Often in business we talk about targeting the low hanging fruit or quick wins: opportunities where you get a worthwhile return for comparatively little effort. A strong password policy is exactly such a case. Despite this, many companies continue to follow outdated or inadequate policies that expose them to significant risk.
Verizon's 2020 Data Breach Investigations Report attributes 35% of breaches to compromised or weak passwords, and their 2021 report again confirms that 85% of breaches involved a human element.
With people continuing to work from home, your attack surface is larger than ever, which makes it more important than ever to review and update your password policies.
Get started with this list of 8 best practices:
1. More focus on increased password length over password complexity
The thinking used to be that passwords mixing in digits and symbols would be harder to crack. But because we all use the same substitution tricks, those patterns are easy for attackers to recognise and exploit; password-cracking tools simply apply them as rules to a dictionary word. For instance, a zero instead of an "O", an @ instead of an "A", or a number at the end of the password that we increase by one with each subsequent (and often forced) password update!
A minimum of 8 characters is still recommended, but encourage passphrases instead. Not only are they harder to crack, they are also easier to remember!
2. Employing a “deny list” of unacceptable passwords
By employing a deny list, you immediately remove the temptation to use the most common passwords such as "12345" or "password". And you don't have to start from scratch: there are published lists of common words, repetitive strings and keyboard-adjacent sequences which you can load if your authentication system allows it. Remember, attackers use these same lists, so why give them the head start?
3. Never reusing passwords across sites and services
This one speaks for itself. With so many passwords to remember, the temptation to reuse the same username and password across multiple personal and business platforms is understandable. But once an attacker has obtained those credentials from one site, they can simply try them against every other platform (so-called credential stuffing), with increasing success.
4. Eliminating regularly scheduled password resets
Again, the human factor is at play here. We all suffer from password fatigue, and with it comes the temptation to make only minor changes to our current password at each subsequent (and often forced) update.
It is more beneficial to force a reset at critical times, such as a suspected breach or a change in role or privileges. If you do retain scheduled updates, add "similarity" and "history" checks to your password validation so that the new password can be neither identical to nor a trivial variation of a previous one.
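The checks from points 1, 2 and 4 (a length minimum, a deny list that still catches "P@ssw0rd1!" once common substitutions are undone, keyboard and repeated-character sequences, and similarity/history against previous passwords) can all live in one validator. The Python below is an added example written for this article, not code from any particular product; the deny list is a small constructed sample (a real deployment would load a published list of breached passwords), and `previous` holds old passwords in plaintext purely for the demo, where a real system would compare against stored hashes.

```python
import difflib
import re

MIN_LENGTH = 8            # a floor, not a ceiling: longer passphrases are encouraged
SIMILARITY_THRESHOLD = 0.8

# Constructed sample deny list. In production load a published list of
# common/breached passwords (hundreds of thousands of entries).
DENY_LIST = {"password", "12345", "123456", "qwerty", "letmein",
             "welcome", "admin", "iloveyou", "monkey", "dragon"}

# Rows used to spot keyboard-adjacent or alphabetical runs ("qwert", "abcde").
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm",
                 "1234567890", "abcdefghijklmnopqrstuvwxyz")

# The substitutions that cracking rules undo anyway.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalise(password: str) -> str:
    """Reduce a password to the base word a cracking rule would recover.

    Lower-cases, strips the trailing digits/punctuation people append
    ("Summer2021!" -> "summer"), then undoes leet substitutions
    ("P@ssw0rd" -> "password").
    """
    core = password.lower()
    core = re.sub(r"[\d!@#$%^&*?._\-]+$", "", core)
    return core.translate(LEET)


def has_keyboard_run(text: str, run: int = 5) -> bool:
    """True if `run` consecutive characters walk along a keyboard row
    forwards or backwards, e.g. "qwert", "54321", "abcde"."""
    for i in range(len(text) - run + 1):
        chunk = text[i:i + run]
        for row in KEYBOARD_ROWS:
            if chunk in row or chunk in row[::-1]:
                return True
    return False


def validate(password: str, username: str = "",
             previous: tuple[str, ...] = ()) -> list[str]:
    """Return the list of policy failures; an empty list means accepted.

    `previous` is plaintext only for this demo. A real system checks history
    against stored hashes and can only run the similarity check against the
    old password the user types in at change time.
    """
    problems = []
    base = normalise(password)

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if base in DENY_LIST or password.lower() in DENY_LIST:
        problems.append("on the deny list (after undoing common substitutions)")
    if re.search(r"(.)\1{3,}", password):
        problems.append("contains a character repeated 4+ times")
    if has_keyboard_run(password.lower()):
        problems.append("contains a keyboard or alphabetical sequence")
    if len(username) >= 3 and username.lower() in password.lower():
        problems.append("contains the username")
    for old in previous:
        if old == password:
            problems.append("reuses a previous password")
            break
        if difflib.SequenceMatcher(None, normalise(old), base).ratio() >= SIMILARITY_THRESHOLD:
            problems.append("too similar to a previous password")
            break
    return problems


if __name__ == "__main__":
    # Constructed candidates showing each check firing.
    for pw, user, prev in [("P@ssw0rd1!", "", ()),
                           ("Summer2021!", "", ("Summer2020!",)),
                           ("qwerty123", "alice", ()),
                           ("correct horse battery staple", "alice", ())]:
        print(f"{pw!r}: {validate(pw, user, prev) or 'OK'}")
```

Note that the similarity check compares normalised forms, so "Summer2020!" to "Summer2021!" is rejected even though two characters differ; that is exactly the increment-the-digit habit described under point 1.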
5. Allowing password “copy and paste”
The old thinking was that a password that has been copied and pasted could be stolen from the clipboard. The unintended consequence of blocking paste is that users end up writing their passwords down or choosing shorter ones they can retype. Removing the restriction lets users choose longer or more complex passwords and use password managers freely. As with so many other things, the simpler it is to do something, the more people will do it. So let's make life easier (within reason) for our users.
6. Time-outs on failed password attempts
Restricting failed password attempts helps thwart brute-force attacks. There are different ways to implement the restriction: you can limit the number of attempts per account, per device or per source address, and you can apply the limits in stages (for example a short, growing delay after each failure before a full lock). It is also worth thinking through what a lock-out should mean. It acts as an immediate security barrier, it should trigger an alert to your IT staff (especially if several accounts are affected at once), and it sends a not-so-subtle message to the user about their password management. Bear in mind that anyone who can trigger a lock can also use it to keep legitimate users out, so prefer staged delays and reserve hard locks for persistent abuse.
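The staged approach above (free attempts, then growing delays, then a lock with an alert) is shown in the added Python example below, written for this article rather than taken from any product. It tracks failures per account and, with a more generous limit, per source address so that one attacker trying a few passwords against many usernames is still slowed down. The clock and alert callback are injectable, which is an assumption made so the behaviour can be demonstrated without waiting.

```python
import time
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Attempts:
    failures: int = 0
    blocked_until: float = 0.0   # monotonic timestamp; 0 means not blocked


class LoginThrottle:
    """Staged throttling of failed logins, per account and per source IP.

    Stage 1: the first FREE_ATTEMPTS failures cost nothing.
    Stage 2: each further failure doubles the wait before the next try
             (1s, 2s, 4s, ...), which blunts brute force without giving an
             attacker an easy way to lock a victim out.
    Stage 3: at LOCK_AFTER failures the account is locked for LOCK_SECONDS
             and an alert is raised for staff to review.
    The per-IP counter has a higher threshold because one address serving
    many users (NAT, VPN) will legitimately see more failures.
    """
    FREE_ATTEMPTS = 3
    LOCK_AFTER = 10
    LOCK_SECONDS = 15 * 60
    IP_LOCK_AFTER = 50

    def __init__(self, clock=time.monotonic, alert=print):
        self._clock = clock           # injectable for testing
        self._alert = alert           # e.g. a SIEM or ticketing hook
        self._by_account = defaultdict(Attempts)
        self._by_ip = defaultdict(Attempts)

    def check(self, account: str, ip: str) -> tuple[bool, float]:
        """Call before verifying the password. Returns (allowed, seconds_to_wait)."""
        now = self._clock()
        until = max(self._by_account[account].blocked_until,
                    self._by_ip[ip].blocked_until)
        wait = until - now
        return (wait <= 0, max(wait, 0.0))

    def record_failure(self, account: str, ip: str) -> None:
        now = self._clock()
        acct = self._by_account[account]
        acct.failures += 1
        if acct.failures >= self.LOCK_AFTER:
            acct.blocked_until = now + self.LOCK_SECONDS
            self._alert(f"account {account!r} locked after {acct.failures} "
                        f"failures, last from {ip}")
        elif acct.failures > self.FREE_ATTEMPTS:
            # 4th failure waits 1s, 5th 2s, 6th 4s, ...
            acct.blocked_until = now + 2 ** (acct.failures - self.FREE_ATTEMPTS - 1)

        src = self._by_ip[ip]
        src.failures += 1
        if src.failures >= self.IP_LOCK_AFTER:
            src.blocked_until = now + self.LOCK_SECONDS
            self._alert(f"source {ip} blocked after {src.failures} failures "
                        f"across accounts (possible password spraying)")

    def record_success(self, account: str) -> None:
        """Reset the account counter; the IP counter is kept so sprays stay visible."""
        self._by_account.pop(account, None)


if __name__ == "__main__":
    # Constructed walk-through with a fake clock so it runs instantly.
    t = [0.0]
    throttle = LoginThrottle(clock=lambda: t[0], alert=lambda msg: print("ALERT:", msg))
    for attempt in range(1, 11):
        allowed, wait = throttle.check("bob", "203.0.113.5")
        if not allowed:
            print(f"attempt {attempt}: must wait {wait:.0f}s")
            t[0] += wait
        throttle.record_failure("bob", "203.0.113.5")
    print("bob allowed now?", throttle.check("bob", "203.0.113.5"))
    print("alice from same IP allowed?", throttle.check("alice", "203.0.113.5")[0])
```

The application should call `check()` first and only run the password verification (and `record_failure()`) when it returns allowed; otherwise it returns a generic error with the wait time, without revealing whether the account exists.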
7. Not using password hints
When you’ve been prompted by hints, how many of these asked for your mother’s maiden name? Or the first street you lived in? Maybe the first car you owned?
Now think of all the potential overshares via social media quizzes or similar (not you of course). Enough said on this one.
8. Using Multi-Factor Authentication (MFA)
MFA requires at least two different types of authentication factor. Typically these are something you:
- know – a password, PIN, or secret answer to a question
- have – a smartcard, physical token, or mobile device
- are – retinal scan, fingerprint, voice, or facial recognition
With the advances in and prevalence of technology and devices, MFA is becoming easier to implement and is well worth considering. According to Microsoft estimates from 2019, MFA can block 99.9% of account compromise attacks.
To wrap up
The list above is based on recommendations from NIST in the US and echoes what we believe is applicable best practice in South Africa.
Inspired? We hope so. But once you've updated your policies, remember to take your staff on the journey too. Educate them on how to create strong passwords as well as the negative implications that non-compliance has for your business. Make it real for them.
All a little too much? Give us a call. We’d be happy to discuss this and any other IT or Cyber Security requirements you may have.
For more information on our business, team and services please visit www.businesstechnology.co.za
Doing business better. Together.