- Weak passwords are a leading cause of cyber breaches, contributing to 86% of incidents.
- Strong password policies and practices significantly reduce the risk of attacks.
- Implementing additional measures like multifactor authentication (MFA) and password managers enhances security.
After covering the importance of unique usernames in yesterday's blog, we would be remiss not to take a look at the second half of most login credentials: passwords.
These are important because, despite increasingly sophisticated cybersecurity technologies and methodologies, 86% of breaches still involve stolen credentials.
While poor password management remains a risk for all organizations, businesses can mitigate this risk by requiring employees to have strong, hard-to-crack passwords on all corporate devices.
The Risks of Weak Passwords
Passwords are highly susceptible to hackers because they are inherently vulnerable. People often choose weak, easily guessable passwords or reuse them across multiple accounts, making it simpler for hackers to gain unauthorized access using various techniques such as brute force attacks, phishing, or social engineering.
Hackers can also guess or reset passwords using the vast amounts of personally identifiable information (PII) available online. Once compromised, stolen credentials provide the easiest pathway for hackers to infiltrate systems. If users reuse passwords across multiple accounts, malicious actors can exploit this weakness to cause even greater damage.
Passwords are the most common form of authentication; once a hacker has a valid username and password combination, they can bypass security measures, masquerade as legitimate users, and move laterally across systems, gaining unrestricted access to sensitive data. The simplicity of exploiting human negligence or oversight in password security makes stolen credentials a highly effective tool for hackers, posing severe risks to personal and organizational security.
Best Practices for Creating Strong Passwords
Although passwords are inherently vulnerable, strengthening them can contribute to a robust security posture. At an organizational level, strong password policies provide employees with clear instructions on password length, complexity, and expiration guidelines. It’s essential for users to consistently follow these instructions and understand their importance in maintaining cybersecurity.
Complex passwords are the first step in safeguarding accounts against brute force attacks, where threat actors use computing power to systematically check all possible password combinations. Simple passwords are particularly vulnerable to these attacks, especially if there is no limit on login attempts. Longer and more complex passwords, combined with security measures like account lockout after multiple failed attempts, significantly reduce the risk of successful brute force attacks.
Complex passwords should use a mix of uppercase and lowercase letters, numbers, and symbols. This significantly increases the number of possible combinations, making it much harder for attackers to guess passwords. To create a complex password, employees should use at least 12 characters of various types, avoid common words and sequences, and never include easily accessible personal information such as a child’s or pet’s name.
Another effective alternative is using passphrases, which are similar to passwords but longer and easier to remember. Passphrases typically consist of multiple words strung together, often including spaces or special characters. A good passphrase should be long, memorable, and unique. Their length and complexity make them more secure than traditional passwords while remaining easy for users to recall.
Additional Security Measures to Strengthen Password Protection
Employees should change their passwords every 60 to 90 days. These should be unique rather than slight variations of previous passwords, and old passwords should never be reused. It’s also essential to create unique passwords for each service and platform. Using the same password across multiple accounts puts all accounts at risk.
Threat actors operate under the assumption that many users reuse their login credentials on multiple sites. Credential stuffing is an automated process that attempts to compromise credentials across various websites and services to gain unauthorized access.
Organizations should implement multifactor authentication (MFA) to prevent credential-stuffing attacks. MFA adds an extra layer of security by requiring at least two forms of verification before granting access to an account, ensuring that even if a password is compromised, unauthorized users cannot gain access without the second factor.
Secure technology is available to support good password habits. Complex passwords can be difficult to remember, especially when they need to be changed frequently. The solution is a password manager, which generates unique passwords for every account and securely encrypts them. This minimizes the risk of using weak or repeated passwords and ensures that employees only need to remember one strong master password.
Strong password practices are a crucial first line of defense against threat actors and the foundation of a cybersecurity-aware culture. To strengthen good password hygiene even further, organizations should use services that monitor and alert if employee credentials have been exposed in a data breach. This allows users to change their passwords before attackers can exploit stolen information.
A version of this blog originally appeared on IT WIRE.
