Though World Password Day (May 5) has come and gone, the need for strong password security is a year-long event.
Passwords remain one of the most used, most criticized, and least expensive security authentication methods available.
Though new data shows possible improvements in general password hygiene, there’s still plenty of room for growth.
So, what does it take to set your team up for success?
Let’s take a look at some of the key points to consider.
Major Password Problems
When we wrote about multi-factor authentication last year, we led off with: “You wouldn’t use your pet’s name for your password, right?”
Though it seems like a lighthearted jest at using “Buddy123” as your option of choice, it actually addresses a major problem with strong password security.
As it turns out, 39% of Americans really do use their pet’s name as part of their password, a number that jumps to 50% among those aged 35-44.
And, since 48% of pet owners post pictures and pet names on social media, attackers can quickly do a Google search for a user and have a great first guess about their password.
With 65% of users reusing the same password for multiple accounts, it’s a situation that can lead to big problems in a hurry.
Fortunately, it’s not all doom and gloom. The news does get better.
Surveys show approximately 72% of users know to reset passwords, while 73% enable multi-factor authentication (MFA) for their online accounts.
But, how many users practice strong password security for their work logins?
Sure, personal bank accounts are one thing, but when it comes to company resources, are they treating them with the same level of care?
For example, in a review of data breaches, researchers found reused passwords for 60% of users, while 70% of breached credentials appear to remain active.
And, for Fortune 1000 companies, the numbers are even worse, with 76% of employees reusing passwords.
Even if it’s unintentional, it’s the sort of behavior that still puts a business at risk.
Password Cracking
Unfortunately, even with good password hygiene, inherent weaknesses in password requirements can cause issues.
For example, the gold standard used to be an 8-character password with a mix of:
- Upper case letters
- Lower-case letters
- Numbers
- Special characters.
But, recent research shows that an 8-character password built this way now slows an attacker down by an hour at most.
Only two years ago the same password took about eight hours to crack; cheap, on-demand cloud computing has since given attackers a turbo boost.
Now, for strong password security, professional organizations should require passwords of no less than 10 characters in length.
Of course, this obviously makes them harder to memorize. So, how can you help your team instead of driving them crazy?
Strong Password Security Help
Rather than requiring a long string of complicated numbers and symbols, you can adopt another approach. Simpler, yet still secure.
The National Institute of Standards and Technology (NIST), in its digital identity guidelines (SP 800-63B), favors length over mandatory complexity rules and recommends allowing long passphrases. A passphrase of four or more randomly chosen words is a common way to get there. Even looking around your living room or kitchen can provide inspiration (2bluepensbrokenTV3bottlesYankeesPic, for instance), though words drawn from a word list by a generator are more random, and therefore stronger, than words you pick by looking around.
Passphrases have been found to be much easier to remember and take much longer to crack than typical passwords, even without complexity (special characters, etc.).
However, shorter passphrases built from common words are still exposed to dictionary attacks, so NIST also recommends MFA as added insurance.
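To put numbers behind the length-versus-complexity argument above, here is an added example (not code from the original article) that computes the entropy of the three password policies discussed, the 8-character and 10-character complex passwords and a random-word passphrase, and converts it into a worst-case crack time. The guess rate of 10 billion guesses per second is an assumption chosen for illustration; real rates depend on the hash algorithm and the hardware an attacker rents. The sample word list is constructed inline so the script runs offline. Note that the diceware-style list size of 7776 words is also an assumption about the list in use.

```python
import math
import secrets

# Assumed attacker throughput in guesses per second. This is an illustrative
# figure, not a measurement: real rates depend on the password hash in use
# (bcrypt is orders of magnitude slower than NTLM) and the hardware rented.
GUESS_RATE = 1e10

PRINTABLE_ASCII = 95      # upper + lower + digits + symbols on a US keyboard
WORDLIST_SIZE = 7776      # assumed size of a diceware-style list (6^5 entries)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a secret drawn uniformly at random:
    `length` symbols, each from `alphabet_size` possibilities."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, rate: float = GUESS_RATE) -> float:
    """Worst-case time to try every candidate at `rate` guesses/second.
    On average an attacker succeeds after about half of this."""
    return 2.0 ** bits / rate


def human_time(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def compare_policies(rate: float = GUESS_RATE) -> dict:
    """Entropy and worst-case crack time for the policies discussed in the text."""
    policies = {
        "8 chars, full character set": entropy_bits(PRINTABLE_ASCII, 8),
        "10 chars, full character set": entropy_bits(PRINTABLE_ASCII, 10),
        "4 random words (7776-word list)": entropy_bits(WORDLIST_SIZE, 4),
        "5 random words (7776-word list)": entropy_bits(WORDLIST_SIZE, 5),
    }
    return {name: (round(bits, 1), human_time(seconds_to_exhaust(bits, rate)))
            for name, bits in policies.items()}


# Constructed miniature word list so the example runs offline; a real
# deployment would load a full diceware-style list instead.
SAMPLE_WORDS = ["anchor", "blanket", "copper", "dragon", "ember", "falcon",
                "garden", "harbor", "island", "jungle", "kettle", "lantern",
                "marble", "nectar", "orbit", "pepper"]


def generate_passphrase(words: list, count: int = 4, sep: str = "-") -> str:
    """Pick `count` words with the CSPRNG in `secrets`, not random.choice,
    so the result is uniformly random and the entropy math above applies."""
    return sep.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    for name, (bits, time_) in compare_policies().items():
        print(f"{name:34} {bits:5.1f} bits  {time_}")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
```

Two things worth noticing in the output: going from 8 to 10 fully random characters adds about 13 bits, which at the assumed rate moves the worst case from days to centuries; and four words drawn from a 7776-word list carry roughly the same entropy as eight random printable characters. Against an attacker who knows you use a word list, the passphrase's advantage is therefore that it is easy to make it five or six words long, not that words are inherently harder to guess.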
Another great option is the use of a password manager, which removes the fallibility of human memory while providing two strong additional benefits: sharing and resistance to phishing.
Many password managers provide options to share access, even without disclosing the password. Using this method allows the password owner to make changes when needed, track those with whom the password is shared, and revoke access as needed.
When it comes to phishing, many attackers attempt to trick users with website URL misspellings or character swaps, such as “goog1e.com” or “micorsoft.co”.
While it’s easy to overlook such small details when you’re rushed by a deadline or exhausted by a long day of work, a password manager matches saved credentials to the site’s actual domain, so it won’t offer them on a lookalike address. The protection only holds if the user lets the manager fill the form rather than copying the password into the fake page by hand.
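To show why a manager is not fooled by “goog1e.com”, here is an added example (not code from the original article or any particular password manager) of the origin-matching check a manager performs before offering credentials. The vault contents are constructed, and the rule used, HTTPS only plus an exact or subdomain match on the saved domain, is a simplified version of what real products do.

```python
from urllib.parse import urlsplit

# Constructed vault: the domain each credential was saved for.
# A real manager stores the full origin; the registrable domain is kept
# here so that subdomains such as accounts.google.com still match.
VAULT = {
    "google.com": ("alice@example.com", "correct-horse-battery-staple"),
    "microsoft.com": ("alice@example.com", "another-unique-passphrase"),
}


def matching_entry(page_url: str, vault: dict = VAULT):
    """Return the vault key whose domain the page belongs to, or None.

    Rules: the page must be served over HTTPS, and its hostname must be
    exactly the saved domain or a subdomain of it. String similarity
    ("goog1e.com") counts for nothing; only an exact label match does.
    """
    parts = urlsplit(page_url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    host = parts.hostname.lower()       # .hostname drops userinfo and port
    for domain in vault:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def autofill(page_url: str, vault: dict = VAULT):
    """Credentials to offer for the page, or None when nothing matches."""
    domain = matching_entry(page_url, vault)
    return vault[domain] if domain else None


if __name__ == "__main__":
    for url in ["https://accounts.google.com/signin",
                "https://goog1e.com/signin",
                "https://micorsoft.co/login",
                "http://google.com/signin",
                "https://google.com.evil.example/signin",
                "https://google.com@goog1e.com/signin"]:
        print(f"{url:45} -> {autofill(url)}")
```

The last two test URLs cover tricks that fool people more often than lookalike spellings: a hostname that merely starts with the real domain, and a URL whose “username” part is the real domain while the actual host is the attacker’s. Parsing the hostname properly, instead of searching the URL for a familiar string, is what defeats both.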
New Technology to the Rescue?
Lately, there has been a push toward authenticator apps such as Google Authenticator and toward the Fast Identity Online (FIDO) standard for passwordless sign-in.
Though these technologies can provide easy MFA for users through their cellphones, they might not be for everyone.
For example, Google Authenticator and similar apps store their secrets on that specific device, so if the phone is lost, each account has to be re-enrolled or recovered through backup codes.
And, while FIDO credentials can synchronize securely to a new device through the vendor’s account, that means their safety depends on how well that account and its recovery process are protected. SIM-swap fraud, where an attacker fraudulently reroutes a victim’s phone number to a device under their control, targets SMS codes and phone-based account recovery rather than FIDO itself, which is one more reason to avoid text messages as a second factor.
While new software and tech might help bolster strong password security, you shouldn’t rely on them as foolproof answers.
When to Seek Help
Of course you want your business to stay safe and secure. As part of that, you need to help your team succeed, too.
Give them the tools they need to thrive, whether it’s a simple investment in training & education, or specialized software, such as a password manager.
The beautiful part of strong password security is that you only need to make a small investment to gain an outsized benefit.
For example, multi-factor authentication for Microsoft 365 is simply a matter of managing the settings. Similarly, the Google or Microsoft authenticator apps can be downloaded from the Apple or Android app stores for free, and can be used with any compatible application.
Navigating settings and authentication options can be confusing, but help is always available.
If you’re looking for help with password security, or any other IT concerns, just contact Ideal Integrations at 412-349-6680, or fill out the form below. Our experts can provide a no-obligation consultation on how small changes can make a big difference for your business.