Password Hygiene: Strong Rules Any Company Should Follow

August 29, 2020

Remote workers use countless passwords for many daily activities and tasks. Since these passwords protect the organization’s most sensitive data, cybercriminals are always making efforts to capture, compromise, or gain access to corporate devices. Luckily, there are several password hygiene security protocols any company could follow.

Understanding How Passwords Can Be Compromised

Before learning how to create strong passwords, you need to understand how credentials get compromised. Knowing the password-cracking techniques attackers use is the best way to keep them from working against your employees. Let’s briefly go through the most common methods.

Phishing

One of the most common ways your passwords get exposed is phishing. A fake email leads the unsuspecting reader to a fake login page. The thought process is simple: why bother cracking the password when the user will happily give it away? 

Brute force attack

A brute force attack is when cybercriminals systematically try an extensive list of candidate passwords, such as every word in a dictionary or guesses built from relevant clues about the user, until one works. Brute force attacks require huge amounts of computing power.

Credential stuffing

Credential stuffing is when attackers take a list of usernames and passwords from a data breach and try them against other services to determine whether those passwords were reused elsewhere. Have I Been Pwned is a simple way of checking whether a password you’re considering has already been exposed in a breach.

Social engineering (shoulder surfing and phone scams)

Social engineering attacks rely on manipulation to trick users into making security mistakes or giving away sensitive information. Sometimes, all cybercriminals need to do to steal valuable credentials is to get close to one of your employees. This is called shoulder surfing and is more common in office buildings. Remote workers could receive a fake urgent phone call from someone pretending to be an IT employee asking for access to the system. 

Essential Password Hygiene Tips

Use multi-factor authentication

For an added layer of security, every organization should opt in to multi-factor authentication. This way, even if an attacker does uncover a password, they cannot access any sensitive data without the trusted device and the verification code, and users get a prompt that lets them react faster to a login they did not initiate. Experts advise against receiving verification codes via text message and advocate for authentication apps such as Authy, Google Authenticator, or Microsoft Authenticator.

Use a good password manager

Complex passwords or passphrases which combine uppercase letters, lowercase letters, numbers, and symbols can be very hard to remember. This is where password managers come in. A trusted automated password management tool can create and store strong, lengthy passwords. Moreover, you can enforce strong password policies across all your applications and systems. Recommended password managers in 2020: LastPass, 1Password, Dashlane, Keeper. 

Educate your staff on password safety

First of all, ban common passwords. According to Microsoft, the most important requirement when creating passwords is to ban the use of common passwords, in order to reduce your organization’s susceptibility to brute force password attacks. Common user passwords include: abdcefg, poiuytreewq, password, monkey, 123456, qwerty, abc123, 111111.

Another important message for your employees is to not re-use their organization passwords anywhere else. The use of organization passwords on external websites greatly increases the likelihood that cybercriminals will compromise these passwords.

Don’t update or change passwords often

Changing passwords every 60 or 90 days was a long-accepted practice, mainly because that was how long it took to crack a password. Nowadays, security experts recommend eliminating mandatory periodic password resets for user accounts. The reason is very simple: these requirements push users toward easy-to-remember, predictable passwords made of a familiar word followed by sequential or repeated digits. Examples: password1234, password4321, password9999, password0000, john1980, erika123456.
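The three checks described above (a banned-password list, the predictable word-plus-digits pattern, and a Have I Been Pwned lookup) can be combined into one policy check at password-set time. The following is an added example, not code from the article or from Microsoft or Have I Been Pwned; the banned list, the breach counts and the cached range response are constructed for the demo, and the k-anonymity lookup mirrors the real Pwned Passwords API shape (send the first 5 hex characters of SHA-1, receive suffix:count lines) without making a network call.

```python
import hashlib
import re

# Constructed banned list for the example; a deployment would load Microsoft's
# global banned list plus the organisation's own custom entries.
BANNED = {"abcdefg", "poiuytrewq", "password", "monkey", "123456", "qwerty",
          "abc123", "111111"}
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})

# Constructed stand-in for cached Pwned Passwords range responses, keyed by the
# 5-char SHA-1 prefix the client sends. The first suffix is SHA-1("password")
# without its prefix; the counts are made up for the demo.
RANGES = {"5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n" + "0" * 35 + ":2\n"}

def normalize(pw):
    """Undo the tweaks users add to a banned word: case, trailing digits/symbols, leetspeak."""
    return pw.lower().rstrip("0123456789!?.").translate(LEET)

def is_predictable(pw):
    """Flag word + digit-run patterns such as password1234, password0000 or john1980."""
    m = re.fullmatch(r"([a-z]+)(\d{3,})", pw.lower())
    if not m:
        return False
    digits = m.group(2)
    sequential = digits in "0123456789" or digits in "9876543210"
    repeated = len(set(digits)) == 1
    year_like = re.fullmatch(r"(19|20)\d\d", digits) is not None
    return sequential or repeated or year_like

def pwned_count(pw, ranges):
    """Look the password up in cached k-anonymity range responses; 0 if unseen."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in ranges.get(prefix, "").splitlines():
        s, _, count = line.strip().partition(":")
        if s == suffix:
            return int(count)
    return 0

def check_password(pw, ranges=RANGES):
    """Return policy findings for pw; an empty list means the password passes."""
    findings = []
    if pw.lower() in BANNED or normalize(pw) in BANNED:
        findings.append("matches a banned common password")
    if is_predictable(pw):
        findings.append("word plus predictable digit run")
    seen = pwned_count(pw, ranges)
    if seen:
        findings.append(f"seen {seen} times in breach data")
    return findings
```

Only the hash prefix ever leaves the client, which is why a breach-corpus check can be added without sending the password itself to a third party.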

The COVID-19 pandemic made working from home the norm for millions of workers all around the world. IT departments are now tasked with the extra burden of making sure all this remote access is secured. At first glance, setting a strong password policy might look complicated and confusing, but building a culture of security awareness within the organization should be a priority for everyone.