By Dan Conrad, Security team lead at One Identity
It is not a secret that passwords are not a particularly secure method of protection, furthermore in a world where multifactor authentication is becoming the norm, talking about password hygiene seems a little dated but still, according to the Verizon 2021 Data Breach Investigations Report, credentials are the route to data breaches in 61% of incidents.
In an ideal world, and increasingly in reality, any system or application that contains critical information such as banking information, healthcare, or corporate enterprise intellectual property are protected with multifactor. For those systems that are not, such as smaller non-critical businesses, or personal online accounts, good password hygiene is still very important.
A few years back, I received an opportunity to comment on an Instagram customer account breach where the attacker had gained access to some usernames and passwords. My first thought was…. “This is pointless.” Why do we care if a portion of the Instagram population has their usernames and passwords compromised? What could possibly happen? Then it occurred to me that most people reuse passwords. So, the same username or email address may be tied to a personal banking account or even a corporate/work system with intellectual property, VPN access, or even an Active Directory credential.
Therefore, it’s important to remember these password basics to ensure your personal and corporate data secured:
Tip #1: Never reuse passwords, or derivatives of the same password.
The concept of frequently changing passwords is fading. Many systems no longer require frequent changes, due to passwords becoming less and less frequently used. However, just because these systems have stopped mandating password changes, this does not mean that you have carte blanche when it comes to password use.
While cycling passwords or single-use passwords is very valuable with highly privileged accounts, the value of constantly cycling a standard user password is much less if a complex password is used initially.
Tip #2: Use complex passwords with at least eight characters.
I personally use a password manager that will store and inject passwords. There are many good ones on the market but be sure to protect this personal password vault with multifactor authentication. With this system, I can set it to create passwords for up to 99 characters. Remember that you may have to physically type one of these passwords at some point so selecting 99 characters, which is highly secure from password crackers, may be terribly inconvenient. I’ve learned this from experience.
It’s important to strike the appropriate balance when it comes to passwords; they need to be secure but making them so secure that they render the account in question virtually inaccessible should not be the aim of any password manager.
Tip #3: Given the option – use a strong password and multifactor authentication.
Multi-factor authentication is a massively important tool in double-stamping the security of your passwords. However, they are not a silver bullet. Don’t expect multifactor to protect your account when you use “Password1” as your password. If the initial password is weak, this will simply encourage attackers. The account will be subjected to more attacks, so you have made the decision to leave the first security door unlocked. The best advice I can give is to use an 8+ character password AND multifactor authentication.
From the perspective of protecting the corporate enterprise and users with authentication, passwords and proper selection/use are a key element. Users can look at their authentication/credentials as the keys to the building. You wouldn’t share the key with anyone, and you should be very concerned about someone taking your keys, whether with malicious intent or not.
We all need to do better. Sadly, the days of reading your username and password over the phone are not quite behind us yet. Even sending them across supposedly encrypted services like WhatsApp isn’t advisable. These practices would undoubtedly be against corporate security policies – and if they are not, they should be.
In conclusion if you want to make sure employees don’t do this sort of thing, use multifactor for ALL of your user authentication needs.