Password Management Best Practices
John LeMay
We are all familiar with the pain associated with managing a variety of passwords for online accounts and services in our personal lives. Add to that list the various accounts and passwords needed in our professional lives, and the list quickly becomes overwhelming. It is easy to fall into the trap of reusing passwords or using passwords that are too simple. Poor password management practices can lead to significant losses for you or your organization.
Not following a few best practices regarding password management can lead to disaster if these passwords are guessed, cracked, or otherwise stolen. For businesses and individuals alike, poor password policies create a significant risk of financial loss. Organizations run the additional risk of exposing sensitive client or customer data, which can result in financial penalties, legal issues, and damage to the organization's reputation.
Weak passwords that are very short or based on common words are easily guessed or cracked by cybercriminals. Most systems today no longer allow very simple passwords to be used. Still, some remain and leave decisions regarding password strength entirely up to the user.
Data collected by security firms has shown that up to 75% of people admit to using the same password for multiple accounts. When passwords are reused, it is much easier for bad actors to gain access to multiple accounts, compounding the damage to an individual or organization. Reused passwords are still a critical factor in many cybersecurity events. Developing and adopting good password management practices is vital to the safety of both personal and business resources.
Components of Password Management
A well-designed approach to password management is composed of policies, discipline, and tools that help create, track, and safeguard passwords across various systems. Adopting the best practices outlined below can help protect passwords both in our personal and professional lives.
Using strong passwords is essential for all accounts, regardless of how unimportant a particular account is. Many account profiles contain personal or business information such as names, addresses, and other information. While this information may not seem important or sensitive, this data can be harvested if the password protecting it is compromised. Combined with additional data gathered elsewhere, a more complete and potentially damaging data set may emerge.
The first key to strong passwords is length. Longer passwords are harder to guess or crack than shorter passwords. Most experts have agreed that a minimum length for a strong password is in the range of 12-14 characters. There is no reason they cannot be longer, but passwords much longer than 15 characters may not increase security to a significant degree.
Beyond password length, there are two primary methods of creating strong passwords. The first relies on character variety: uppercase and lowercase letters, numbers, and special characters are all called for in this approach.
The second method of creating a strong password does not rely on character types but instead recommends using a “passphrase”. A passphrase is a combination of words that can make a password easier to remember while being long enough to make it difficult to guess or crack.
These methods may also be combined. Using a series of words in a mix of uppercase and lowercase characters and perhaps adding some numbers and special characters creates a very strong password that is both difficult to crack and relatively easy to recall and to type.
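The rules above (a 12-character minimum, then either a mix of all four character types or a multi-word passphrase, or both) can be applied as a registration-time check. This is an added example, not code from the post or from Oceantec; the four-word minimum and three-character minimum word length are assumptions chosen for illustration.

```python
import re

MIN_LENGTH = 12            # lower end of the 12-14 character range cited in the post
MIN_PASSPHRASE_WORDS = 4   # assumption: a passphrase needs at least four words
MIN_WORD_LENGTH = 3        # assumption: very short "words" do not count

def character_classes(password: str) -> int:
    """Count how many of the four classes (lower, upper, digit, special) appear."""
    checks = [
        str.islower,
        str.isupper,
        str.isdigit,
        lambda c: not c.isalnum() and not c.isspace(),  # special character
    ]
    return sum(any(check(c) for c in password) for check in checks)

def passphrase_words(password: str) -> list:
    """Split on spaces, hyphens and underscores to find candidate words."""
    return [w for w in re.split(r"[\s\-_]+", password) if w]

def evaluate(password: str) -> dict:
    """Apply the post's rules: length first, then the character-type method,
    the passphrase method, or both. Never log or store the password itself."""
    length_ok = len(password) >= MIN_LENGTH
    classes = character_classes(password)
    words = passphrase_words(password)
    complexity_ok = classes == 4
    passphrase_ok = (len(words) >= MIN_PASSPHRASE_WORDS
                     and all(len(w) >= MIN_WORD_LENGTH for w in words))
    if complexity_ok and passphrase_ok:
        method = "combined"
    elif complexity_ok:
        method = "character types"
    elif passphrase_ok:
        method = "passphrase"
    else:
        method = None
    return {
        "length_ok": length_ok,
        "character_classes": classes,
        "words": len(words),
        "method": method,
        "accepted": length_ok and method is not None,
    }

if __name__ == "__main__":
    # Constructed sample inputs for illustration only.
    for candidate in ["password1", "Tr0ub4dor&3x", "correct horse battery staple",
                      "Correct-Horse-Battery-Staple-42!"]:
        print(len(candidate), evaluate(candidate))
```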
Even following these methods, you wouldn’t want to try to memorize a long list of these passwords. More tools are required beyond strong passwords for a complete password management solution.
Never Reuse Passwords
As mentioned above, reusing passwords is a poor password management practice and should be avoided. Always select different passwords for each account, service, application, or device. Stolen and cracked passwords are commonly sold among cybercriminals. It is easy for one of these bad actors to try the same password across hundreds of different systems in an attempt to exploit reused passwords.
Shared Passwords are Insecure Passwords
Passwords should not be shared. Using so-called “common accounts” where multiple people know the credentials and password for a system is common in smaller organizations. This method of sharing passwords is a bad practice that should be avoided. Instead, each user of a system should have their own password to the system.
Protect Privileged Passwords
Some systems in both our personal and professional lives contain sensitive data such as financial information or personal information about family members, employees, clients, or customers. The credentials for these systems should be handled with extra care.
Ensure that privileged accounts and passwords are protected by controlling who may access those credentials. Password managers or password “vaults” provide an excellent place for storing these privileged account credentials.
Implement Multi-Factor Authentication
Multi-factor authentication (MFA), also called two-factor or second-factor authentication, is an important piece of any password protection plan. MFA provides a challenge to users once they have provided system credentials. This challenge requires the user to provide another piece of information, such as a code from an authenticator application. The user is not granted access to the system until they properly respond to this challenge.
Not all MFA solutions are created equal. Early implementations of MFA sometimes used a code sent to an email address or sent via text message to a mobile device. Today these methods are no longer considered acceptable. Bad actors have found ways around these types of systems.
Instead, most MFA implementations today rely on authenticator applications installed on mobile devices. These applications provide a time-limited code to be used when an application requests an MFA response. Before use, each protected application must be enrolled in the authenticator application for each user.
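The time-limited codes those authenticator applications produce are usually TOTP (RFC 6238, built on HOTP from RFC 4226): a shared secret enrolled at setup, HMAC-SHA1 over the current 30-second time step, truncated to six digits. The following is an added example of the server-side verification logic, not code from the post or from Oceantec; the one-step drift window and the replay check on the last accepted counter are assumptions, and the secret is the RFC test-vector secret rather than a real one.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional, Tuple

STEP = 30    # seconds per code, the common authenticator default
DIGITS = 6
WINDOW = 1   # assumption: tolerate one step of clock drift either side

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238: the HOTP counter is the number of whole time steps since the epoch."""
    return hotp(secret, at // step)

def verify_totp(secret: bytes, submitted: str, at: int,
                last_used_counter: Optional[int] = None,
                window: int = WINDOW) -> Tuple[bool, Optional[int]]:
    """Check a submitted code against the steps in [now-window, now+window].
    Returns (ok, counter) so the caller can persist the counter and refuse
    any later submission of the same or an older code (replay protection)."""
    counter = at // STEP
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if last_used_counter is not None and candidate <= last_used_counter:
            continue  # already consumed: a captured code must not work twice
        # constant-time comparison avoids leaking how many digits matched
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return True, candidate
    return False, None

# Secret from the RFC 6238 test vectors, as an authenticator app would receive it (base32).
SECRET = base64.b32decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")

if __name__ == "__main__":
    print(totp(SECRET, 59))                                   # matches RFC vector 94287082
    ok, used = verify_totp(SECRET, "287082", at=59)
    print(ok, used)
    print(verify_totp(SECRET, "287082", at=80, last_used_counter=used))  # replay rejected
```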
Never Use Browser Password Storage
Today, most internet browsers provide a method for storing accounts and passwords for ease of use. However, these password storage tools are prime targets for cybercriminals. It is recommended that browser password storage systems not be used and that the feature be disabled for all users.
Instead of browser-based password storage, the use of a dedicated password manager system is recommended.
Implement a Password Manager
Password manager applications have been around for many years and are quite mature. These tools offer ways to secure passwords and other items such as notes or important account numbers. Almost all password managers available provide access via a web browser, mobile device, and an installed application.
Many of these tools support access by groups of users to the same information. Shared access allows organizations to manage credentials for many systems centrally. The administrator of the password manager tool determines who among the shared group is allowed to view, access, or change those credentials.
How Oceantec Can Help
Oceantec commonly assists clients in developing strong password management capabilities for their organization. Our team can work with you to develop policies and training resources to help support your password management efforts. We can also assist with identifying and deploying tools for both MFA and Password Manager functions.
Additionally, our security services can provide monitoring, detection, and reporting services that help you identify user or application credentials that have been compromised and assist with remediation efforts.
Contact Oceantec today to learn more about our consulting and managed technology services.