Having strong password security isn’t a preference — it’s a critical requirement for account security. Here are 10 password security tips that can help you keep your organization’s accounts safe on World Password Day 2021 and throughout the rest of the year.

Password security boils down to protecting access to your virtual kingdom. Employees use these memorized secrets to secure everything from their personal bank accounts to the work accounts that let them reach your organization’s sensitive systems and data. However, the passwords users create are often neither strong nor secure. Verizon’s 2020 Data Breach Investigations Report (DBIR) shares that lost/stolen credentials and brute force attacks are involved in 80% of the hacking-related breaches that occurred in 2019. This is where having some useful password security tips can come in handy.

Do you know whether your employees are using strong passwords? Are they adhering to password security best practices? And is your IT team implementing best practices for strong password storage and security? In this article, we’ll cover what experts identify as characteristics of a strong password. We’ll also go over a list of 10 password security tips you can implement right away to help better secure your organization.

Breaking Down Password Security Basics: What’s a Strong Password?


What one person considers a strong password is often very different from what actually qualifies as such. And, frankly, password recommendations have changed over time. For example, the FBI says that it’s better to use a strong and long passphrase instead of a traditional password. They describe a passphrase as a combination of words that’s greater than 15 characters in length.

But why is having a longer password (or, better still, a passphrase) better in terms of account security? The National Institute of Standards and Technology (NIST) describes password length as a defining factor of password strength and security in its Digital Identity Guidelines (SP-800-63B): “Passwords that are too short yield to brute force attacks as well as to dictionary attacks using words and commonly chosen passwords.”

However, there are a few key traits or qualities that help you form a strong password (or, more accurately, passphrase):

  • Uniqueness. Every account should use a unique password. This means users should never reuse or recycle a password on one account or, worse, across multiple accounts. Having a unique password for every account helps to prevent a compromised password from being used in password cracking methods like rainbow tables and brute force attacks.
  • Length. We’ve already touched on this guidance from both NIST and the FBI. With this in mind, passwords/passphrases should be at least 15 characters in length (going by the FBI’s recommendation). However, it’s best to encourage your employees to use longer passwords.
  • Difficulty. A password should be something that’s hard for someone else to guess but easy for you to remember. Even if it uses some common words, a cybercriminal still has to get them in the right order, and with the proper capitalization, to use them in dictionary attacks.

But using strong passwords isn’t just a good password security best practice — it’s also critical to your organization’s compliance. Regulations like the Payment Card Industry Data Security Standard (PCI DSS), the European Union’s General Data Protection Regulation (GDPR), and the Health Insurance Portability and Accountability Act (HIPAA) require strong authentication or technical access controls to help keep sensitive systems and data secure and protect user privacy.

10 Password Security Tips to Implement Within Your Organization

Unfortunately, poor password security practices are common. There are many factors that play into poor password security. It’s not just about employees creating and using weak passwords. Some password security issues result from a lack of employee training, poor password policies, and even poor IT security and password storage practices.

With this in mind, here are 10 password security tips that can help steer you in the right direction.

1. Require Employees to Use Strong Passphrases Instead of Passwords

A traditional password contains uppercase and lowercase letters, numbers, and special characters, and is at least eight characters in length. By opting to use passphrases instead, you’re creating longer and stronger passwords that are easier to remember. This can be part of a password policy that you have in place and enforce regularly.

2. Educate Your Employees On Password Security

Don’t leave your employees to flounder — provide them with specific guidance and examples of strong passwords. For example, if you tell them to add special characters or numbers to their passwords, know that they’re likely just going to switch letters for common replacements, like “3” for “E,” “@” for “a,” or adding “!” to the beginning or end of their passwords.

All of this information should be part of their cyber awareness training and should be included in your organization’s password policy. As a note, this type of training should also cover other areas of password security, such as credential phishing methods, and provide other useful password security tips.

3. Only Store Salted Password Hashes

A critical requirement of strong organizational password security is only to store password hash values. The NIST standard we mentioned earlier says that you should never store the passwords themselves and that you must use secure storage methods that are resistant to offline attacks. Hashing and salting (more on the latter in a moment) your passwords is one way to do this.

A hash is the output of a one-way mathematical function (a hashing algorithm). So, when you hash a password, you’re generating a cryptographic hash value that is impractical and too resource-intensive for anyone to reverse back to the password. The downside of hashing passwords on their own is that if two users use the exact same password (input), hashing it generates the same password hash value (output) for both.

Let’s consider an example to explain this a little more clearly. Say two of your employees, users 1 and 2, are using the same password “[email protected]”. When you hash the password (in this example, we’ll use the MD5 hash), both user 1 and user 2 will have the same hash digest “46ab95fa1d5e5894ff780359d23a1067.”

This is an issue because cybercriminals can use that information to map or match password hashes to those they keep on file from data breaches. To prevent this from happening and to make those password hashes more complex and secure, you’ll want to add a unique salt to each password first.

A salt is a unique, random value. By salting the password before hashing it, you ensure that the generated password hash values are unique — even if two employees use the exact same password.

Now, let’s see what happens when we apply unique salt values to the same [email protected] example. If we add “Salt1” to user 1’s password and “Salt2” to user 2’s password before hashing them, you’ll get two entirely different (unique) hash values:

  • User 1’s input of “[email protected]” becomes the password hash value 94d1d9a4d4ab0553a6ebae030076309d.
  • User 2’s input of “[email protected]” becomes the password hash value 461fa688da15c267951979eeeeb2acbf.

So, as you can see in the example above, even though both users use the same password, their hash values are unique because of the addition of a salt value in each case.

4. Don’t Require Periodic Password Changes

Although it contradicts traditional password security advice, NIST’s SP-800-63B recommends that you stop requiring employees to change their passwords periodically. Why? Because users are more likely to use weak passwords or reuse passwords across multiple accounts for the sake of convenience if you require them to change them frequently. Or, they may just add “123” or something similar to the end of their existing passwords. Again, this practice may be convenient, but it doesn’t make for more secure passwords.

5. Allow Users to Copy and Paste Passwords Into Login Forms

NIST recommends allowing the copy-paste functionality for password fields because it encourages the use of password management tools and apps. Users can use password managers to generate and store complex passwords. Considering that NordPass reports the average user has upwards of 80 passwords, it’s no surprise that password managers are becoming increasingly popular with certain age groups.

HYPR’s The State of Passwordless Authentication 2021 report shares that 39% of Millennials and 24% of Generation Z adults use password management apps. That’s because password managers offer convenience for individuals who want to use more complex passwords but don’t want to have to remember all of them individually.

6. Disable Password Hints

Although password hints may seem like a great idea, they actually pose a significant risk to account and password security. As such, NIST guidelines specifically state that you shouldn’t allow users to store hints that are viewable to unauthenticated users. Furthermore, they also advise against prompting users for specific types of personal information as part of password verification, such as “what is your mother’s maiden name?”

7. Develop a Password Blacklist to Compare User-Generated Passwords/Passphrases Against

Integrate various lists into your password security system to force users to create more secure passwords. For example, you can create “blacklists” of passwords or passphrases that employees can’t use. You can develop these lists using:

If a user tries to use one of these prohibited options, prevent the password creation process from moving forward until they enter a different password or passphrase.

8. Make Breached Password Lists Another Password Security Bulwark

Much like the previous item on our list, you can use lists of known breached passwords as another password creation security measure. That’s because breached password lists are easy to find online and make great resources for your organization. If any of the passwords users try to create match the ones on your lists, your system will automatically require them to enter a different value.

You can find massive breached password lists on the website haveibeenpwned.com.
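Tips 7 and 8 describe the same check from two angles, so here is one added Python example (not the article’s code) that enforces both: an organizational blocklist and a lookup against breached-password data in the “SHA1HASH:COUNT” form that haveibeenpwned.com publishes for download, using the same 5-character-prefix matching as its range API. The blocklist, the breached entries and their counts are constructed for the example.

```python
import hashlib
from typing import List

MIN_LENGTH = 15   # the FBI passphrase guidance cited in the article

# Constructed stand-in for the organization's own blocklist (tip 7): context-
# specific words and trivially guessable choices. Compared case-insensitively.
BLOCKLIST = {"password", "savvysecurity2021", "welcome1", "letmein", "qwertyuiop"}


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breached-password corpus (tip 8), keyed the way the
# Pwned Passwords download is: uppercase SHA-1 digest -> number of sightings.
# Only digests are kept; the plaintexts here exist purely to build the sample.
BREACHED = {sha1_upper(p): n for p, n in [("Winter2021!Winter", 1200),
                                           ("correct horse battery", 3)]}


def breach_count(password: str) -> int:
    """k-anonymity style lookup: select all entries sharing the digest's first
    five hex characters (what the range API would return), then match the
    remaining 35 characters locally. A client only ever reveals the prefix."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    range_entries = {h[5:]: n for h, n in BREACHED.items() if h.startswith(prefix)}
    return range_entries.get(suffix, 0)


def reject_reasons(candidate: str) -> List[str]:
    """Return every reason the candidate fails policy; an empty list means
    the password may be set. Reporting all reasons lets the user fix them at once."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"too short: at least {MIN_LENGTH} characters required")
    if candidate.strip().lower() in BLOCKLIST:
        reasons.append("appears on the organization's blocklist")
    count = breach_count(candidate)
    if count:
        reasons.append(f"appears in known breach data ({count} times)")
    return reasons


if __name__ == "__main__":
    for pw in ["Password", "correct horse battery", "purple otter reads the gazette"]:
        print(repr(pw), reject_reasons(pw) or "accepted")
```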

9. Require Users to Use a VPN When Connecting to Your Secure Resources

Most password security tips only focus on recommendations for creating strong passwords. But another important aspect of password security is ensuring that users are using secure connections when logging in to your internal sites, web apps, and other secure resources.

A virtual private network (VPN) is a great option for employees who are working remotely. That’s because a VPN lets users enter their login credentials, connect, and transmit data securely over the internet using encrypted connections. Without encryption, any data you transmit — including your usernames and passwords — bounces around the internet in an insecure (i.e., readable) format. This plaintext data is something that cybercriminals and other bad guys can easily intercept, steal, modify or use without your permission.

10. Get Rid of User Passwords Altogether

The final password security tip we’re going to share isn’t about passwords but, rather, the absence of them within your organization. Passwordless authentication methods such as multi-factor authentication and PKI certificate-based authentication are great password security alternatives that are gaining traction. The HYPR report we mentioned earlier says their team was surprised to discover that the majority of their survey respondents already use passwordless technologies in their personal and professional lives.

But why are passwordless authentication methods becoming so popular? Frankly, it’s because you get the best of both worlds (and then some!). From a user perspective, it makes proving their digital identities and authenticating online a whole lot easier. From an organizational perspective, it’s a way to save IT-related time, labor and resources. HYPR reports 90% of their survey respondents’ organizations experienced phishing attacks in 2020 that “incurred significant helpdesk costs from password resets.”

To summarize, passwordless authentication methods offer:

  • Greater security for your organization than traditional passwords,
  • A better experience for your users, and
  • Reduced IT costs and credential compromise risks for your organization.

Passwords aren’t going anywhere anytime soon. They’re still something that every organization is going to have to deal with for years to come. This is why we hope these password security tips come in handy for you and your IT security team.

Author

Welcome to Savvy Security, a blog focused on providing practical cybersecurity advice for website owners and small businesses. Our team brings you the latest news, best practices and tips you can use to protect your business...without a multi-million dollar budget or 24/7 security teams.