Five Core Principles of Password Security

Aug 15, 2019 | Security

The security of an office building is only as good as the locks on its doors. The IT security for sensitive digital assets is only as good as the locks on user accounts.

While the importance of a good password protocol cannot be overstated, the fundamentals are straightforward. At a minimum:

#1 – Passwords should be unique.

Never re-use passwords or use one password for multiple accounts. This reduces the risk that a breach at one account will expose access to another.

The reason is that even sophisticated web developers make mistakes that could allow hackers to learn a password. For example, Facebook stored hundreds of millions of user passwords in plain text for years. In this case, the best password in the world was vulnerable, not because of the way it was formed, but because it was so easily accessible to any number of people or entities.

#2 – Passwords should be difficult to guess.

Cybercriminals have massive resources to crack just about any password. More significantly, they have access to millions of stolen account records and use them to build lists of common passwords.

Hackers don’t have to waste time attempting to crack or guess passwords. They can simply buy them for $45. Therefore, even great passwords can be bought or guessed by hackers.

We recommend organizations utilize Microsoft’s Azure AD Password protection. It prohibits known weak passwords and phrases that are specific to the organization. Administrators can create a custom list of blocked passwords (such as product brand names or location names or abbreviations) well-known to insiders.
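An added example, not from the original post and not Microsoft’s own code, of how an organization-specific blocked-password list like the one described above can be enforced: the candidate is normalized (lower-cased, common look-alike substitutions undone), banned terms are stripped out, and what is left is scored. The term lists, substitution table and minimum score are constructed assumptions for illustration.

```python
# Constructed sample lists for illustration only (not a real organization's data).
GLOBAL_BANNED = ["password", "qwerty", "letmein", "welcome"]
ORG_BANNED = ["contoso", "northwind", "widgetpro", "chicago"]  # brand, product, location names

# Assumed look-alike substitutions to undo before matching ("P@ssw0rd" -> "password").
SUBSTITUTIONS = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "$": "s", "@": "a", "!": "i",
})

MIN_SCORE = 5  # assumed threshold: candidates scoring below this are rejected


def normalize(password: str) -> str:
    """Lower-case the password and undo common character substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def score_password(password: str, banned_terms):
    """Each banned term found in the normalized password counts one point and each
    character left over counts one point, so a banned word plus a digit or two scores
    almost nothing. Longer terms are matched first so 'widgetpro' is not split up.
    Returns (score, list of matched banned terms)."""
    remaining = normalize(password)
    matched = []
    for term in sorted(set(banned_terms), key=len, reverse=True):
        if term in remaining:
            matched.append(term)
            remaining = remaining.replace(term, "")
    return len(matched) + len(remaining), matched


def check_password(password: str, org_terms=ORG_BANNED):
    """Return (accepted, score, matched_terms) against the global and org lists."""
    score, matched = score_password(password, GLOBAL_BANNED + list(org_terms))
    return score >= MIN_SCORE, score, matched


if __name__ == "__main__":
    for candidate in ["Contoso1!", "P@ssw0rd!", "W1dgetPro-Chicago", "correct horse battery staple"]:
        ok, score, hits = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if ok else 'rejected'} (score {score}, matched {hits})")
```

Note that the leftover-character rule means a banned word padded with enough extra characters can still pass, which is why a blocklist complements, rather than replaces, the length and MFA requirements below.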

#3 – Passwords should be too complex to memorize.

There is a direct correlation between how difficult a password is to crack and its length, complexity and uniqueness. Thus, good passwords should be longer than 8 characters and contain a good mixture of upper- and lower-case letters, numbers and special characters such as “@ % $ ~ #.”

The length and composition of such passwords make them difficult to memorize, which is great for security but hard for a human to keep track of. Keeping track becomes exponentially more challenging as the number of digital accounts increases. Again, great for security, but difficult to manage without help. Which brings us to point #4.

#4 – Passwords should be well-managed.

Because it is very difficult for a human to control so many unique and complex passwords, we recommend people use a good password manager. A password manager does two things well:

First, it can generate (or create) a unique and complex password. It does this while conforming to the site’s rules about password length, permitted special characters, and combinations of letters and numbers.

Second, a good password manager remembers complex passwords. The passwords are stored in an encrypted file that can be shared and used by the same user on several devices. A complex password created for an account can be used to access that account via smartphone, tablet, or PC.

A good password manager hits the sweet spot for best practice password security: it automatically generates and stores unique and complex passwords for hundreds of different accounts, and it doesn’t interfere with MFA.

#5 – Passwords should have a password.

Multi-factor Authentication (MFA) adds another layer of security on top of passwords, making fraudulent account access more difficult. With MFA, even if someone has the correct password, they cannot access the account unless they also have a second proof of authentication. It is like a password for the password. (Yes, it is possible for the bad guys to overcome the physical obstacle and defeat MFA, particularly if they live with the person, but the level of difficulty raises the stakes and reduces the likelihood of wide-scale abuse.)

Just about every company can implement MFA on their users’ accounts; most banks already have. Users are familiar with the process of receiving a text to verify a password change or account access, for example. We recommend corporate users begin using a recognized digital authentication app such as Microsoft Authenticator to authenticate to corporate networks.

These are the minimum requirements for maintaining proper authentication to sensitive data. Following these core principles will protect personal and commercial assets. In fact, without this basic framework, no system is safe.

Learn more about the fortifications of a proper Defense in Depth strategy. See how clients strengthen their business with IT security solutions from Peters & Associates.