Do you know the most common and least secure passwords? According to Forbes the top 10 offenders from a 2019 study include password, 123456 (and other longer variations), test1, and qwerty. While you might think no one in your company is using a weak password, studies show you may be wrong. And it’s not just the “password1” violations that need to concern you. Forbes also reports a finding that Microsoft users were using passwords already known to have been compromised in a breach. As the password landscape becomes more complex—and the stakes even higher—you need to know the best practices for avoiding password security issues and improving security hygiene.
1. Understand the State of Password Security Today
It’s been common sense for years that passwords matter—and yet, the studies above show that common sense may not be all that common. Before we dive into the most pressing issues and explore strategies for fixing them, let’s dig into the numbers behind today’s state of password security:
- Verizon found that 58% of data breaches exposed personal information.
- 555 million passwords have been sold on the dark web in the last three years, according to one expert.
- Google found that 65% of people reuse passwords across multiple—or even all—digital sites they access.
- A 2018 Verizon data breach study found that as many as 81% of data breaches involved password access.
2. Create a Comprehensive Strategy to Improve Basic Password Hygiene
Passwords can be a major security issue, so what can you do to reduce that risk? At an organizational level, consider using automated password rules to help you eliminate some of the common offenders. Considering starting with this collated list of the most common passwords, as found in multiple studies. Other best practices include:
- Disallowing words from the dictionary that can be quickly hacked by software used by cybercriminals.
- Requesting users not use personal information that could be gleaned from compromised personal data (such as a birthday) or from social media (think kids’ names, pets’ names, etc.).
- Requiring users include a mix of upper case, lower case, numbers, and random symbols.
- Using tools that prevent incrementing. Often, organizations require users to frequently update their password, and the easiest way to do that is incrementing—so Password1 becomes Password2.
- Relying on automation to prevent reuse of the last three to five passwords.
- Requiring passwords to have at least eight characters.
3. Watch as Password Advice Evolves
It used to be a password protection best practice to require users to update their passwords every few months. However, as password security tools have improved, many organizations have changed their guidance. Keep up to date about new tools that can help automate this process and simplify life for both IT teams and end users, or work with a partner like Connection who can connect you with those resources.
4. Educate Your Employees about Password Hygiene and Reuse Risk
Training is an essential component of improving the security of your network and eliminating the X-factor of human error. While many people have been impacted by data breaches, far fewer have stopped to think about the consequences. Educate your employees about how passwords can become compromised during data breaches and the fact that email addresses, names, and other data are often sold on the dark web in connection with passwords. By raising awareness, you can help employees pinpoint if this is an issue they need to be aware of.
5. Don’t Rely on Passwords Alone—Embrace 2FA or MFA
Passwords can be considered a first line of defense against data breaches and unauthorized access, but they shouldn’t be the only solution you rely on. Help improve overall security by also requiring two-factor authentication or multi-factor authentication to access your network or critical systems. While it can be seen by employees as a hassle, it can dramatically increase security and is quickly becoming best practice.
6. Move Toward Single Sign-On
Single Sign-On (SSO) solutions can help improve security—and employee sanity. CSO Online reports that employees working at a small- to medium-size business may have as many as 85 passwords to track across systems. Not only does this mean that passwords are likely to be variable in terms of their quality as per each system’s guidelines and restrictions, but it’s also going to create more opportunities for breach points. With SSO, security teams have greater control and visibility into login activity and can leverage automated network tools—such as SD-WAN solutions—to identify suspicious activity and prevent unauthorized access.
7. Use a Password Manager
It may not be practical—or desirable—to move toward Single Sign-On given your company’s IT infrastructure, goals, and objectives. However, there’s another option organizations can use. Consider investing in a password manager—Connection has partnerships with many companies and can help you find the best fit for your organization.
8. Include Passwords in Your Security Testing
Does your organization conduct security testing, such as checking employee compliance with email guidelines? It’s becoming increasingly prudent to implement periodic password checks in your security testing. In addition to the automated tools organizations use, running more advanced checks can help you root out problems and identify gaps to be shored up. Issues identified during these tests can be addressed directly with employees for speedy resolution and provide anonymous teaching opportunities for the larger company. In the ongoing fight to improve cybersecurity, password security, and overall password hygiene play a critical role in helping minimize threats. The risks—and the solutions—have evolved dramatically in the last two years. Do you need help navigating the world of tools and solutions to up-level your password security? Contact Connection today to discuss your needs and learn how a variety of solutions from cloud-based services with multi-factor authentication to password managers can help you end the year in a more secure position.