t have systems in place to identify whether account access is legitimate.
Identity theft is a serious issue for many enterprises because of the damage that it does. Hackers posing as employees or customers can cause tremendous damage, steal vast sums of money, and hold firms to ransom. Preventing them, therefore, should be a top priority.
What are the 3 best practices for password management?
What can you actually do to stop hackers from stealing your passwords and causing a breach at your firm?
The answer is actually quite simple: employ password management best practices.
Here are our top three:
Use Passphrases And Not Passwords
Passwords are literally just a string of characters, all in a row. Passphrases, on the other hand, are much longer and contain spaces. So, for instance, “Password123” is a password but “My password is the best” is a passphrase.
Putting spaces between words in a password seems like a triviality, but it helps the people in your organization tremendously. A password like “40945thrf323e3$$£” is great for thwarting hackers. But it is a nightmare for employees to remember
(especially if you insist they change it every couple of months). Passphrases, on the other hand, are much simpler because they follow the linguistic conventions of everyday speech. In other words, they conform to the way workers are used to using language, not the way machines use it.
Passphrases also allow you to create increasingly complicated passwords. Most passwords top out at around 20 characters. But with a passphrase, you could create something utterly unguessable at 80 characters or more. Each time you add a character, the passphrase becomes exponentially harder to crack. By the time you
arrive at around 40 characters, the likelihood of anyone hitting on the right passphrase is essentially nil. Most password cracking tools generally top out at around 10 characters.
The trick with passphrases, of course, is to choose something unusual. You don’t want the hacker to be able to guess the password easily by using a mundane phrase like “David’s passphrase is the best.” You want something a little more enigmatic than that, like “Weeping willows make the otter play” – you get the idea.
Create A Password Blacklist
Here’s another great (and simple) idea you could try out in your organization: try making a password blacklist.
The concept behind this is simple. You create a digital system that prevents employees from entering easy-to-guess passwords that hackers could breach with conventional hacking tools.
The blacklist might contain passwords such as:
You might also ban things like passwords that contain references to the organization, employees’ friends and family names, and anything that contains what looks like a date of birth.
Improve Your Employee Authentication Protocol
Lastly, you should try to improve your employee’s authentication protocols. It’s relatively easy for hackers to breach an open account, but it is much more challenging to get into one that requires two-factor authentication. Not only do they need the password, but also the secondary device.
The concept of two-factor authentication is very simple. The idea is to confirm entry into your accounts via a second means associated with your digital identity. So, for instance, after an employee enters their password, they might get a prompt on their phone asking them to confirm that the login attempt is them. They may also have to enter a second, time-limited code or verify their identity in some other way.
Many companies take two-factor authentication very seriously indeed. For instance,cafter an employee enters their password, they might have to also confirm their information, either with a fingerprint or eye scan. They may also need a manager to manually grant them authority to log into a particular system with a time limit on their access.
Multi-factor authentication, therefore, makes intuitive sense. While hackers can quite easily breach one form of identification, it is much harder to get around two. If an employee accidentally leaves a laptop on the train to work, hackers won’t be able to get into it without the password. Likewise, if the hacker has the password but not the connected device required for two-factor authentication, they still can’t get into your systems.
There are, of course, many other ways to improve password management at your organization, including adding more security to your C-suite, training employees not to
respond to phishing attempts, and using password management software. But many of the most effective tactics are things that you can do right now.
Remember, you don’t actually need to use complicated biometric multi-factor authentication if you don’t want to. Just including two-factor authentication on employees’ smartphones can improve your security levels vastly.
You can also change your password policy to encourage users to adopt passphrases – a more human-centered and secure approach to traditional passwords. Once colleagues have something that they can remember more easily, they are more likely to cycle their passwords naturally.
Whatever you do, do not try to force password cycling. Doing so could lead to unintended consequences that actually increase the risks of a breach.
Don’t take chances with your password management. If you would like to learn more and improve your processes, get training from Simple Plan IT. We provide the knowledge and tools you need to sustain your own password management effort, instead of having to rely on third-party agencies