This post first appeared on Risk Management Magazine.
While certainly necessary, the use of passwords for account authentication is flawed. Think for a moment about the passwords you have set for the dozens of work and personal accounts you access every day. At least one password you use is likely derived from the name of a family member, pet, location or some other part of your personal life, and there is a very high chance that you use some of the same passwords across multiple accounts.
These strategies may make it easier for users to remember their countless passwords, but today’s hackers can guess or steal such credentials with relative ease, or crack them with automated brute-force tools. Indeed, according to the latest Verizon Data Breach Investigations Report, 81% of hacking-related breaches last year leveraged stolen or weak passwords, a nearly 20% increase over the previous year.
The password problem is not just persisting, it is getting worse, and that translates into particularly high risk when it comes to privileged accounts within enterprises and the volumes of sensitive data that they manage. Fixing the problem will require the efforts of both individual users and IT security teams.
Starting with the individual users, it is critical to make employees more aware of the most common password mistakes and to ensure that the passwords they use are truly secure. The following considerations should be incorporated into employee education and policies:
While a password such as Secur!Ty123 may seem hack-proof, it uses some common conventions like an exclamation point in place of the letter “i” and a numerical sequence, which are not that difficult for a computer to eventually guess. Remember that size matters: The longer the password, the harder it is to crack. Using a string of random words to create a “passphrase” such as “swan windmill heartbeat soccer” rather than a shorter alphanumeric combination not only helps to create a more secure password, but also one that a user is actually more likely to remember. Regulators and standards organizations such as the U.S. National Institute of Standards and Technology (NIST) support the use of such passphrases and have recently started to encourage security administrators to allow at least 64 characters for account passwords.
Spread Out Special Characters
Most password fields require upper- and lower-case letters as well as numbers and symbols. While this is good practice, most people tend to capitalize the first letter of the password and just add a symbol or number to the end. Again, it is not hard to guess this kind of predictable behavior, reducing any benefit of adding special characters.
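The two points above (length beats complexity, and predictable conventions cancel out the benefit of special characters) can be made concrete with a small checker. The following is an added example and not code from the article: it computes the naive strength a character-class policy assumes for a password such as Secur!Ty123, flags the conventions the article describes (leet substitution, a leading capital, a digit or symbol suffix, a sequential run), gives a rough rule-based estimate of what is left once a cracking tool applies those conventions, and compares that with a random-word passphrase. The word list, the small attacker dictionary and the per-rule bit costs are constructed assumptions for illustration, not measured figures.

```python
"""Added example, not code from the article: estimate how much a patterned
password like Secur!Ty123 really buys compared with a random-word passphrase,
and flag the predictable conventions the article describes. The word list, the
small attacker dictionary and the per-rule bit costs are constructed
assumptions for illustration, not measured figures."""
import math
import re
import secrets

# Constructed mini word list (the article's own four words plus a few more).
# A real passphrase generator draws from thousands of words, because the
# strength of a passphrase comes from the list size, not the word length.
WORDLIST = ["swan", "windmill", "heartbeat", "soccer", "lantern", "copper",
            "glacier", "velvet", "harbor", "meadow", "pistachio", "quartz",
            "saddle", "thimble", "walrus", "yarrow"]

# Constructed sample of base words an attacker's word list would contain.
COMMON_BASE_WORDS = {"security", "password", "welcome", "summer", "winter",
                     "admin", "letmein", "football"}

# Common look-alike substitutions a cracking rule set undoes automatically.
LEET = str.maketrans({"!": "i", "1": "i", "|": "i", "3": "e", "0": "o",
                      "@": "a", "4": "a", "$": "s", "5": "s", "7": "t"})
TRAILING = re.compile(r"[0-9!@#$%^&*._?-]+$")   # digits/symbols tacked on the end
SEQUENCES = ("123", "234", "345", "456", "567", "678", "789", "abc", "xyz")


def random_charset_bits(password: str) -> float:
    """Naive upper bound: bits if every character were drawn uniformly from the
    character classes present. This is what a 'must contain upper, lower, digit,
    symbol' policy implicitly assumes, and it is exactly what patterns defeat."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33  # printable ASCII punctuation
    return len(password) * math.log2(size) if size else 0.0


def base_word(password: str) -> str:
    """Strip a trailing digit/symbol suffix and undo leet substitutions."""
    return TRAILING.sub("", password).translate(LEET).lower()


def predictable_patterns(password: str) -> list[str]:
    """Return the conventions the article calls out; each is a mangling rule a
    cracking tool tries first, so it adds far less strength than it appears to."""
    findings = []
    if password[:1].isupper():
        findings.append("leading capital")
    suffix = TRAILING.search(password)
    if suffix and suffix.start() > 0:
        findings.append("digits/symbol suffix")
    if any(seq in password.lower() for seq in SEQUENCES):
        findings.append("sequential run")
    stripped = TRAILING.sub("", password)
    if base_word(password) in COMMON_BASE_WORDS:
        if stripped != stripped.translate(LEET):
            findings.append("leet substitution of a dictionary word")
        else:
            findings.append("dictionary word")
    return findings


def rough_effective_bits(password: str, dictionary_bits: float = 17.0) -> float:
    """Rough rule-based estimate (an assumption for illustration): a password that
    reduces to a dictionary word costs about dictionary_bits (a ~100k-word list)
    plus a little per mangling rule. Anything else falls back to the naive bound,
    which still overstates strength for other human-chosen patterns."""
    findings = predictable_patterns(password)
    if not any("dictionary word" in f for f in findings):
        return random_charset_bits(password)
    bits = dictionary_bits
    if "leading capital" in findings:
        bits += 1.0                                    # capitalise-first is one rule
    if "leet substitution of a dictionary word" in findings:
        bits += 3.0                                    # a handful of substitution rules
    suffix = TRAILING.search(password)
    if suffix:
        bits += len(suffix.group()) * math.log2(10)   # treat the suffix as digits
    return bits


def passphrase_bits(n_words: int, list_size: int = 7776) -> float:
    """Entropy of n words chosen uniformly from a list (7776 = a diceware-style list)."""
    return n_words * math.log2(list_size)


def generate_passphrase(n_words: int = 4, wordlist: list[str] = WORDLIST) -> str:
    """Random-word passphrase drawn with the OS CSPRNG (secrets), never random.choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    for pw in ("Secur!Ty123", "Password1!"):
        print(f"{pw!r}: naive {random_charset_bits(pw):.1f} bits, "
              f"rough effective {rough_effective_bits(pw):.1f} bits, "
              f"patterns {predictable_patterns(pw)}")
    print("4 words from a 7776-word list:", round(passphrase_bits(4), 1), "bits")
    print("sample passphrase (from the 16-word demo list):", generate_passphrase())
```

Run as a script, Secur!Ty123 shows a naive strength of about 72 bits but a rough effective strength near 31 bits once its conventions are undone, while four words from a 7776-word list come to about 52 bits with nothing for a rule set to exploit. The 16-word demo list is far too small for real use (4 words give only 16 bits); the point of the passphrase is that the list, not the user's imagination, supplies the randomness.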
No More Password Churn
Not too long ago, conventional wisdom and regulators alike called for periodic password changes. Now, however, experts realize that changing your password regularly can lead to risky behavior, like making simple and predictable modifications to a previous password, using passwords that can be easily guessed, or reusing the same password for multiple accounts. Instead, users should select long passwords or, better yet, passphrases and change them less often.
Assume Nothing Is Private
Keeping track of numerous passwords is not easy and the natural inclination is often to write them down. You cannot assume, however, that passwords kept in a plain-text file will stay private. We saw the consequences of this with one of the most infamous hacks in recent years, when the Sony breach was linked back to a file directory named “Password.”
Pen and paper are more difficult to hack, but are still not foolproof. Instead of writing your passwords down, consider writing the name of the website, your login and a clue that will jog your memory.
A better option for handling this challenge is using a reputable password manager. There are plenty of free or low-cost tools that individuals can use to keep track of their unique passwords, and there are also enterprise-grade solutions that organizations can use to help employees manage internal passwords for administrative or privileged accounts.
Passwords Are Just the First Step
Even when all these tips are implemented, passwords are still only a first line of defense. Cybercriminals have a multitude of techniques that allow them to hack even the most secure account credentials, and a simple password will not address the overall authentication problem once they manage to get inside the system.
This is where IT security within an organization must step up with additional measures. If organizations want to mitigate the risk of a breach, they need to put in place multiple layers of authentication, including technology that monitors behavior after the point of authentication, once a user is already on the network. In other words, you have to assume that hackers are already inside the system and look for signs that can trigger an alert pointing to a malicious presence on the network.
Contextual and behavioral monitoring tools, for example, can take into account a user’s device, IP address, time of access, and previous interactions—even down to their typical keystroke and mouse movement patterns—to understand if the user’s activity is consistent with standard behavior. Using machine learning algorithms, these tools can help security teams to quickly identify compromised accounts or unauthorized account-sharing.
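The contextual monitoring just described can be illustrated without any machine learning. The following is an added example and not code from the article or from any vendor: it builds a per-user baseline from past sessions (device fingerprint, source country, usual working hours), scores each new session against that baseline, and alerts on unknown devices or countries, off-hours access, and a change of country too soon after the previous session, which is the classic sign of a hijacked or shared account. The log format, the users, the IP addresses (documentation ranges) and the scoring weights are all constructed assumptions.

```python
"""Added example, not code from the article: a minimal post-authentication
monitor. It learns what is normal for each user from benign sessions and scores
new sessions against that baseline. Log format, users, IPs and weights are
constructed assumptions for illustration."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) device=(?P<device>\S+) "
    r"country=(?P<country>\S+) ip=(?P<ip>\S+)$")

# Scoring weights and threshold: constructed; tune to your own false-positive budget.
W_NEW_DEVICE, W_NEW_COUNTRY, W_OFF_HOURS, W_FAST_COUNTRY_CHANGE = 3, 3, 1, 4
ALERT_THRESHOLD = 5
FAST_CHANGE_SECONDS = 2 * 3600   # a country change inside this window is suspicious

# Constructed history: alice works from one laptop in the US during office hours,
# bob from a desktop and a phone in Germany.
HISTORY = [
    "2024-03-04T09:02:11 user=alice device=laptop-7f3a country=US ip=203.0.113.10",
    "2024-03-04T13:45:02 user=alice device=laptop-7f3a country=US ip=203.0.113.10",
    "2024-03-05T10:15:40 user=alice device=laptop-7f3a country=US ip=203.0.113.12",
    "2024-03-05T17:01:09 user=alice device=laptop-7f3a country=US ip=203.0.113.12",
    "2024-03-06T09:30:00 user=alice device=laptop-7f3a country=US ip=203.0.113.10",
    "2024-03-04T08:10:00 user=bob device=desktop-90ce country=DE ip=198.51.100.7",
    "2024-03-04T12:20:00 user=bob device=phone-22b1 country=DE ip=198.51.100.40",
    "2024-03-05T08:05:00 user=bob device=desktop-90ce country=DE ip=198.51.100.7",
    "2024-03-05T16:50:00 user=bob device=desktop-90ce country=DE ip=198.51.100.7",
]

# Constructed new sessions: a normal alice login, then her account used from an
# unknown device in Brazil 35 minutes later; a late-night bob login, then bob's
# account in France 25 minutes after that.
NEW_SESSIONS = [
    "2024-03-11T10:05:00 user=alice device=laptop-7f3a country=US ip=203.0.113.10",
    "2024-03-11T10:40:00 user=alice device=unknown-c0de country=BR ip=192.0.2.77",
    "2024-03-11T03:15:00 user=bob device=desktop-90ce country=DE ip=198.51.100.7",
    "2024-03-11T03:40:00 user=bob device=phone-22b1 country=FR ip=192.0.2.91",
]


def parse_session(line: str) -> dict:
    """Parse one session line into a dict with a datetime timestamp."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised session line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


class Baseline:
    """Per-user picture of normal: known devices, countries, hours, last session."""

    def __init__(self) -> None:
        self.devices = defaultdict(set)
        self.countries = defaultdict(set)
        self.hours = defaultdict(set)
        self.last: dict[str, dict] = {}

    def learn(self, ev: dict) -> None:
        u = ev["user"]
        self.devices[u].add(ev["device"])
        self.countries[u].add(ev["country"])
        self.hours[u].add(ev["ts"].hour)
        self.last[u] = ev

    def score(self, ev: dict) -> tuple[int, list[str]]:
        u, score, reasons = ev["user"], 0, []
        if ev["device"] not in self.devices[u]:
            score += W_NEW_DEVICE
            reasons.append("unknown device")
        if ev["country"] not in self.countries[u]:
            score += W_NEW_COUNTRY
            reasons.append("unknown country")
        if ev["ts"].hour not in self.hours[u]:
            score += W_OFF_HOURS
            reasons.append("outside usual hours")
        prev = self.last.get(u)
        if (prev and prev["country"] != ev["country"]
                and (ev["ts"] - prev["ts"]).total_seconds() < FAST_CHANGE_SECONDS):
            score += W_FAST_COUNTRY_CHANGE
            reasons.append("country changed within 2h of previous session")
        return score, reasons


def monitor(history: list[str], new_sessions: list[str]) -> list[dict]:
    """Learn from history, then score new sessions in order; return the alerts."""
    base = Baseline()
    for line in history:
        base.learn(parse_session(line))
    alerts = []
    for line in new_sessions:
        ev = parse_session(line)
        score, reasons = base.score(ev)
        if score >= ALERT_THRESHOLD:
            alerts.append({"user": ev["user"], "ts": ev["ts"].isoformat(),
                           "score": score, "reasons": reasons})
        else:
            # Only benign-looking sessions update the baseline, so an anomalous
            # session cannot normalise itself for the next one.
            base.learn(ev)
    return alerts


if __name__ == "__main__":
    for alert in monitor(HISTORY, NEW_SESSIONS):
        print(alert)
```

Run as a script, the second alice session scores 10 (unknown device, unknown country, country change within 35 minutes of her genuine login) and the second bob session scores 7 (unknown country plus a country change 25 minutes after his previous session); the two normal-looking sessions score below the threshold. A real deployment would need an enrolment period before scoring a new user, since a user with no history trips every rule, and would feed these scores into the step-up authentication or session-termination path rather than only logging them.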
Both individuals and their organizations have a part to play when it comes to account security. For individual users, putting extra thought into the passwords they create can go a long way toward ensuring a strong first line of defense. From there, security administrators can add in-depth protection through a combination of password managers and continuous authentication. Together, these measures give users and organizations alike the best shot at reducing this critical risk to their personal and professional accounts so that they can better protect the entire enterprise from a costly data breach.