Best Practices for Password Policies and Management
- May 25, 2023
- Canary Trap
In today’s world, where we rely heavily on digital services and online communication, passwords are the first line of defense against cyber threats. However, data breaches and cyber attacks are all too common, so ensuring the confidentiality of sensitive information has become paramount for individuals and organizations alike.
One crucial aspect of maintaining robust security is the implementation of strong and unique passwords. Passwords are essential for securing our online accounts and ensuring the confidentiality, integrity, and availability of our data. However, passwords are only effective if they are strong, unique, and managed correctly.
That’s why today we want to explore the best practices for password policies and management, and shed light on the importance of utilizing strong passwords to safeguard confidentiality.
Creating Strong and Unique Passwords
“Passwords are the keys to the kingdom of your digital life. Treat them with care.” – NIST (National Institute of Standards and Technology).
According to an article published by Walden University, “Strong passwords are of the utmost importance. They protect your electronic accounts and devices from unauthorized access, keeping your sensitive personal information safe. The more complex the password, the more protected your information will be from cyber threats and hackers.”
To start on the path of secure password management, it is essential to understand the characteristics of strong and unique passwords. Experts recommend the following guidelines:
Passwords should be complex enough to prevent guessing and brute force attacks. Unfortunately, that is not always the case. As discussed by experts at Terranova Security: “Despite the increased public importance placed on data security, many still use weak passwords to secure their professional and personal accounts. As per Google, 24% have used the word “password,” “Qwerty,” or “123456” as their account password, while only 34% change their passwords frequently.”
The complexity requirements for passwords may include the use of uppercase and lowercase letters, numbers, special characters, and a minimum length, and they should be defined based on the risk level of the system or service being accessed. For instance, a password used to access a financial system should be more complex than a password used for a social media account.
It’s necessary to avoid using easily guessable information such as names, birthdates, or common phrases associated with you. Use a different password for each online account to prevent a single breach from compromising multiple accounts.
You should also steer clear of easily guessable patterns, such as sequential numbers, common phrases, or personal information. Generating random combinations of characters and avoiding dictionary words will strengthen your password security.
Two-factor authentication (2FA) adds an extra layer of security to password-based authentication by requiring users to provide two forms of identification, such as a password and a code sent to their phone or email. This means that 2FA can prevent unauthorized access to accounts even if the password is compromised.
As mentioned in an article by Terranova Security on best practices for password management, “if a cybercriminal does guess your social network username and password, two-factor authentication forces the criminal to provide a secure PIN to log in. You will receive a notification of the login attempt, alerting you that your password has been hacked. If you receive this notification email or text, refuse access, and change your password and username immediately.”
Many online services offer 2FA as an option, and users should be encouraged to enable it whenever possible. However, it is important to understand that 2FA should not be considered a replacement for strong passwords but rather an additional security measure.
Password managers are software applications that generate and store complex passwords for users, eliminating the need to remember multiple passwords. Password managers can also automatically fill in login information for websites and applications, reducing the risk of phishing attacks and other forms of password theft.
According to the Cybersecurity & Infrastructure Security Agency (CISA), “password managers offer the option to create randomly generated passwords for all of your accounts. You then access those strong passwords with a primary password.”
Using a unique password for each website or application is an important part of staying secure: if a data breach occurs, the password used in one system cannot be used to enter another. Password management tools such as LastPass, Dashlane, or KeePass can simplify the process of maintaining strong and unique passwords.
Password managers should be used in conjunction with strong passwords and 2FA. Users should choose a reputable password manager that uses encryption and has a good track record of security. Password managers should also be protected with a strong master password and 2FA.
One of the most critical aspects of password policies and management is user education. Users should be educated on the importance of strong passwords, the risks of password reuse, and the consequences of password theft. Users should also be taught how to create and manage strong passwords, how to recognize and avoid phishing scams, and how to enable 2FA.
Organizations should provide regular training and awareness programs for employees to ensure that they understand the importance of password security and the potential consequences of a data breach. Education should be ongoing and should include updates on new threats and best practices.
Password Storage and Transmission
Passwords should be stored and transmitted securely. They should be encrypted when stored in databases, and the encryption keys should also be protected.
Passwords also need to be transmitted over encrypted channels, such as SSL/TLS, to prevent interception and eavesdropping. That means passwords should never be stored in plain text or sent via email or other unencrypted channels. Passwords should be hashed and salted to prevent brute force attacks and rainbow table attacks.
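The salting and hashing described above can be sketched as follows. This is an added example, not code from the original article; the choice of PBKDF2-HMAC-SHA256, the iteration count, and the record layout are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed work factor for this example; raise it as far as login latency allows.
ITERATIONS = 600_000


def hash_password(password, iterations=ITERATIONS):
    """Derive a salted PBKDF2-HMAC-SHA256 hash; returns the record to store."""
    salt = secrets.token_bytes(16)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Salt and iteration count are not secret and are stored beside the hash.
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    # Constructed sample password, used twice to show the effect of the salt.
    first = hash_password("constructed-sample-passphrase")
    second = hash_password("constructed-sample-passphrase")
    print("same password, different stored hashes:", first["hash"] != second["hash"])
    print("correct password verifies:", verify_password("constructed-sample-passphrase", first))
    print("wrong password verifies:", verify_password("not-the-password", first))
```

Because each record carries its own random salt, two users with the same password get different stored hashes, which is what defeats precomputed rainbow tables; the iteration count is what slows brute force guessing.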
Password recovery is an essential aspect of password management, but it can also be a security risk if not implemented correctly. Password recovery should be designed with security in mind, and users should be required to provide additional verification before resetting their password.
For instance, users may be required to answer security questions, provide a verification code sent to their phone or email, or provide a photo ID. Additionally, password recovery should not allow attackers to guess the password by answering security questions or using other personal information.
Password Expiration and Reuse
Password expiration and reuse policies can be controversial, but they can also be effective in preventing password theft and reducing the impact of a data breach. Password expiration policies require users to change their passwords periodically, such as every 6 months, while password reuse policies prevent users from using the same password for multiple accounts.
While password expiration and reuse policies can be effective, they can also be burdensome for users and lead to weaker passwords. Organizations should weigh the benefits and drawbacks of such policies and ensure that they are implemented correctly, because with stronger policies and proper training they may be able to go longer between password changes.
Though sometimes effective, password reuse might also be very risky. Research by Senha Segura compiled some alarming statistics on password reuse:
- “According to a survey carried out by Google, at least 65% of people have the habit of using the same password for different services.
- According to information provided by Microsoft, 44 million is the number of accounts vulnerable to hacking due to theft and compromise of passwords.
- 76% of millennials put their accounts at risk through password reuse, according to security.org.
- The Verizon Data Breach Investigation Report points out that password reuse is the reason behind 81% of hacking attacks.”
Lists of Common Words
The most important requirement to place on users when they create passwords is a ban on common passwords, which reduces your organization’s susceptibility to brute force password attacks. Common user passwords include abcdefg, password, summer, and winter.
You can create conditions that restrict those types of words so they either cannot be used or count as a single character. It is also important to communicate this to users so they understand what the issue is whenever they type in a new password.
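One way to implement both conditions, rejecting a common password outright and counting an embedded common word as a single character toward the minimum length, is sketched below. This is an added example, not code from the original article; the function names, the 12-character minimum, and the message wording are assumptions, and the banned list holds only the four words named above.

```python
import re

# Common passwords named in the text above; a real deployment would load a far larger list.
BANNED_WORDS = ("abcdefg", "password", "summer", "winter")


def effective_length(password, banned=BANNED_WORDS):
    """Length of the password when each banned word counts as one character."""
    if not banned:
        return len(password)
    # Longest words first so the regex prefers the longest banned match.
    words = sorted(banned, key=len, reverse=True)
    pattern = "|".join(re.escape(w) for w in words)
    return len(re.sub(pattern, "*", password, flags=re.IGNORECASE))


def check_password(password, min_length=12, banned=BANNED_WORDS):
    """Return (accepted, message); the message is what the user is shown."""
    lowered = password.lower()
    if lowered in banned:
        return False, "That is one of the most commonly used passwords. Choose a different one."
    hits = sorted(w for w in banned if w in lowered)
    counted = effective_length(password, banned)
    if counted < min_length:
        if hits:
            return False, (
                f"Common words ({', '.join(hits)}) count as one character each, "
                f"so this password counts as {counted} of the required {min_length}."
            )
        return False, f"Use at least {min_length} characters (this one has {counted})."
    return True, "Password accepted."


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("password", "Winter-Summer-2023", "short1!", "tR7#qv9Lm2xZp"):
        print(candidate, "->", check_password(candidate))
```

The returned message names the words that triggered the rule, so the user sees why an 18-character password such as the second sample is still rejected.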
Wrapping It Up
Passwords are a crucial aspect of online security, and password policies and management should be taken seriously. Passwords should be complex, unique, and managed correctly. Two-factor authentication and password managers can provide additional security measures. User education and regular training can ensure that users understand the importance of password security and best practices. Password storage, transmission, recovery, and expiration should be designed with security in mind.
Organizations should implement a comprehensive password policy that considers the risk level of their systems and services, and balances security with user convenience. By following these best practices, organizations can ensure that their passwords are strong and secure, reducing the risk of data breaches and protecting the confidentiality, integrity, and availability of their data.