This year, Verizon outlined in its annual Data Breach Investigations Report that 81 percent of hacking-related data breaches involved either stolen or weak passwords. This means that password protection is a real pain in the neck for security officers at enterprises. They can’t be complacent about the processes and controls they rely on for password management as cyber criminals are continuously improving their hacking strategies. Here is a list of 10 password protection best practices that will help enterprises (or anyone, really) strengthen their security against current threats.
Adopt Long Passphrases
For years, businesses and individuals have adopted the practice of combining numbers and symbols to create stronger passwords. However, it didn’t take long for cyber criminals to catch on to the practice of substituting some letters in the word with certain numbers or symbols, like ‘e’ with ‘3’ and ‘s’ with ‘$’. There are many automated tools out there that will easily crack simple substitutions like that. Moreover, users often have to memorize dozens of difficult passwords, so most people just prefer letting browsers remember them. All these practices put password security at risk and make the passwords—stronger or not—ineffective.
To mix things up even more than substituting special characters, the US National Institute of Standards and Technology (NIST) recommends creating long passphrases that are easy to remember but difficult to crack. According to Special Publication 800-63 Digital Identity Guidelines, a best practice is to create passwords of up to 64 characters, including spaces. The popular web comic XKCD compared the strength of a complex password, “Tr0ub4dor&3”, with a long passphrase, “correct horse battery staple”. It found that the password built with special-character substitutions could be guessed in only 3 days, while the passphrase would take 550 years to crack.
Avoid Periodic Changes
A popular password security practice over the years has been to force users to change passwords periodically—every 90 days, or 180 days, or whatever frequency you choose. However, more recent guidance from NIST advises against a mandatory policy of periodic password changes. One reason is that users tend to make small transformations of their old passwords or simply repeat ones they had used before. You can implement policies to prevent password re-use, but users will still find creative ways around them. The other consequence of frequent password changes is that users are more likely to write the passwords down to keep track of them. While they comply with company policy, their passwords are still easy to guess or crack. Thus, the best practice from NIST is to require a password change only when there is evidence of a potential threat or compromise.
Create a Password Blacklist
Hackers usually start their attacks by attempting to guess a password using a database of the most popular passwords, dictionary words, or passwords that have already been cracked. NIST encourages enterprises to arm themselves with the same sources of common passwords in order to create their own blacklist. By comparing new passwords against this list, enterprises can prevent employees from choosing weak passwords. Moreover, it is quite effective to add a limit on the number of failed login attempts in order to detect and reject brute-force or dictionary attacks.
Implement Two-Factor Authentication
Two-factor authentication has already become a de facto standard for managing access to corporate servers. In addition to traditional credentials like username and password, users have to confirm their identity with a one-time code sent to their mobile device or by using a personalized USB token. The idea is that with two-factor (or multi-factor, if you want to add further factors) authentication, guessing or cracking the password alone is not enough for an attacker to gain access. This type of authentication is effective for strengthening identity validation when employees access critical endpoints or sensitive data, or confirm transactions and other critical actions. For these purposes, you can use user monitoring solutions like Ekran System with built-in two-factor authentication options. Such solutions will also keep you updated about users’ activity on your business network.
Add Advanced Authentication Methods
While passwords are still widely used for authentication, there is an increasing tendency to shift to advanced, non-password-based methods. Instead of passwords, users can be authenticated through biometric verification—like logging in to an iPhone with a thumbprint using Touch ID, or authenticating on a Windows 10 PC just by looking at it with Windows Hello facial recognition. This method allows the system to identify employees by recognizing their faces, fingerprints, voices, irises, or heartbeats. Moreover, there are also behavioral biometrics that create a unique profile of each user by analyzing their interactions with the system (typically used applications, unique keystroke and mouse dynamics).
Apply Password Encryption
Encryption provides additional protection for passwords even if they are stolen by cyber criminals. There is a popular tendency to use reversible encryption or to apply only a plain one-way hash. However, these methods are ineffective: if an attacker obtains the password database, they can easily crack and compromise the passwords it contains. Instead, the best practice is to use end-to-end protection that is non-reversible, so that passwords are also protected in transit over the network. Moreover, it is dangerous to store password files in plain text. There are many cases where hackers have compromised an enterprise’s password database and walked away with a treasure trove of unencrypted passwords.
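As an added example (not code from the article), the block below contrasts the weak storage the paragraph warns about with a non-reversible alternative. `naive_hash` is a single unsalted SHA-256, which maps every user with the same password to the same digest and is cheap to crack offline; `hash_password` uses PBKDF2-HMAC-SHA256 with a random per-user salt and a high iteration count, so a stolen database cannot be reversed and each entry must be attacked separately. The storage string format and the iteration count (600,000, the figure in the OWASP Password Storage Cheat Sheet for this algorithm) are choices made for this example.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # cost parameter; raise it as hardware gets faster


def naive_hash(password):
    """What NOT to do: fast, unsalted one-way hash. Identical passwords give
    identical digests, and an attacker with the database can precompute guesses."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=ITERATIONS):
    """Salted, slow, non-reversible hash. Returns a self-describing storage string
    (assumed format: algorithm$iterations$salt$hash, all base64 where needed)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time so timing does not leak how many bytes matched."""
    try:
        algo, iterations, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: two users who happened to choose the same passphrase.
    pw = "correct horse battery staple"
    print("naive, user A:", naive_hash(pw))
    print("naive, user B:", naive_hash(pw))  # identical: one crack exposes both
    a, b = hash_password(pw), hash_password(pw)
    print("salted, user A:", a)
    print("salted, user B:", b)  # different salts, different hashes
    print("verify correct:", verify_password(pw, a), "| verify wrong:", verify_password("Tr0ub4dor&3", a))
```

Storing the iteration count alongside the hash lets you raise the cost later and re-hash users transparently on their next successful login.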
Protect Accounts of Privileged Users
Accounts of privileged users require additional protection, as they provide access to sensitive data and other privileged actions. The best practice is to give these users a different login URL and allow only a single sign-on attempt. After a failed login attempt, you can lock the privileged account in order to prevent unauthorized access.
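To make the lockout rules concrete, here is an added example (not code from the article) of a login guard that applies a per-account policy: standard accounts lock for a cooling-off period after a number of failures, while privileged accounts follow the single-attempt rule described above and stay locked until an administrator releases them. The thresholds, the 15-minute cooling-off period and the account names are constructed for the example; the clock is passed in explicitly so the behaviour can be tested without waiting.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    max_failures: int      # failed attempts allowed before the account locks
    lockout_seconds: int   # how long the lock lasts; 0 means until an admin unlocks


# Assumed policies for the example.
STANDARD = LockoutPolicy(max_failures=5, lockout_seconds=15 * 60)
PRIVILEGED = LockoutPolicy(max_failures=1, lockout_seconds=0)  # single-attempt rule


@dataclass
class AccountState:
    failures: int = 0
    locked_at: Optional[int] = None  # unix time the lock was applied, or None


class LoginGuard:
    """Tracks failed attempts per account and enforces the account's lockout policy."""

    def __init__(self, policies: Dict[str, LockoutPolicy]):
        self.policies = policies
        self.state: Dict[str, AccountState] = {}

    def is_locked(self, user, now):
        st = self.state.get(user)
        if st is None or st.locked_at is None:
            return False
        policy = self.policies[user]
        if policy.lockout_seconds == 0:
            return True  # privileged: manual unlock only
        if now - st.locked_at >= policy.lockout_seconds:
            self.state[user] = AccountState()  # cooling-off period over; reset
            return False
        return True

    def record_attempt(self, user, password_ok, now):
        """Call after checking the password. Returns 'ok', 'failed' or 'locked'.
        A locked account is refused even when the password is correct."""
        if self.is_locked(user, now):
            return "locked"
        st = self.state.setdefault(user, AccountState())
        if password_ok:
            self.state[user] = AccountState()  # success clears the failure count
            return "ok"
        st.failures += 1
        if st.failures >= self.policies[user].max_failures:
            st.locked_at = now
            return "locked"
        return "failed"

    def admin_unlock(self, user):
        self.state.pop(user, None)


if __name__ == "__main__":
    guard = LoginGuard({"alice": STANDARD, "dba-admin": PRIVILEGED})
    print([guard.record_attempt("alice", False, now=0) for _ in range(5)])
    print("dba-admin first failure:", guard.record_attempt("dba-admin", False, now=0))
    print("dba-admin correct password while locked:", guard.record_attempt("dba-admin", True, now=5))
```

Lockouts should be logged and alerted on: a burst of locked accounts is itself a strong signal of a password-guessing attack, and a lock on a privileged account deserves a human look before it is released.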
Ensure Secure Connection
Nowadays, there is a wide range of devices and places that can provide access to your corporate networks. However, hackers can easily steal passwords if employees use unsecured Wi-Fi connections or devices that don’t belong to them. For securing your Wi-Fi network, you can use Wi-Fi Protected Access 2 (WPA2), which applies stronger wireless encryption methods than its predecessor.
If you have remote workers, you can consider providing a secure VPN connection. Once authenticated to the VPN, users can securely connect to corporate servers, as all their traffic is protected inside the VPN tunnel.
Incorporate Continuous Backups
If hackers compromise your privileged accounts, there is a high risk that you may lose some portion of your corporate data. To avoid this, it is reasonable to incorporate continuous backups of sensitive information. The frequency of backups can vary, as every enterprise is different. You can set up data backups on a daily or weekly basis. Just find the most appropriate frequency for your company and stick to it.
Arrange Regular Employee Training
To understand the importance of regular employee training, consider that nearly 41 percent of company data leaks occurred because of negligent or untrained workers who opened phishing emails. It’s important to train employees to detect and avoid phishing and other social engineering attacks. Explain how criminals may use social engineering to obtain passwords, and encourage employees to avoid sharing information that could be exploited for attacks. Moreover, inform your staff about the sharp shift in NIST guidelines away from commonplace password practices. Encourage your employees to use long passphrases instead of complex passwords and to change passwords only when necessary.
Stolen or weak passwords are still the most common reason for data breaches, so enterprises should pay very close attention to password security policies and password management. With these best practices, you can create an effective password security policy and provide stronger protection against unauthorized access.