Most people use a Password Manager to save their account passwords. A password manager is an app or device which serves as a single collection point for all of a user’s account credentials. LastPass and Dashlane are two well-known password managers in the market. The usage of a password manager presents a security risk in case of a data breach. In fact, as per the Independent, the password manager LastPass was hacked and a data breach did occur, compromising user credentials.
Another high-risk method that many users follow is to save their passwords in their browsers, and use auto-fill for convenience.
In today’s world, data breaches are the highest level of threat – don’t forget, all your data is being protected by your passwords! No security initiative can come with 100% convenience – but it is important to understand and prioritize security.
This is even more important for enterprises, where the tools they are providing their users to manage their passwords are eventually protecting the company’s data.
There are enterprise IAM tools available in the market which help enterprises to provide a secure single sign-on (SSO) and other access control lists such as IP- and device restrictions, time and location restrictions, and multi-factor authentication. These functionalities help end users as well as administrators to protect company data with additional layers of protection.
Delving deeper into MFA as a means to improve password security, the trend today is that many leading SaaS providers have started deprecating SMS as the medium to send the OTP, since this is an old-school method and comes with dependencies in order to serve its purpose. The modern and more convenient way to run an MFA is using TOTP and push notification.
Implementing a single sign-on (SSO) with an MFA is a powerful way to boost the security of your passwords while ensuring a minimal compromise on the convenience front. And of course, type your password each time instead of saving it in your browser or a password manager to minimize the security risk.
Your password – your secret passphrase or PIN that you use for your email, social media profile, or applications at work – is necessary for you to gain access to your accounts. But more importantly, your password plays a critical role in ensuring that no one else has access to your accounts, ensuring the security and privacy of your own as well as your organization’s data and applications.
With advancements in technology, it is important to be aware that there are equally advanced ways in which people steal information belonging to others, and even more ways through which they can misuse that information. Therefore, it goes without saying that secure passwords are of prime importance.
Common Password-Related Mistakes
You can’t blame yourself for being naturally inclined to choose a simple password that will be easy to remember. Unfortunately, these are the very same passwords that are also easy to guess or crack with a hacking software. Remember that, if information about you that can be found online – your date of birth, favourite colour, pet’s name, and so on – is incorporated into your password, it becomes even more vulnerable.
Another mistake made by most people is that a common password is used across multiple online accounts. The problem with doing this is, if someone manages to crack your password to one account, you are giving them free access to the rest!
Writing down your password or saving it somewhere online? This is a very naive act that can put your entire online data at risk of being accessed and stolen easily. Some of the other mistakes you might be making when it comes to passwords is that you don’t change the factory-set or default password, you use the same password for too long, and so on.
Tips to Set Up a Secure Password
Create a long password with a minimum length of 10-12 characters
Use a combination of uppercase letters, lowercase letters, numbers, and special characters
Special characters need to spread out across the password and not be limited to the first or last place
Do not use the same password for multiple security points
Change your passwords every 1-3 months
Avoid using words with obvious references to your personal life
Avoid using dictionary words as a whole
Passwords in the Workplace
In the workplace, the importance of a secure password is further amplified because the breach of a corporate network can have consequences that will affect the entire business.
Employees, who are otherwise the biggest assets to a company or business, also become the weakest link in the security chain protecting its data. The reason? Poor password selection and the subsequent compromise to data security. A single password, if compromised, can open the security gates and let intruders in.
Combating Weak Passwords in the Workplace
A good password policy is the weapon of choice when it comes to combating the threat of weak passwords.
A password policy is a set of guidelines that help users set up strong and secure passwords. When a password policy is enforced, a user is not allowed to create a password that does not abide by these guidelines.
Some essential features of a password policy are:
1) Password Length & Complexity Requirement
The password policy ensures that every password created is of a minimum length (for example, at least 6 characters long) and needs to use a variety of character types (uppercase letters, lowercase letters, numbers, special characters).
2) Minimum & Maximum Password Age
This part of the password policy decides how often a password is to be changed. Ideally, a good password policy ensures the expiry of a password once in 3 months, so the user is forced to create a new password. However, if a policy prompts the user to change their password too often, they may be tempted to write it down or store it elsewhere. This, again, will compromise security.
3) Password History
When a user is prompted to change a password, he/she may tend to reuse a password they had earlier used for the same application. By enforcing a good password policy, users will not be allowed to reuse an old password at least for another 5 times.
4) Number of Failed Attempts
A password policy also establishes the maximum number of invalid attempts allowed before an account will be locked out temporarily. Once locked, the account may need administrator support to be unlocked and made accessible again.
Beyond Password Security
For companies and businesses that use highly-sensitive data, it may be required to go one step beyond just a good password policy that enforces strong passwords. In such cases, a two-factor or multi-factor authentication functionality may be enforced, where additional layers of security are integrated into the sign-in process.
With such a functionality, users will be required to re-validate their identity using one or more of the following:
A one-time password or PIN
A thumbprint or retina scan
A Yubikey, smart card, USB token, or magnetic strip card
Are your users’ weak passwords keeping you up at night? Speak to us to see how Akku can help with Password Policy Enforcement and Multi-factor Authentication.