It’s a never-ending battle: Hackers relentlessly look for a way into your digital house, you work overtime boarding up the windows, and meanwhile your employees stand in the threshold graciously offering up their keys.
Employees are behind a large share of data breaches, and stolen or reused login credentials turn up at some phase of almost every malicious campaign.
Where are we going wrong?
Certainly, passwords like 123456, qwerty, password, and mynoob aren’t helping matters. What’s more, many organizations are blowing it when it comes to basic password security practices.
Yes, we’re seeing a shift toward biometrics, facial recognition, and hardware authentication—but it will be a few years before passwords are a thing of the past.
Until then, we need to do a better job of locking up the front door with the tools and best practices currently at our disposal.
Update your password policy
The days of complex password composition rules and regular, mandatory password changes are over. Research has shown these requirements produce passwords that are harder to remember and no more secure: users make predictable substitutions (Password1 becomes Password2) and write the result down.
Instead, encourage your end users to employ long, easy-to-remember passwords, at least eight characters and ideally 12 or more. (You might even have them self-evaluate their passwords with a tool like Gibson Research Corporation’s Interactive Brute Force Password “Search Space” Calculator, bearing in mind that it estimates brute-force search space, not how guessable a password is.)
Then check those passwords against a blocklist and reject any that are too common, too easily guessed, or already known to have appeared in a breach.
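As an added example (this is not code from the original article), here is a small Python policy checker that applies the three rules just described: a minimum length with a longer recommended length, a blocklist of common passwords, and a breach lookup done k-anonymity style, the model the Pwned Passwords range API uses, in which only the first five hex characters of the password’s SHA-1 hash ever leave the client and the comparison against the returned suffixes happens locally. The blocklist, the “server” response and its counts are constructed for the example; the one real value in it is the SHA-1 of “password”, and the names (check_password, breach_count, Verdict) are this example’s own.

```python
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field

MIN_LEN = 8           # floor stated in the policy above
RECOMMENDED_LEN = 12  # preferred length; shorter passwords get advice, not a rejection

# Constructed blocklist: the passwords named in this article plus a few other
# perennial list-toppers. A real deployment loads a list of thousands.
COMMON_PASSWORDS = {
    "123456", "qwerty", "password", "mynoob", "letmein", "111111", "iloveyou", "admin",
}

# Constructed stand-in for a k-anonymity breach lookup: the client sends only the
# first 5 hex characters of the SHA-1 of the password, and the service answers with
# every known suffix under that prefix plus a breach count. The first suffix below
# is the real SHA-1 of "password"; the counts and the second suffix are made up.
BREACH_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
        "003D68EB55068C33ACE09247EE4C639306B:3\n"
    ),
}


def sha1_split(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the upper-case hex SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, ranges=BREACH_RANGES) -> int:
    """Look the password up without sending it, or its full hash, to the service."""
    prefix, suffix = sha1_split(password)
    for line in ranges.get(prefix, "").splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


@dataclass
class Verdict:
    ok: bool
    reasons: list[str] = field(default_factory=list)  # hard rejections
    advice: list[str] = field(default_factory=list)   # soft recommendations


def check_password(password: str, username: str = "",
                   blocklist=COMMON_PASSWORDS, ranges=BREACH_RANGES) -> Verdict:
    reasons, advice = [], []
    if len(password) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    elif len(password) < RECOMMENDED_LEN:
        advice.append(f"{RECOMMENDED_LEN} or more characters recommended")

    # Normalise before the blocklist lookup so "Password1" or "qwerty!!" do not
    # slip past a list of lowercase entries. Leet substitutions (P@ssw0rd) are
    # not handled here; the breach lookup catches most of those anyway.
    lowered = password.lower()
    core = re.sub(r"[\d\W_]+$", "", lowered)
    if lowered in blocklist or core in blocklist:
        reasons.append("on the common-password blocklist")

    if username and username.lower() in lowered:
        reasons.append("contains the account name")

    hits = breach_count(password, ranges)
    if hits:
        reasons.append(f"appears {hits} times in breach data")

    return Verdict(ok=not reasons, reasons=reasons, advice=advice)


if __name__ == "__main__":
    for pw in ["password", "Password1", "tr0ub4dor", "correct horse battery staple"]:
        v = check_password(pw, username="jsmith")
        print(f"{pw!r:32} ok={v.ok} reasons={v.reasons} advice={v.advice}")
```

Note that the length rule rejects only below eight characters and merely advises at eight to eleven, which matches the policy above; a site that wants 12 as a hard floor changes MIN_LEN. The trailing-digit normalisation is deliberately crude: it is there to stop the most common evasion of a blocklist, not to replace the breach lookup.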
We also recommend you:
- Prohibit password and account sharing
- Allow end users to securely record and store their passwords
- Prohibit the use of a single password across multiple websites or applications
- Don’t allow employees to use personal passwords for work accounts
Furthermore, when it comes to system administrators, we suggest you adopt the following best practices, as well:
- Require multifactor authentication when accessing networks remotely
- Require system admins to use different passwords for administrative accounts and non-administrative accounts
- Never allow the use of default admin passwords
Encourage the use of password managers
You, no doubt, have been using a password manager for some time. Still, we’re constantly dumbfounded by how many end users have not only never tried one but have flat-out never heard of them.
Guide them down that path—and be sure to drive home the user benefits that might encourage your less tech-savvy employees to embrace what might otherwise be a scary idea.
For starters, let them know that a password manager can help them prevent unauthorized access to not only their work accounts, but to their banking, personal email, and online shopping accounts, too.
Let them know they can:
- Store all of their passwords in a single place – personal and business – and only ever have to remember a single master password
- Ensure all of their passwords are protected by encryption
- Eliminate any password security guesswork with auto-generated, highly-secure passwords
- Autofill login credentials and web forms with stored and encrypted personal and financial data
Want to vet your current options? CSO offers insight into the top password managers currently on the market.
Require multifactor authentication
Two-factor authentication isn’t a magic bullet, as some seem to believe. Codes delivered over SMS, for example, can be intercepted through SIM swapping or simply phished from the user in real time along with the password. That said, whether you require one-time codes or hardware tokens, employ biometrics and behavior-based authentication, or add contextual signals like location, IP address, and device, every added factor raises the cost of a successful account takeover, and phishing-resistant factors such as FIDO2 security keys raise it the most.
As you evaluate your options, we encourage you to dig into the NIST Digital Identity Guidelines so that you can make the informed security decisions that are best for your organization.
Make phishing training regular and mandatory
While creating more secure passwords is an important step, ensuring your end users don’t get suckered into giving them away is critical.
And, as phishing campaigns grow more sophisticated, telling real login screens and customer-service emails from fake ones can be tricky. Just take this recent Netflix phishing email and Apple login vulnerability, for example.
Deny cybercriminals their payday
No matter who you are, you’re under fire. There is no organization too big to crack or too small to be worth an attacker’s time.
So, employ these password security tips. When you do, you’ll lock up your data house tight.