92% of UK businesses experienced a cyberattack in the last 12 months
(Keeper 2021 UK Cybersecurity Census)
In this age of hacking and cyber-terrorism, your company's data is a target. And it doesn't take much for a hacker to break into a network and wreak havoc. The stakes are high. What do you need to know about password security?
This blog post will cover (almost) everything that those with responsibility for IT should know about passwords - from the basics to the latest trends in protection. We'll give you all the information necessary so that you can make informed decisions when it comes to protecting your company's assets from hackers and other threats.
While this guide is aimed at those responsible for an organization’s IT security, it’ll hopefully be useful to anyone interested in password security or those just trying to understand why so much emphasis is put on their company’s IT security policy.
23,000,000 account-holders in the UK use the password “123456”
(Nord Pass, 2020)
65% of UK businesses relaxed their cybersecurity policies during the pandemic
(Keeper 2021 UK Cybersecurity Census)
Hopefully, this will be pretty obvious, so I won’t go on about it, but it can’t hurt to briefly run through it again.
Passwords have been with us for a very long time and will likely be with us for quite a while longer. Despite their obvious flaws, they’re still ubiquitous.
Passwords and usernames/email addresses (credentials) are often the first line of defense between your organization’s sensitive data and the army of cyber-criminals trying to access it.
Gaining access to precious corporate data using credentials found via social engineering (mechanisms such as phishing and smishing) is still the most common cause of data breaches.
The risks to your organization of a data breach are not only related to the sensitivity of your data if it gets into the wrong hands. With the rise of ransomware, you also need to consider the implications of losing access to your own data.
Weak passwords and poor password security can effectively leave the door open to cyber-criminals, so if IT security is your responsibility, you can’t really afford to ignore it! It’s also one of the simplest things to fix in the often highly complex world of IT security.
It takes less than a second to crack 8 of the top 10 most used passwords
(Nord Pass, 2020)
29% of adults worldwide rotate between 5 and 10 different passwords
(Proofpoint, 2020)
There are lots of ways to increase the password security of your organization. Some of them require quite a bit of technical knowledge to implement, but there are also some pretty simple ones too. Most of them are relatively cheap to implement, at least compared to the potential cost of a security breach!
A relatively fundamental thing is to first understand what makes a good password.
A strong password follows a couple of simple rules. It should:
A password of 15 numbers can be cracked in around 6 hours.
(howsecureismypassword.net)
A minimum of 16 characters is usually recommended for a secure password which should take at least 2 days to crack in a brute-force attack. If it contains a mix of upper and lowercase letters, numbers, and symbols, it’ll take up to 1 trillion years!
Ideally, the restrictions placed on a password should be flexible enough to accommodate different types of passwords. For example, some people may find a password made up of a few random words easier to remember than a much shorter string of random characters. If a password is of significant length, the use of special characters becomes less relevant. An 18-character password of just lowercase letters will take around 23 million years to crack!
All of this may not seem relevant if you are going to implement a password manager but remember, each user will still need a secure master password.
Data from https://howsecureismypassword.net/
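The guidance above (length first, character mix second, and never a password from the common lists) can be expressed as a policy check. What follows is an added example, not code from the original post or from howsecureismypassword.net: its crack-time figures use an assumed rate of 10 billion guesses per second, so they will not match the site's numbers, and the common-password list is a constructed stand-in for a real breach list.

```python
import math
import string

# Constructed stand-in for a breached/common-password list. "123456" and "password"
# are the ones the post cites; the remaining entries are illustrative, not a real list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "123456789", "111111"}

# Assumed attacker speed for the estimates below (an assumption for illustration;
# real speeds depend on the hash in use and the attacker's hardware).
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must search if they know which character
    classes (lowercase, uppercase, digits, symbols, space) the password draws on."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII symbols
    if any(c.isspace() for c in password):
        size += 1
    return size


def keyspace_bits(password: str) -> float:
    """log2 of the number of passwords with this length and alphabet."""
    n = charset_size(password)
    return len(password) * math.log2(n) if n else 0.0


def crack_time_seconds(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to search the whole keyspace at the assumed guess rate."""
    n = charset_size(password)
    return (n ** len(password)) / rate


def human_time(seconds: float) -> str:
    """Format a duration the way the post quotes them (hours, days, years)."""
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def check_password(password: str, min_length: int = 16, min_bits: float = 80.0):
    """Policy from the post: reject anything on the common list outright, then accept
    either a long password (so passphrases of plain words pass) or a shorter one
    whose character mix gives enough keyspace. Returns (accepted, reason)."""
    if password.lower() in COMMON_PASSWORDS:
        return False, "password is on the common-password list"
    bits = keyspace_bits(password)
    if len(password) >= min_length:
        return True, f"length {len(password)} meets the {min_length}-character minimum"
    if bits >= min_bits:
        return True, f"{bits:.0f} bits of keyspace from a mixed character set"
    return False, (f"too short ({len(password)} < {min_length}) and only {bits:.0f} bits; "
                   f"exhaustive search takes about {human_time(crack_time_seconds(password))}")


if __name__ == "__main__":
    for candidate in ("123456", "123456789012345", "Tr0ub4dor&3",
                      "abcdefghijklmnop", "correct horse battery staple"):
        ok, why = check_password(candidate)
        print(f"{'ACCEPT' if ok else 'REJECT'} {candidate!r}: {why}")
```

The "length or entropy" rule is what lets an 18-character lowercase passphrase through while still rejecting a 15-digit PIN, which is the flexibility the post argues for; the crack-time estimate is only ever shown in the rejection reason, because a number like "1 trillion years" is easily misread as a guarantee.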
“password” is the 4th most common password used
(Nord Pass 2020)
16% of adults worldwide use the same one or two passwords for all accounts
(Proofpoint, 2020)
In case you’re not aware, password managers are SaaS products that manage the ever-increasing list of credentials most of us use in our working (and personal) lives.
When it comes to password managers, something is better than nothing. A basic password manager will mean that you don’t have to remember your credentials, and in-built password generators can easily generate new secure passwords when required.
These days they will also often tell you if your credentials have been leaked in a security breach and prompt you to change the related password.
There are plenty of password management options out there, but they generally fall into two categories:
Although browser-based password managers are improving, they generally don’t have a lot of the really useful features of many 3rd party products.
They often have significant disadvantages over 3rd party products, such as the fact that they lock you into a particular browser. If you regularly switch browsers, for example, if you use Chrome on Windows and Safari on your iPhone, this kind of solution probably won’t work for you.
There are other features that you usually miss out on when using a browser-based password manager, which are covered in the next section:
Cross-platform and browser
If you're going to use a password manager, you really want one you can use across all your devices. It's a pain finding you've generated a highly secure, random password, saved it to your password manager but can't access it on your phone!
Ability to share passwords
Despite it generally being bad practice, it may sometimes be necessary to share a password, for instance for emergency accounts. Password managers often come with the ability to share credentials between accounts, often without even revealing the password to the person you're sharing it with, which maintains security.
Auditable
Many of these platforms allow managers to audit their team's use of the software, seeing if they're re-using passwords, have insecure passwords, or even if they're not using the software at all!
Enforcement policies/rules
Many rules can be specified to maintain a level of security. For example, prohibiting the export of data or the re-use of master passwords, or requiring a unique master password.
Share credentials across sites
Credentials used across multiple sites can be shared between those entries without creating duplicates.
Add notes
It may be useful to be able to add notes to accounts, for instance, if an account requires a password that needs to be quoted over the phone.
One-click change of credentials
Some password managers allow the credentials for specific sites to be changed with a single click.
NOTE: It’s worth mentioning that a password manager is only as secure as the master password used to access it. So, it’s really important that if your organization uses a password management solution, you set out some clear rules around master passwords, or even better, set up rules to enforce those policies.
These should include policies like:
In a recent Microsoft Twitter poll, one in five people reported they would rather accidentally “reply all”—which can be monumentally embarrassing—than reset a password.
20% of remote workers in the UK use their work email and password to log into consumer websites and apps
(Proofpoint, 2020)
This is the second most important step in securing your users’ logins and is usually pretty simple to implement. It’s also sometimes referred to as two-factor authentication (2FA).
The way this works is by requiring at least two authentication mechanisms (factors) before granting access to a resource. This means the user must be in possession of not just the relevant credentials but also another piece of information that is not easily accessed.
Username/password credentials are usually the first factor, and the 2nd factor can be one of a few things. The most common 2nd factors are:
A lot of security-conscious software will have MFA built-in these days. In some cases, it’ll just be a matter of turning on this feature. However, it’s becoming more common to have this feature turned on by default or even mandatory, given how much additional protection it can provide.
MFA setup can be more complicated depending upon the types of factors supported. Some users can also find it a bit of a pain, as it can require registering a separate device and can often increase the time it takes to log in to a system. However, given the significantly increased level of security and peace of mind MFA can provide to those with responsibility for an organization’s security, it’s often worth the trouble.
88% of consumers across the world use the same password for more than one account
(Auth0, 2021)
Single sign-on (SSO) enables your users to use a single password to access multiple accounts.
The primary benefit of SSO to your users is that the number of credentials they need is reduced. There are also multiple benefits to your organization of this approach.
The idea is that you allow a single provider to manage the login for multiple systems. For example, if you use Microsoft Active Directory (AD), you can use this solution to grant your users access to other corporate resources. These can be any corporate resources that support SSO, such as Google, Apple, Salesforce, Zoom, and plenty of others.
This takes a bit of setting up, but once you get the hang of it, it’s not too difficult, and importantly it saves your users hassle and increases security.
An additional benefit of SSO is that if your user forgets their password or leaves, IT has a single place to reset the password or disable the user account.
Having a single mechanism of authentication for multiple systems also makes user onboarding and offboarding significantly simpler for obvious reasons.
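The onboarding and offboarding point is easiest to see in code. Below is an added example, not code from the original post or from Active Directory or any SSO product: a toy identity provider that is the only place passwords are checked, issuing short-lived signed assertions that two applications verify with a shared key, so disabling the account in one place cuts off every application. The user names, passwords and key are constructed.

```python
import base64
import hashlib
import hmac
import json
import os
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """The one place that holds accounts and checks passwords (the role AD plays in the
    post). Applications never see the password, only a signed, expiring assertion."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._users = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = {"salt": salt, "hash": self._hash(password, salt), "enabled": True}

    def reset_password(self, username: str, new_password: str) -> None:
        """One reset covers every connected application."""
        user = self._users[username]
        user["salt"] = os.urandom(16)
        user["hash"] = self._hash(new_password, user["salt"])

    def disable_user(self, username: str) -> None:
        """Offboarding: one switch, no per-application clean-up of passwords."""
        self._users[username]["enabled"] = False

    def authenticate(self, username: str, password: str, audience: str, ttl: int = 300, now=None):
        """Return a signed assertion for `audience` (the application asking), or None."""
        now = int(time.time()) if now is None else now
        user = self._users.get(username)
        if user is None:
            self._hash(password, b"\x00" * 16)  # spend the same time so unknown users are not revealed by timing
            return None
        if not user["enabled"] or not hmac.compare_digest(self._hash(password, user["salt"]), user["hash"]):
            return None
        claims = {"sub": username, "aud": audience, "iat": now, "exp": now + ttl}
        body = _b64url(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"


class ServiceProvider:
    """An application that trusts the identity provider and stores no passwords at all."""

    def __init__(self, name: str, verification_key: bytes):
        self.name = name
        self._key = verification_key

    def accept(self, token: str, now=None):
        """Return the username if the assertion is genuine, addressed to this
        application and unexpired; otherwise None."""
        now = int(time.time()) if now is None else now
        body, sep, sig = token.rpartition(".")
        if not sep:
            return None
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None  # tampered or signed by someone else
        claims = json.loads(_unb64url(body))
        if claims.get("aud") != self.name or claims.get("exp", 0) <= now:
            return None  # meant for another application, or stale
        return claims["sub"]


if __name__ == "__main__":
    key = b"constructed-demo-signing-key"
    idp = IdentityProvider(key)
    idp.add_user("alice", "correct horse battery staple")
    mail, crm = ServiceProvider("mail", key), ServiceProvider("crm", key)
    t = idp.authenticate("alice", "correct horse battery staple", "mail")
    print("mail accepts alice:", mail.accept(t))
    print("crm rejects a mail token:", crm.accept(t))
    idp.disable_user("alice")
    print("after offboarding:", idp.authenticate("alice", "correct horse battery staple", "crm"))
```

The caveat the demo makes visible is that an assertion issued before the account was disabled stays valid until it expires, which is why the `ttl` is minutes rather than hours: offboarding at the identity provider is instant for new logins, but existing sessions live as long as you let the tokens live.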
“123456” is the most common password in use
(Nord Pass 2020)
The death of the password has been predicted from as far back as 2004 by Bill Gates, and it’s been predicted many times by many others since then.
However, it’s not until relatively recently that major authentication providers have embraced passwordless technologies.
Passwordless login is similar to MFA in the sense that it uses multiple factors to authenticate a user. The key difference is that it doesn’t require a password. It usually uses public-key cryptography to identify and authenticate a user. Basically, this means that the user provides their public identifier (email address, phone number, or username) and at least one other factor (containing their private key) to identify and authenticate them.
Significantly, in March 2021, Microsoft made passwordless sign-in generally available to commercial users. They have since (September 2021) made passwordless sign-in generally available to all users.
This may well signal the beginning of the end of the road for passwords; we’ll have to wait and see! Either way, passwords will certainly be with us for a while longer.
64% of UK organisations that have experienced a cyberattack in the last 12 months have between 1 and 100 employees
(Keeper 2021 UK Cybersecurity Census)