In honor of World Password Day on May 6th, we wanted to share some key background and recommended behaviors for passwords. Passwords are often one of the greatest risks to most organizations. Passwords (also commonly called credentials) have become one of the primary targets of cyber attackers, especially attackers with more advanced skill sets or those attempting to persist long-term in a target organization's environment.
The Key Lessons for Passwords We Recommend You Focus On
A great deal has changed in the past five years in password best practices, including replacing password complexity requirements with password length and discontinuing password expiration policies. One of the most effective first steps toward simpler passwords in your organization is a review and update of your organization's security policies and procedures concerning passwords.
Passphrases: Replace password complexity with password length whenever possible. Passphrases can be sentences or a series of random words that create long passwords that are easier both to remember and to type.
Unique: Emphasize and train on the importance of every account (both work and personal) having its own unique password. This ensures that if one account is compromised, all other accounts remain secure.
Password Managers: If possible, encourage the use of password managers. Managing a long, unique password for each account is difficult, as many people have over 100 passwords. The simpler we make a behavior, the more likely people are to exhibit it. If your organization prohibits the use of password managers, keep in mind that people will still likely write their passwords down or use something like Google Docs or spreadsheets to manage all their passwords.
MFA: Whenever possible, people should enable Multi-Factor Authentication (also commonly called Two-Factor Authentication or Two-Step Verification) for their work and personal accounts.
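To put numbers behind the "length over complexity" recommendation above, here is an added example (not from the original post) that compares the entropy of a classic 8-character complex password with a passphrase of randomly chosen words, and generates such a passphrase with a cryptographically secure RNG. The word list size of 7776 is assumed to match a standard diceware-style list; the short embedded list is constructed for illustration only.

```python
import math
import secrets

# Constructed sample word list for illustration. A real deployment would draw
# from a large published list (for example 7776 words, like diceware lists).
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garden",
    "harbor", "island", "jacket", "kettle", "lantern", "meadow", "nugget",
    "orbit", "pepper",
]


def entropy_bits(choices: int, length: int) -> float:
    """Bits of entropy for `length` independent, uniform picks out of `choices`.

    This assumes true uniform random selection. Human-chosen sentences or
    "clever" substitutions have far less entropy than this formula suggests.
    """
    return length * math.log2(choices)


def complex_password_bits(length: int = 8, alphabet_size: int = 94) -> float:
    """Strength of a classic 'complex' password: printable ASCII, chosen uniformly."""
    return entropy_bits(alphabet_size, length)


def passphrase_bits(num_words: int, wordlist_size: int) -> float:
    """Strength of a passphrase built from `num_words` uniform picks from a list."""
    return entropy_bits(wordlist_size, num_words)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of random words whose entropy meets or exceeds target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(num_words: int, words=SAMPLE_WORDS, sep: str = "-") -> str:
    """Pick words with the CSPRNG in `secrets` (never the `random` module)."""
    return sep.join(secrets.choice(words) for _ in range(num_words))


if __name__ == "__main__":
    target = complex_password_bits()          # about 52.4 bits
    print(f"8-char complex password: {target:.1f} bits")
    n = words_needed(target, 7776)            # 5 words from a 7776-word list
    print(f"Words needed to match it from a 7776-word list: {n}")
    print(f"{n} random words give {passphrase_bits(n, 7776):.1f} bits")
    print("Sample passphrase:", generate_passphrase(n))
```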
Strong, secure passwords are key to reducing risk to your organization and to helping people protect themselves at home. However, security policies have traditionally made passwords both confusing and difficult. Now more than ever we need to equip our remote workforce with the right tools to defend themselves, and as a result the organization, against evolving cybersecurity threats.