October is Cybersecurity Awareness Month! Throughout the month we’ll explore crucial aspects of online safety, including password best practices, phishing awareness, multi-factor authentication, and more!
In this blog we’ll focus on the importance of strong password habits that are essential to safeguard confidential data, secure communications, and prevent cyber-attacks.
Shockingly, two out of every five individuals have fallen victim to identity theft, password breaches, and compromised sensitive information due to weak passwords.
Passwords play a pivotal role in protecting one’s digital identity. Despite the increasing awareness of security risks, many still choose from a limited list of common passwords. As our society increasingly operates online, the importance of robust password security cannot be overstated.
Password statistics that should influence your online habits:
- Half of all individuals use the same password for multiple logins.
- Nearly 60% of Americans use easily guessable passwords such as names or family members’ birthdays.
- A staggering 60% of employees use identical password for both work personal applications.
- A whopping 61% of breaches result from compromised credentials – the most common cause of malicious attacks.
- Over two-thirds of Americans reuse the same password across different online accounts.
Adhering to the National Institute of Standards and Technology (NIST) guidelines for passwords ensures passwords will be tough to crack and easy to use. The responsibility for enhancing your online security lies with you – the password owner. You can begin by implementing the guidelines below.
General Guidelines to Follow:
NIST guidelines call for an eight-characters minimum length password, with a maximum limit of 64 characters. Encourage the user to make their passwords as long as possible, within reason.
Password length is a primary factor characterized as password strength. Passwords that are too short can be compromised with a brute force attack and dictionary attack using words and commonly chosen passwords.
Incorporating unique characters and numbers increases password complexity. However, this often leads users to create predictable variations. Users are encouraged to use longer passwords as they provide a higher level of protection.
For an example, a user that may have used “muppets” as their password. The user is likely to choose “Muppets1” if they are required to include an uppercase letter and a number. Additionally, if the user must also add a symbol, the user may use “Muppets1#”.
When passwords are rejected based on complex requirements, many users become frustrated and input a password that is unsecured and straightforward.
NIST guidelines state that periodic password-change requirements should be removed. NIST recommends that businesses enforce password expiration and password resets only when a known compromise has occurred, or every 365 days.
Frequent password changes can make security worse. Users tend to make minor modifications or reuse previous passwords. It’s suggested to change passwords only when necessary, such as when two-factor authentication is not enabled, or if there’s a security concern.
Studies show that 53% of people rely on their memories to handle passwords. Never write down a password. If you feel you cannot recall a password, consider leveraging a password manager to store and generate secure passwords.
Companies can provide password managers to minimize human error and deliver an auto-generation of a password based on standard methods.
We suggest allowing copy and paste functions within password fields to reduce mistakes and the time required for multi-factor authentication, which may be leveraged within a password manager.
Lock After Multiple Attempts
NIST guidelines suggest no more than 100 incorrect attempts, but best practice is around 5 attempts.
Organizations are encouraged to implementing account lockouts after a limited number of incorrect password attempts.
Multi-Factor Authentication (MFA) is referred to as two-step verification or dual-factor authentication. MFA adds an extra layer of security by requiring a second form of verification, such as an email, text message, face scan, etc. Leveraging MFA authentication allows users to know when their password is being applied to an account. Think of multi-factor as a type of guardian.
When available or as a third-party application, multi-factor authentication implementation is considered best practice in this digital era in which we live today.
Users are encouraged to regularly check passwords against commonly used lists to prevent weak choices. Some passwords are in a compromised state before they are even created. This can prevent the use of sequential strings like “123456” and common words like “password.”
NIST’s password guidelines are updated regularly and evolve with our ever-changing cyber landscape, ensuring that password security no longer remains a weak link for your organization.
Passwords and identity management are a critical part of protecting our resources. 90% of Internet users are concerned about having their passwords compromised. So, to celebrate Cybersecurity Month, we suggest taking a few minutes to strengthen your security measures and ensure you’re following best practice when it comes to password security.
IT Security is evolving towards passwordless authentication to replace traditional passwords with user-friendly authentication methods and/or devices. This transformation offers organizations the advantage of enhanced convenience and usability without compromising security. Passwordless authentication assures identity through biometrics, security keys, or mobile devices. This approach streamlines the login process, alleviates administrative overhead, and reduces security risks for enterprises, ultimately instilling user trust. Consequently, businesses stand to gain various benefits, including an improved user experience, reduced IT expenses and time commitments, fortified security posture, and reduced help desk costs and user frustrations associated with frequent password resets.
Contact EDCi today to develop your passwordless strategy and enhance your security posture.
Sources: (Web Tribunal, Lastpass, NordPass, Dataprot, Digital Guardian, Secure Data Recovery, DHS.org)